JanaWare Ransomware: Six-Year Campaign Targeting Turkish Home Users and SMBs with Advanced Geo-Fencing and Evasion Techniques

Executive Summary

A sophisticated and persistent ransomware campaign has been targeting Turkish home users and small-to-medium businesses (SMBs) for at least six years, leveraging a strain identified as JanaWare. This campaign is distinguished by its exclusive focus on Turkish victims, achieved through rigorous geofencing and language checks, and by its use of advanced evasion techniques. The attackers employ low ransom demands, typically ranging from $200 to $400 USD, and utilize decentralized communication channels such as qTox to avoid law enforcement and takedown efforts. The campaign’s longevity and regional targeting have enabled it to operate largely undetected by global cybersecurity vendors, posing a significant and ongoing threat to Turkish digital infrastructure.

Threat Actor Profile

The threat actors behind the JanaWare campaign are believed to be a regional cybercriminal group with deep familiarity with Turkish language, culture, and internet infrastructure. There is no evidence linking this campaign to any known nation-state Advanced Persistent Threat (APT) groups. The attackers’ primary motivation appears to be financial gain through a low-value, high-volume extortion model. Their operational security is enhanced by strict geofencing, Turkish-language lures, and the use of decentralized, peer-to-peer communication protocols, all of which are designed to minimize exposure to international law enforcement and security researchers.

Technical Analysis of Malware/TTPs

JanaWare is delivered primarily through phishing emails, often sent via Microsoft Outlook, containing malicious Java Archive (JAR) files hosted on Google Drive. The initial infection vector is a heavily obfuscated variant of the Adwind Remote Access Trojan (RAT), which acts as a loader for the ransomware payload. Upon execution, the malware performs a series of locale, language, and external IP geolocation checks to ensure it is running on a Turkish system. If any of these checks fails, the malware terminates, so it does not execute outside Turkey and does not reach the ransomware stage in analysis sandboxes that lack a Turkish locale and a Turkish egress IP address.

Once the environment is validated, JanaWare encrypts user files and drops a ransom note written in Turkish, instructing victims to contact the attackers via qTox, a decentralized, peer-to-peer chat application based on the Tox protocol. In some cases, communication is also facilitated through Tor-based .onion sites. The ransomware employs advanced obfuscation techniques, including the use of Stringer and Allatori obfuscators, and polymorphic JARs that generate unique hashes for each infection, complicating detection and analysis.

The malware’s persistence mechanisms leverage the capabilities of Adwind RAT, enabling boot or logon autostart execution. Network communications are routed through the Tox protocol and, in some instances, through Tor, further hindering attribution and takedown efforts. Known command-and-control (C2) infrastructure includes domains such as elementsplugin.duckdns.org on ports 49152 and 49153, with observed IP addresses like 151.243.109.115.

Exploitation in the Wild

The JanaWare campaign has been active since at least 2020, with evidence of infections dating back several years. Victims are typically Turkish home users and SMBs, as confirmed by reports on Turkish-language forums and international cybersecurity publications. The attack chain begins with a phishing email containing a Google Drive link to a malicious JAR file. When executed, the Adwind RAT loader installs JanaWare, which then encrypts files and displays a ransom note in Turkish. Victims are instructed to contact the attackers via qTox or, less commonly, via a Tor .onion site for payment instructions.

The campaign’s strict geofencing ensures that only Turkish systems are affected, and its use of decentralized communication channels makes it resilient to traditional takedown methods. Public reports from Acronis, The Record, and BleepingComputer confirm ongoing infections and ransom payments, with no significant law enforcement interventions reported as of April 2026.

Victimology and Targeting

The primary targets of the JanaWare campaign are Turkish-speaking individuals and organizations, specifically home users and SMBs. The malware’s execution is contingent upon the system locale being set to Turkish and the external IP address geolocating to Turkey. This targeted approach minimizes collateral damage and reduces the likelihood of attracting international attention. The attackers exploit the relative lack of advanced cybersecurity defenses among home users and smaller businesses, leveraging social engineering tactics such as phishing emails with convincing Turkish-language content and legitimate-looking Google Drive links.

Victim reports indicate that the attackers are indiscriminate within their chosen demographic, seeking to maximize the number of infections and subsequent ransom payments. The low ransom amounts are calibrated to increase the likelihood of payment, particularly among individuals and small organizations with limited resources for incident response or data recovery.

Mitigation and Countermeasures

To defend against the JanaWare ransomware campaign, organizations and individuals should implement a multi-layered security strategy. Email security solutions should be configured to detect and quarantine phishing emails, especially those containing Google Drive links or JAR attachments. User awareness training is critical, with a focus on recognizing phishing attempts and the dangers of executing unsolicited Java files.
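The gateway check described above, as an added example that is not code from this report or from the campaign: it parses a message with Python's standard library, extracts Google Drive links from text parts, and flags attachments that are JARs by extension, by declared content type, or by content (a ZIP container carrying META-INF/MANIFEST.MF, which also catches a JAR renamed to another extension). The sample message, its addresses and the Drive file ID are constructed.

```python
"""Flag e-mails that carry Google Drive links or JAR attachments.

Added detection helper, not code from the Rescana report or the campaign.
It parses an RFC 5322 message with the standard library and returns the
findings a mail gateway could act on. The sample message below is constructed.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Link and attachment traits the report associates with the JanaWare lure.
DRIVE_LINK_RE = re.compile(r"https?://(?:drive|docs)\.google\.com/[^\s'\"<>]+", re.I)
JAR_CONTENT_TYPES = {"application/java-archive", "application/x-java-archive"}


def looks_like_jar(data: bytes) -> bool:
    """True if the bytes are a ZIP container holding a JAR manifest, whatever the filename."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def scan_message(raw: bytes) -> dict:
    """Return Drive links, JAR attachments (by name, type or content) and a quarantine verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"drive_links": [], "jar_attachments": [], "quarantine": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").strip()
        if ctype.startswith("text/"):
            # Body text (plain or HTML): collect every Drive link it contains.
            findings["drive_links"].extend(DRIVE_LINK_RE.findall(part.get_content()))
            continue
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(".jar") or ctype in JAR_CONTENT_TYPES or looks_like_jar(payload):
            findings["jar_attachments"].append(filename or "<unnamed>")
    findings["quarantine"] = bool(findings["drive_links"] or findings["jar_attachments"])
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: Turkish lure text, a Drive link and a JAR renamed to look like a PDF."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
    msg = EmailMessage()
    msg["From"] = "muhasebe@example.invalid"
    msg["To"] = "alici@example.invalid"
    msg["Subject"] = "Fatura"
    msg.set_content("Faturaniz ektedir: https://drive.google.com/file/d/EXAMPLE_ID/view")
    msg.add_attachment(jar.getvalue(), maintype="application", subtype="pdf", filename="fatura.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The content-based check matters more than the extension check: a gateway that only blocks `*.jar` misses the same archive delivered as `fatura.pdf`, while a user double-clicking the renamed file on a host with a JRE registered for ZIP content may still launch it.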

Endpoint protection platforms must be capable of detecting Java-based malware and obfuscated payloads, with specific attention to the behaviors associated with Adwind RAT and polymorphic JAR files. Network monitoring should include detection of outbound connections to the Tox protocol and known C2 infrastructure, such as elementsplugin.duckdns.org and associated IP addresses.

Where possible, the Java Runtime Environment (JRE) should be removed from endpoints that do not require it, and execution of JAR files should be restricted. Regular, offline backups are essential to ensure rapid recovery in the event of a ransomware infection. In the event of compromise, victims should preserve forensic evidence and consult with Turkish CERT or law enforcement before considering ransom payment.

References

  • The Record: New ‘JanaWare’ ransomware targeting Turkish citizens as cybercriminal ecosystem fragments (April 2026)
  • Acronis Threat Report (cited in The Record)
  • CYFIRMA Weekly Intelligence Report – 10 October 2025
  • MITRE ATT&CK TTPs
  • TRM Labs Ransomware Report (April 2026, cited in The Record)
  • GBHackers: JanaWare Ransomware Hits Turkish Users via Customized Adwind RAT
  • BleepingComputer: User reports on Turkish ransomware infections

About Rescana

Rescana is a leader in Third-Party Risk Management (TPRM), providing organizations with advanced tools to identify, assess, and mitigate cyber risks across their digital supply chains. Our platform leverages cutting-edge threat intelligence and automation to deliver actionable insights, helping clients stay ahead of emerging threats and maintain robust cybersecurity postures. For more information or to discuss how Rescana can support your organization’s risk management strategy, we are happy to answer questions at ops@rescana.com.