New ransomware targets Turkey via Adwind RAT
A threat cluster has been identified leveraging a customized Adwind (Java RAT) variant with polymorphic characteristics to deliver JanaWare ransomware. The campaign specifically targets Turkish users through geofencing mechanisms that check the system locale and the external IP geolocation. Active since at least 2020, the operation primarily affects home users and small to medium-sized businesses. Initial access occurs via phishing emails carrying malicious Java archives distributed through Google Drive links. The ransomware employs AES encryption and communicates over the Tor network, demanding modest ransoms of between $200 and $400. The malware uses multiple obfuscation techniques, including the Stringer and Allatori obfuscators, implements file pumping for polymorphism, and disables Windows security features before encryption. Victims are instructed to contact the attackers through qTox or dedicated Tor onion sites.
AI Analysis
Technical Summary
This threat involves a customized variant of the Adwind Java RAT with polymorphic capabilities used to deliver JanaWare ransomware. The campaign specifically targets Turkish users by checking system locale and external IP geolocation. Infection vectors include phishing emails with malicious Java archive attachments hosted on Google Drive. The ransomware encrypts files using AES encryption after disabling Windows security features. It uses obfuscators such as Stringer and Allatori and implements file pumping for polymorphism to avoid detection. Communication with attackers occurs over Tor networks, and ransom demands range from $200 to $400. Indicators include specific file hashes and domains related to the campaign.
Potential Impact
The ransomware encrypts victim files using AES, rendering data inaccessible until ransom payment. It disables Windows security features, increasing the likelihood of successful encryption and persistence. The campaign targets home users and small to medium-sized businesses in Turkey, potentially causing operational disruption and financial loss. Ransom demands are relatively modest but may still impact victims financially. There are no known exploits in the wild beyond this campaign, and no official patch or remediation is available as this is malware delivered via phishing rather than a software vulnerability.
Mitigation Recommendations
No official patch or fix is available since this is malware delivered via phishing. Mitigation should focus on user awareness to avoid phishing emails, blocking malicious Java archive attachments, and restricting execution of unauthorized Java applications. Network defenses should monitor and block known malicious domains and IPs associated with the campaign. Endpoint security solutions should be updated to detect obfuscation techniques used by this malware. Since the ransomware disables Windows security features, ensuring security software is tamper-resistant and employing application whitelisting can help. Victims should avoid paying ransom and instead restore data from backups if available.
Affected Countries
Turkey
Indicators of Compromise
- hash: 4f0444e11633a331eddb0deeec17fd69
- hash: b2d5bbf7746c2cb87d5505ced8d6c4c6
- url: http://elementsplugin.duckdns.org:49152
- url: http://elementsplugin.duckdns.org:49153
- domain: elementsplugin.duckdns.org
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.acronis.com/en/tru/posts/new-janaware-ransomware-targets-turkey-via-adwind-rat/
- Adversary: null
- Pulse Id: 69dfa90cbce3255033d01a33
- Threat Score: null
Threat ID: 69dfb66f82d89c981f6a420e
Added to database: 4/15/2026, 4:01:51 PM
Last enriched: 4/15/2026, 4:17:08 PM
Last updated: 5/31/2026, 6:41:04 AM