Ransom note left by the malware | Image: The Acronis TRU team
A low-profile but remarkably persistent threat cluster has been unmasked by the Acronis TRU team, revealing a specialized ransomware campaign that has been operating in the shadows for over five years. Dubbed JanaWare, the operation leverages a customized variant of the notorious Adwind Java RAT to deliver a surgical blow to home users and small businesses.
Unlike global ransomware giants that cast a wide net, JanaWare is an “exclusive” threat. The malware utilizes sophisticated geofencing to ensure it only strikes within a specific target zone.
According to the report, “The malware enforces execution constraints based on system locale and external IP geolocation, which likely restricts activity to systems located in Turkey”. By requiring the environment to match Turkish language and region settings, the attackers achieve a dual goal: they hit their intended targets while evading the gaze of the global security community. The TRU team notes that “By limiting execution to Turkish environments, the operators can reduce exposure to international security researchers and automated analysis systems, which are often hosted outside the target region”.
The attack begins with a classic but effective maneuver—deceptive emails. Telemetry reconstructed by researchers shows a victim typically receives a phishing email through Outlook, which prompts them to click a Google Drive link. This action downloads a malicious Java archive (JAR) file.
Once executed, the malware doesn’t just install; it changes its shape. Using a class named FilePumper, the malware performs self-modification by adding random content to its own archive, inflating the file size by tens of megabytes. As a result, “each deployed instance becomes unique, producing a different file hash (e.g., MD5) on every infected machine”. This polymorphism makes traditional signature-based detection nearly useless.
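The self-modification described above defeats whole-file hashing but not hashing of the archive's code entries: the padding changes the JAR's bytes, while the manifest and class files stay the same. The following Python script, an added example that is not code from Acronis TRU or from the malware, models that behaviour and shows a stable fingerprint. It assumes the padding is stored as an extra archive entry (the report only says random content is added to the archive), and every JAR, class body and padding size it uses is constructed.

```python
"""Stable fingerprint for a JAR whose file hash changes on every host.

Added example (not Acronis TRU code): builds a constructed stand-in JAR,
pads copies of it with random bytes the way the article describes, and
compares whole-file MD5 against a fingerprint computed over the code
entries only. Nothing here is real bytecode or a real sample.
"""
import hashlib
import io
import os
import zipfile

CODE_ENTRY_SUFFIXES = (".class",)
MANIFEST = "META-INF/MANIFEST.MF"


def build_sample_jar() -> bytes:
    """Constructed stand-in for the dropped JAR: a manifest plus two class
    entries whose bodies are placeholders, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"loader-placeholder")
        zf.writestr("FilePumper.class", b"\xca\xfe\xba\xbe" + b"pumper-placeholder")
    return buf.getvalue()


def pad_archive(jar: bytes, pad_size: int) -> bytes:
    """Model of the self-modification: one entry of random bytes is appended.
    Assumption: the padding lives in its own archive entry. The real sample
    inflates the file by tens of megabytes; 64 KiB is enough to show the effect."""
    buf = io.BytesIO(jar)
    with zipfile.ZipFile(buf, "a", zipfile.ZIP_STORED) as zf:
        zf.writestr("pad/" + os.urandom(8).hex() + ".bin", os.urandom(pad_size))
    return buf.getvalue()


def file_md5(data: bytes) -> str:
    """Whole-file MD5, the indicator the padding is designed to break."""
    return hashlib.md5(data).hexdigest()


def code_fingerprint(jar: bytes) -> str:
    """SHA-256 over sorted (entry name, SHA-256 of entry content) for the
    manifest and every .class entry. Non-code entries are ignored, so the
    random padding does not change the value."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        names = sorted(n for n in zf.namelist()
                       if n == MANIFEST or n.endswith(CODE_ENTRY_SUFFIXES))
        for name in names:
            h.update(name.encode("utf-8") + b"\x00")
            h.update(hashlib.sha256(zf.read(name)).digest())
    return h.hexdigest()


def compare_instances(n_instances: int = 3, pad_size: int = 64 * 1024):
    """Pad n copies of the sample JAR and report (distinct MD5 count,
    distinct fingerprint count, whether the fingerprint still matches the
    unpadded original)."""
    base = build_sample_jar()
    copies = [pad_archive(base, pad_size) for _ in range(n_instances)]
    distinct_md5 = len({file_md5(c) for c in copies})
    fingerprints = {code_fingerprint(c) for c in copies}
    return distinct_md5, len(fingerprints), code_fingerprint(base) in fingerprints


if __name__ == "__main__":
    print(compare_instances())  # (3, 1, True)
```

Three padded copies yield three different MD5 values but a single code fingerprint equal to the original's, which is what a hunting query or YARA-style rule should key on instead of the file hash. The same idea works on any JAR-based dropper; the suffix list can be extended if the loader keeps its logic in resources rather than classes.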
JanaWare operates with a modular architecture. After passing geofencing checks, it begins a systematic dismantling of the target’s defenses. It suppresses security notifications, enumerates antivirus products, and deletes Microsoft Volume Shadow Copies to ensure that data recovery is as difficult as possible.
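Shadow copy deletion is noisy on an endpoint, and in this campaign it runs under a Java process, which is a narrow combination most home and SMB hosts never produce legitimately. The Python script below, an added example rather than code from the report, scores constructed process-creation events with that logic. Field names follow Sysmon Event ID 1, and the matched command forms (vssadmin "delete shadows", wmic "shadowcopy delete") are the commonly documented ones; the article does not state the exact command JanaWare uses, so treating those as the trigger is an assumption.

```python
"""Flag Volume Shadow Copy deletion launched from a Java process.

Added example (not from the Acronis report): a small detector over
constructed Sysmon-style process-creation events. Severity is 'high' when
the parent is java/javaw (the JAR delivery chain described in the article),
'medium' for any other shadow-copy deletion, None otherwise.
"""
import re

# Parent images consistent with a JAR running under the JVM.
JAVA_PARENTS = {"java.exe", "javaw.exe"}

# (child image pattern, command-line pattern). Assumption: these are the
# commonly documented deletion forms; the report does not quote the command.
SHADOW_DELETE_RULES = [
    (re.compile(r"vssadmin(\.exe)?", re.I), re.compile(r"\bdelete\s+shadows\b", re.I)),
    (re.compile(r"wmic(\.exe)?", re.I), re.compile(r"\bshadowcopy\s+delete\b", re.I)),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_shadow_copy_deletion(event: dict) -> bool:
    child = basename(event["Image"])
    return any(img.fullmatch(child) and args.search(event["CommandLine"])
               for img, args in SHADOW_DELETE_RULES)


def classify(event: dict):
    """Return 'high', 'medium' or None for one process-creation event."""
    if not is_shadow_copy_deletion(event):
        return None
    if basename(event["ParentImage"]) in JAVA_PARENTS:
        return "high"
    return "medium"


# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventRecordId": 101,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe"},
    {"EventRecordId": 102,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventRecordId": 103,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventRecordId": 104,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe"},
]


def scan(events=SAMPLE_EVENTS):
    """Return (record id, severity) for every event that fires."""
    hits = []
    for ev in events:
        severity = classify(ev)
        if severity:
            hits.append((ev["EventRecordId"], severity))
    return hits


if __name__ == "__main__":
    print(scan())  # [(101, 'high'), (103, 'medium')]
```

Only the javaw-spawned deletion is rated high; the administrator's wmic call from cmd.exe still surfaces at medium so a backup-maintenance script is reviewed rather than silently dropped, and listing shadows is ignored. The same two-level scheme can be reused for the other pre-encryption steps the report lists, such as tampering with security notifications.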
The final stage is the download of the ransomware module itself. This module uses AES encryption and communicates exclusively over the Tor network. Once the encryption is complete, the malware drops a ransom note written in Turkish, often using the prefix ONEMLI_NOT (Important Note).
The monetization strategy behind JanaWare is distinct from the multi-million dollar “Big Game Hunting” seen in corporate breaches. The observed ransom demands range between $200 and $400, suggesting a high-volume approach aimed at individuals and SMBs.
Researchers believe this is a deliberate choice: “This combination of consumer- and SMB-focused victimology, low ransom demands and opportunistic targeting suggests the operation is distinct from enterprise-focused ransomware campaigns, which typically prioritize high-value targets and larger payouts”.
While much of the cybersecurity world focuses on the latest headlines, JanaWare has quietly persisted since at least 2020. With a sample compiled as recently as November 2025, the associated command-and-control infrastructure remains active and evolving.