A stealthy ransomware campaign called JanaWare is targeting Turkish users through phishing emails and advanced malware techniques.
Quick Summary – TLDR:
- JanaWare ransomware targets users in Turkey using a customized Adwind RAT.
- Campaign active since 2020, still ongoing with recent samples seen in 2025.
- Uses low ransom demands between $200 and $400 for quick payouts.
- Relies on phishing emails and geofencing to stay hidden and avoid detection.
What Happened?
Cybersecurity researchers have uncovered a long running ransomware campaign known as JanaWare that focuses exclusively on Turkish users. The campaign uses phishing emails and a modified version of the Adwind remote access Trojan to infect systems and encrypt files. Despite being active for years, its narrow geographic targeting has helped it stay largely unnoticed.
Turkish 🇹🇷-focused JanaWare ransomware operates since 2020 using geofenced Adwind RAT with polymorphic capabilities. Targets home users via phishing with $200-400 demands, staying under the radar through regional restrictions.#DFIR_Radar pic.twitter.com/e2I0EI0DOA
— DFIR Radar (@DFIR_Radar) April 15, 2026
A Targeted and Persistent Campaign
Security researchers say the JanaWare operation has likely been active since at least 2020, with newer malware samples compiled as recently as late 2025. The campaign is not designed for global spread. Instead, it focuses specifically on users in Turkey, making it a highly localized cyber threat.
The attackers appear to follow a low value high volume strategy. Instead of demanding large payments from enterprises, they ask victims for relatively small ransoms ranging from $200 to $400. This approach increases the chances of quick payments from individuals and small businesses.
Victims are mainly:
- Home users
- Small and medium sized businesses
This sets JanaWare apart from major ransomware operations that typically go after large organizations for bigger payouts.
How the Attack Works?
The infection chain starts with phishing emails, often delivered through Microsoft Outlook. These emails contain links, usually hosted on Google Drive, that trick users into downloading malicious Java archive files.
Once the file is opened, the attack unfolds in stages:
- A Java based payload is executed using javaw.exe.
- A customized version of the Adwind RAT is deployed.
- The malware downloads the ransomware module.
- Files across the system are encrypted.
The ransomware then drops a note titled “ONEMLI NOT”, which means Important Note in Turkish, instructing victims on how to proceed.
Attackers typically ask victims to communicate through qTox, a decentralized messaging platform, or through Tor-based websites to maintain anonymity.
Advanced Evasion and Technical Design
JanaWare uses several advanced techniques to avoid detection and analysis. The malware includes heavy obfuscation using tools like Stringer and Allatori, making it difficult for researchers to reverse engineer.
It also uses polymorphism, meaning each infected file appears different. A component called FilePumper adds random data to the malware, creating unique file signatures that bypass traditional detection methods.
Another key feature is its modular design. The malware loads configuration settings that define:
- Command and control servers.
- Communication channels over Tor.
- Persistence mechanisms.
- Encryption keys and authentication tokens.
This allows attackers to adapt and update the malware without changing its core structure.
Strict Geofencing Limits Exposure
One of JanaWare’s most notable traits is its strict geographic targeting. Before executing, the malware checks:
- System language
- Locale settings
- External IP location
If the system is not located in Turkey or does not match Turkish settings, the malware stops execution.
This geofencing strategy serves two purposes:
- Ensures attacks focus only on intended victims.
- Reduces visibility to international cybersecurity researchers.
By limiting its reach, the campaign has managed to stay under the radar for several years.
System Takeover and File Encryption
Once inside a valid system, the malware weakens defenses before encrypting files. It performs several actions:
- Disables Microsoft Defender.
- Deletes shadow copies to prevent recovery.
- Turns off Windows updates.
- Interferes with security tools.
After that, it encrypts files using AES encryption and communicates with its control servers over the Tor network. The encryption key is sent externally, making file recovery nearly impossible without paying the ransom.
A Growing Trend in Ransomware
The JanaWare campaign reflects a broader shift in the ransomware landscape. Instead of large, high profile attacks, cybercriminals are increasingly turning to smaller, targeted campaigns.
Recent data shows:
- Dozens of new ransomware variants emerging each year.
- A move toward fragmented and localized operations.
- Increased use of evasion techniques like geofencing and polymorphism.
These changes make ransomware harder to track and disrupt, even if individual campaigns appear smaller in scale.
SQ Magazine’s Takeaway
I think this is a clear sign that ransomware is evolving in a very smart way. Instead of going big and getting attention, attackers are staying quiet and focused. JanaWare may not sound as dangerous as global ransomware gangs, but its strategy makes it effective and hard to stop.
What stands out to me is how carefully this campaign is designed. From targeting only Turkish users to keeping ransom amounts low, everything is optimized for success without drawing attention. This is exactly the kind of threat that can grow quietly and cause real damage over time.
