JanaWare Ransomware Campaign Targets Turkish Users with Stealthy Adwind RAT Variant
A newly uncovered ransomware campaign, dubbed JanaWare, is actively targeting users in Turkey using a customized version of the Adwind Remote Access Trojan (RAT). The operation employs geofencing, polymorphic malware, and layered obfuscation to evade detection while maintaining long-term persistence.
First observed in 2020, with recent samples compiled as late as November 2025, JanaWare restricts infections to systems in Turkey by verifying language settings, locale configurations, and IP addresses. This localized approach has allowed the campaign to operate under the radar, avoiding broader security scrutiny.
The attack begins with phishing emails that lure victims into clicking malicious links, often hosted on Google Drive. These links download a Java archive (JAR) file, which executes via javaw.exe to deploy the Adwind-based payload. The malware then disables security defenses including Microsoft Defender, Volume Shadow Copies, and third-party antivirus tools before downloading a Java-based ransomware module.
JanaWare encrypts files with AES and communicates with command-and-control (C2) servers over the Tor network. Ransom demands range between $200 and $400, targeting home users and small-to-medium-sized businesses (SMBs) with a high-volume, low-cost extortion strategy. Victims receive a Turkish-language ransom note directing them to contact the attackers via qTox or Tor-based .onion sites.
To evade detection, the malware employs polymorphic techniques, modifying its JAR file with random data to generate unique hashes per infection. It also uses obfuscation tools like Stringer and Allatori, along with custom class loaders, to hinder reverse engineering.
Security researchers warn that JanaWare exemplifies a growing trend of regionally focused ransomware operations that exploit localized vulnerabilities while avoiding global attention. Indicators of compromise (IOCs) include the MD5 hashes 4f0444e11633a331eddb0deeec17fd69 (Adwind RAT) and b2d5bbf7746c2cb87d5505ced8d6c4c6 (ransomware module).
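Because each infection carries a JAR padded with random data, a whole-file hash such as the MD5 values above matches only the exact sample it was taken from. The following added example (not code from the original report or from the researchers) contrasts the whole-file MD5 with a fingerprint computed over the archive's .class entries only, using harmless constructed JARs. It assumes the random data sits in a non-class archive entry, which the report does not specify; the entry names and the helper names are hypothetical.

```python
import hashlib
import io
import os
import zipfile


def file_md5(jar_bytes: bytes) -> str:
    """Whole-file hash, the kind of value usually published as an IOC."""
    return hashlib.md5(jar_bytes).hexdigest()


def class_fingerprint(jar_bytes: bytes) -> str:
    """SHA-256 over the sorted (name, content hash) pairs of .class entries only."""
    digest = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in sorted(n for n in jar.namelist() if n.endswith(".class")):
            digest.update(name.encode("utf-8") + b"\0")
            digest.update(hashlib.sha256(jar.read(name)).digest())
    return digest.hexdigest()


def build_sample_jar(padding: bytes) -> bytes:
    """Constructed, harmless stand-in JAR; `padding` models the per-infection data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        jar.writestr("demo/Main.class", b"\xca\xfe\xba\xbe" + b"constructed-class-A")
        jar.writestr("demo/Loader.class", b"\xca\xfe\xba\xbe" + b"constructed-class-B")
        # Assumption: the random data is stored as an extra, non-class entry.
        jar.writestr("META-INF/pad.bin", padding)
    return buf.getvalue()


def compare(samples):
    """Return (set of whole-file MD5s, set of class fingerprints) for the samples."""
    return ({file_md5(s) for s in samples}, {class_fingerprint(s) for s in samples})


if __name__ == "__main__":
    samples = [build_sample_jar(os.urandom(64)) for _ in range(3)]
    md5s, prints = compare(samples)
    print(f"{len(md5s)} distinct MD5s, {len(prints)} distinct class fingerprints")
```

The fingerprint stays stable only while the class bytes themselves are unchanged, so it complements behavioural detection rather than replacing it.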
Source: https://gbhackers.com/janaware-ransomware-attack/
Acronis cybersecurity rating report: https://www.rankiteo.com/company/acronis
{
  "id": "ACR1776673520",
  "linkid": "acronis",
  "type": "Ransomware",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}