Acronis TRU discovered a new ransomware, called JanaWare, that has been delivered through the Adwind Java RAT to home users and SMBs in Turkey since 2020. Read the full story on the polymorphic malware, its Tor-based C2 and its Turkish ransom notes below.
JanaWare Ransomware: A 5-Year Silent Campaign
In cybersecurity, the most feared threat is not the one that makes a lot of noise; it is the one that operates silently for years without anyone noticing. That is exactly what happened with JanaWare.
On April 14, 2026 the Acronis Threat Research Unit (TRU) publicly exposed a ransomware campaign that had been targeting Turkish users since 2020, i.e. for more than five years, and that had stayed under the radar of the cybersecurity industry the whole time.
The research was carried out by Jozsef Gegeny and David Catalan Alegre, and what emerged is the story of a sophisticated but intentionally small-scale operation, a very different kind of ransomware business.
How It Started: A Suspicious Sample on VirusTotal
The Acronis TRU team was investigating a customized variant of the Adwind RAT when it collected some suspicious JAR archive samples from VirusTotal. Analyzing Java-based malware is usually relatively straightforward because Java bytecode decompiles easily, but when the team executed these samples in a test environment, one sample did something they did not expect: it dropped a ransom note on the system. And that note was written in Turkish.
This was the moment the direction of the investigation changed completely. The Turkish ransom note alone indicated that the campaign was deliberately targeting Turkey rather than operating on a global scale.
When the team found more samples and analyzed the infrastructure, it confirmed that this was a campaign systematically targeting Turkish users, and a sample compiled in November 2025 showed that the campaign, and its C2 infrastructure, was still active.
Adwind RAT: Back with a New Twist
To understand JanaWare it is important to first understand the Adwind RAT. Adwind, also known as Frutas, Unrecom, AlienSpy, JSocket and JRat, was introduced in 2012 by a developer on a Spanish-speaking hacker forum under the name Frutas RAT.
According to Kaspersky's research, the malware was written in Java, allowing it to run on Windows, macOS, Linux and Android. Palo Alto Networks Unit 42 documented that more than 45,000 samples of this RAT family have been collected and used in more than 2 million attacks since 2017.
According to threat intelligence from ANY.RUN, in 2015 alone some 1,800 customers were buying Adwind from its official website, a full Malware-as-a-Service platform. The Adwind variant used in the JanaWare case is quite different from the original: the operators customized it heavily for Turkey and added the ability to deliver ransomware.
This is a selective deployment approach: first gain initial access with the Adwind RAT, then decide per victim whether to deploy the ransomware module. It is not the spray-and-pray of mass ransomware; it is targeted.
Phishing to Ransomware: Inside the Full Attack Chain
Acronis TRU reconstructed the entire infection sequence with the help of EDR telemetry. A Turkish user opened a phishing email in Outlook. The email contained a Google Drive link, a smart choice by the attackers because the Google Drive domain is trusted and most email security gateways do not consider it suspicious.
When the link was clicked, the Chrome browser downloaded a malicious JAR file, which the Java runtime executed through the javaw.exe process. This is where the real work of the malware begins: on execution of the JAR, the Adwind RAT prepares itself, checks the system, loads its configuration and establishes contact with the C2 server.

Then, if the victim is on a Turkish system, the ransomware module is downloaded. Files on all available drives are encrypted and ransom notes written in Turkish are dropped into multiple folders. Victims on BleepingComputer's public forums have described the same scenario: they opened an email in Outlook, downloaded something, and their files got encrypted.
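The Outlook to browser to javaw.exe sequence described above is exactly the kind of parent/child relationship that EDR process telemetry exposes. The Python below is an added example written for this article, not Acronis code and not the detection they shipped. It runs a simple correlation over a handful of constructed process-creation events (the paths, user names, the Google Drive URL and the file name Fatura_2025.jar are all made up) and flags java.exe or javaw.exe launching a JAR from a user-writable folder, with a browser or mail client as its parent, and ties it back to the email when that browser was itself spawned by a mail client.

```python
import os
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 or an EDR equivalent). Hypothetical shape."""
    user: str
    parent_image: str
    image: str
    command_line: str


MAIL_CLIENTS = {"outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
# "-jar <path>.jar", with or without quotes around the path
JAR_ARG = re.compile(r'-jar\s+"?([^"]+?\.jar)"?', re.IGNORECASE)
# folders an unprivileged user (and a browser download) can write to
USER_WRITABLE = re.compile(r"\\(downloads|temp|tmp|appdata)\\", re.IGNORECASE)


def basename(path):
    """Case-folded file name of a Windows path; also correct on a non-Windows analysis host."""
    return os.path.basename(path.replace("\\", "/")).lower()


def score_event(ev):
    """Score one event on its own: returns ('none'|'low'|'medium'|'high', reasons)."""
    if basename(ev.image) not in JAVA_LAUNCHERS:
        return "none", []
    m = JAR_ARG.search(ev.command_line)
    if not m:
        return "none", []  # java running a class rather than a JAR is out of scope here
    reasons = []
    parent = basename(ev.parent_image)
    if parent in BROWSERS or parent in MAIL_CLIENTS:
        reasons.append(f"parent {parent} is a browser or mail client")
    if USER_WRITABLE.search(m.group(1)):
        reasons.append(f"JAR launched from user-writable path {m.group(1)}")
    severity = {0: "low", 1: "medium", 2: "high"}[len(reasons)]
    return severity, reasons


def detect(events):
    """Walk events in order, remembering which browsers a mail client spawned for each user,
    so a later 'java -jar' under that browser is tied back to the email (Outlook -> browser -> javaw)."""
    mail_spawned = set()
    alerts = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        if parent in MAIL_CLIENTS and child in BROWSERS:
            mail_spawned.add((ev.user, child))
        severity, reasons = score_event(ev)
        if severity == "none":
            continue
        if (ev.user, parent) in mail_spawned:
            reasons.append("that browser was itself opened from a mail client")
            severity = "high"
        alerts.append((severity, ev.user, child, reasons))
    return alerts


# Constructed telemetry for the demo: paths, user names, URL and JAR name are made up.
SAMPLE_EVENTS = [
    ProcEvent("CORP\\ayse", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              '"chrome.exe" https://drive.google.com/file/d/EXAMPLE/view'),
    ProcEvent("CORP\\ayse", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Program Files\Java\jre-8\bin\javaw.exe",
              r'"javaw.exe" -jar C:\Users\ayse\Downloads\Fatura_2025.jar'),
    ProcEvent("CORP\\dev", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Java\jdk-17\bin\javaw.exe",
              r'"javaw.exe" -jar C:\Tools\build\app.jar'),
    ProcEvent("NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for severity, user, proc, reasons in detect(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {user} {proc}: " + "; ".join(reasons))
```

The developer's build JAR under C:\Tools only scores "low" because neither its parent nor its path is suspicious; the Downloads JAR under a Chrome that Outlook opened scores "high" on all three signals. In a real deployment the same logic maps onto a Sigma rule or an EDR query over the ParentImage, Image and CommandLine fields.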
Turkish Ransom Note Mystery
What makes this campaign uniquely regional is not just the Turkish ransom note but also the carefully chosen way of contacting victims. The attackers used qTox, a free, open-source, decentralized messaging application that runs on the Tox peer-to-peer network and provides end-to-end encryption. qTox has no central server to which law enforcement can send requests or from which it can obtain logs.

The note asking for money was written in Turkish. Here is what it says in translation:

In some cases, victims were asked to download the Tor Browser and visit a .onion site where they could communicate with the attackers over an encrypted channel. The ransom demand is intentionally kept very low, between $200 and $400. This is a deliberate design choice: enterprise ransomware groups like LockBit or Clop make multi-million-dollar demands because they target large corporations.
The JanaWare operators chose the opposite approach: target home users and small to medium businesses, keep the demand low enough that victims pay without thinking, and earn from volume. According to Recorded Future's The Record, Acronis researchers called this a low-value, high-volume monetization approach.
Modification and Obfuscation Techniques
Security researchers are particularly interested in what JanaWare does to stay hidden. The malware is self-modifying and uses a technique known as file pumping: when it installs itself on the target system it does not simply copy its JAR archive but adds random content to it, inflating the file size by tens of megabytes.

As a result, every infected machine ends up with a file that has a different hash (the MD5 differs, and so does any other whole-file hash). Signature-based detection that relies on a single hash fails completely, because every infected file has a unique fingerprint. Detections that instead key on the unchanged class entries inside the archive, or on the behavior of the running process, are not affected by the padding.
On top of this, the malware is protected with two publicly available Java obfuscators, Stringer and Allatori. Java bytecode is normally easy to decompile, but after these obfuscators the process becomes significantly harder. Custom class loaders are also used to load modules dynamically.
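To make the file-pumping point concrete, here is an added Python example (not the JanaWare sample and not Acronis tooling; the three archive entries are constructed stand-ins for the real classes). It builds two JARs that share the same class and manifest entries but carry different random padding, shows that the whole-file MD5 differs between them, and computes a fingerprint over the class and manifest entries alone that the padding cannot change. It also reports the padding ratio, which for a pumped archive is close to 1.

```python
import hashlib
import io
import random
import zipfile

# Constructed stand-in for the malicious JAR's real content: these bytes are the
# same on every "victim"; only the padding differs. Not real JanaWare classes.
CORE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: a.b.Main\n",
    "a/b/Main.class": b"\xca\xfe\xba\xbe" + b"\x00" * 60,
    "a/b/Loader.class": b"\xca\xfe\xba\xbe" + b"\x01" * 60,
}


def _is_core(name):
    """Entries that carry code: class files and the manifest."""
    return name.endswith(".class") or name == "META-INF/MANIFEST.MF"


def build_pumped_jar(padding_bytes, seed):
    """Emulate file pumping: write the core entries plus one random padding entry.
    A different seed stands in for a different infected host."""
    rng = random.Random(seed)
    padding = bytes(rng.getrandbits(8) for _ in range(padding_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in CORE_ENTRIES.items():
            zf.writestr(name, data)
        zf.writestr(f"res/{seed:08x}.bin", padding)
    return buf.getvalue()


def whole_file_md5(jar_bytes):
    """The hash a naive signature keys on; it changes with every pumped copy."""
    return hashlib.md5(jar_bytes).hexdigest()


def class_fingerprint(jar_bytes):
    """SHA-256 over the sorted (entry name, SHA-256 of entry content) pairs of the core
    entries only. Padding entries, zip timestamps and entry order do not affect it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        pairs = sorted(
            (info.filename, hashlib.sha256(zf.read(info)).hexdigest())
            for info in zf.infolist()
            if _is_core(info.filename)
        )
    h = hashlib.sha256()
    for name, digest in pairs:
        h.update(f"{name}:{digest}\n".encode())
    return h.hexdigest()


def padding_ratio(jar_bytes):
    """Share of uncompressed bytes that are not code: near 1.0 for a pumped JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        infos = zf.infolist()
        total = sum(info.file_size for info in infos)
        core = sum(info.file_size for info in infos if _is_core(info.filename))
    return 0.0 if total == 0 else 1.0 - core / total


if __name__ == "__main__":
    # 64 KiB of padding keeps the demo quick; the real samples grow by tens of MB.
    victim_a = build_pumped_jar(64 * 1024, seed=1)
    victim_b = build_pumped_jar(64 * 1024, seed=2)
    print("md5 differs:        ", whole_file_md5(victim_a) != whole_file_md5(victim_b))
    print("fingerprint matches:", class_fingerprint(victim_a) == class_fingerprint(victim_b))
    print("padding ratio:      ", round(padding_ratio(victim_a), 3))
```

The fingerprint survives pumping because it never looks at the archive as a whole; it is the obfuscated class bytes that stay constant from victim to victim, so that is the layer a detection should hash. A padding ratio near 1.0 is itself a cheap triage signal for a JAR that is mostly non-code data.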

Kaspersky's Securelist research notes that Adwind variants have historically used TLS for C2 communication. JanaWare specifically uses Tor for its C2, which makes attribution and tracking even more difficult, as the figure above illustrates.
Geo-Fenced Attack: Turkey Only
These technical details are what make JanaWare so unusual. At the start of execution the malware runs strict checks on the victim's system locale, language settings and external IP geolocation. If these checks do not confirm that the system is in Turkey and set to Turkish, the malware does not proceed; it simply shuts down silently.
This is a double-edged sword. On one hand, the geographic restriction kept the malware off the radar of global researchers: if your analysis environment is not set to a Turkish locale, the malware will not even show itself. (For Java samples an analyst can at least force the JVM's default locale with -Duser.language=tr -Duser.country=TR, but that does nothing for an external IP geolocation check, which needs a Turkish egress address or an intercepted lookup.) On the other hand, the attackers' exposure was also limited: they are focused only on Turkey, and there is no trace of them anywhere else.
This is why it took the Acronis TRU analysts time to recognize the pattern. They tested multiple samples, and only one dropped the ransom note, because only that run happened in a Turkish-locale environment.
5 Years of Silence: Why It Went Undetected
This campaign stayed off the public radar of every major security company for more than five years, from 2020 to 2026. The answer is a simple combination of factors. First, the geographic restriction means the malware never executes outside Turkey, so global threat intelligence platforms see no meaningful signal. Second, polymorphism gives every file a unique hash that bypasses signature-based tools.
Third, high-profile enterprise attacks attract media attention, but attacks worth $200-$400 usually do not make the news. Fourth, according to Dark Reading's coverage of the JAR-based delivery, Java is so common in enterprise networks that traditional threat intelligence has no static rules that reliably detect the initial JAR payload.
This combination made the campaign very hard to detect, with no need for nation-state tactics, zero-day exploits or complex infrastructure: only careful targeting, a low profile and geography-aware malware, and it worked for five years.
Beyond Turkey: A Global Concern
JanaWare is a strictly Turkey-focused campaign, but the lessons it teaches are universal. Localized ransomware campaigns with small ransom demands and a narrow geographic scope can remain invisible in the global threat landscape.
According to the Acronis H2 2025 Cyberthreats Report, email-based attacks increased 16% per organization and phishing accounted for 52% of attack vectors. JanaWare's delivery mechanism, a Google Drive link in a phishing email followed by a JAR file, is exactly the pattern seen globally.
A similar campaign could run in any country: check for an Urdu or Arabic locale instead of a Turkish one, write the ransom note in Urdu instead of Turkish, and use Dropbox or OneDrive instead of Google Drive. The recipe is the same; only the target differs.
What Users Should Do
Remove the Java runtime if your system does not need it: an installed Java runtime is the first requirement of the attack chain. Where Java must stay, application control (AppLocker or WDAC) can stop java.exe and javaw.exe from running JARs out of user-writable folders such as Downloads. Treat links to Google Drive, Dropbox or OneDrive in emails with suspicion if the sender is unexpected; a link to a trusted platform is not automatically trustworthy.
Never execute email attachments with unfamiliar extensions, especially .jar or .zip. And if your business or personal system is in Turkey, update your antivirus and EDR solutions, as Acronis TRU has confirmed that JanaWare is now detected.
Conclusion
The story of JanaWare shows that in cybersecurity the most obvious threats are not always the most dangerous. This ransomware did not make big news, did not target major companies and did not cause any high-profile breaches; it simply operated in complete silence for five years.
The campaign might have remained invisible for many more years had an Acronis TRU analyst not run a strange JAR file in a Turkish-locale environment.