JanaWare
JanaWare is a ransomware family used in a geographically focused campaign targeting victims in Turkey, primarily home users and small to medium-sized businesses. Reporting attributes delivery to a customized Java-based Adwind RAT used as a loader and staging mechanism. Initial access is typically via phishing emails that deliver or link to malicious Java archive (JAR) files, including observed chains where Outlook opens a phishing message, Chrome retrieves a Google Drive-hosted payload, and the JAR executes via javaw.exe.
The malware is heavily obfuscated and polymorphic. Reported protections include the Java obfuscators Stringer and Allatori, custom class loaders, and a FilePumper component that modifies its own JAR by adding random content, inflating file size and causing different hashes per deployment. Embedded configuration reportedly includes a command-and-control domain, TCP ports, Tor-related paths, a version identifier, persistence-related settings, and a static PASSWORD value used both for initial authentication and for decrypting downloaded payloads.
JanaWare enforces strict geofencing. It checks system locale, language, country settings, and external IP geolocation, and proceeds only when Turkish regional indicators are present, including a country code beginning with TR. If the checks pass, the malware executes PowerShell and registry commands to weaken defenses, including attempts to disable or reduce Microsoft Defender protections, suppress security notifications, remove Volume Shadow Copy recovery mechanisms, hide ransomware protection features, enumerate installed antivirus products, and interfere with endpoint protection integrations.
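The delivery and preparation chain described above (mail client or browser launching a JAR through javaw.exe, then Java spawning PowerShell or other tooling that tampers with Defender or shadow copies) is what a detection engineer would key on. The following is an added example written for this profile, not code from the page or from any vendor: it runs two parent/child rules over constructed process-creation events. The event layout (pid, ppid, image, cmdline) is an assumed generic schema, and the tampering command-line fragments it matches are assumed indicators rather than values quoted from the reporting.

```python
"""Process-chain detection for the JanaWare delivery and preparation stages.

Added example, not code from the page or from any vendor: it flags the chain
the profile describes (a mail client or browser launching javaw.exe with a
.jar argument, then javaw.exe spawning PowerShell or other tooling that
weakens Defender or deletes Volume Shadow Copies). The event layout
(pid/ppid/image/cmdline dicts) is an assumed generic schema, and every event
below is constructed for illustration.
"""
import re
from typing import Dict, List

# Command-line fragments associated with Defender tampering and shadow-copy
# removal (assumed indicators, not quoted from the page).
TAMPER_PATTERNS = re.compile(
    r"Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring|DisableAntiSpyware"
    r"|vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete",
    re.IGNORECASE,
)
MAIL_OR_BROWSER = {"outlook.exe", "chrome.exe"}
JAVA_HOSTS = {"javaw.exe", "java.exe"}
TAMPER_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "reg.exe", "vssadmin.exe", "wmic.exe"}

# Constructed sample telemetry: pids 100-500 model the reported chain,
# 600-700 model a benign Java application launched from Explorer.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "cmdline": "chrome.exe https://drive.google.com/file/d/CONSTRUCTED-ID"},
    {"pid": 300, "ppid": 200, "image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\Users\user\Downloads\payload.jar"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 600, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\Tools\app.jar"},
]


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event: Dict, by_pid: Dict[int, Dict], max_depth: int = 4) -> List[Dict]:
    """Walk ppid links upward, nearest parent first, stopping at unknown pids."""
    chain, cur = [], event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per matched rule, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        img = basename(ev["image"])
        # Rule 1: Java launching a JAR with a mail client or browser in its ancestry.
        if img in JAVA_HOSTS and ".jar" in ev["cmdline"].lower():
            chain = [basename(a["image"]) for a in ancestors(ev, by_pid)]
            if any(name in MAIL_OR_BROWSER for name in chain):
                findings.append({"rule": "jar_launched_from_mail_or_browser", "pid": ev["pid"], "chain": chain})
        # Rule 2: a child of Java running defense-tampering or shadow-copy deletion commands.
        if img in TAMPER_HOSTS:
            parent = by_pid.get(ev["ppid"])
            if parent and basename(parent["image"]) in JAVA_HOSTS and TAMPER_PATTERNS.search(ev["cmdline"]):
                findings.append({"rule": "java_child_tampers_with_defenses", "pid": ev["pid"], "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 walks the ancestry rather than checking only the direct parent because the reported chain has Chrome between Outlook and javaw.exe; rule 2 stays at the direct parent so that the benign Java application launched from Explorer (pids 600 and 700) produces nothing.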
After preparation, the Adwind-based loader downloads a Java ransomware plugin associated with JanaWare. The ransomware module reportedly communicates exclusively over Tor, uses AES encryption, and can encrypt files across available drives; reporting also states it can delete and exfiltrate files. During the C2 handshake it uses the prefix JANAWARE. It drops Turkish-language ransom notes in multiple folders using partially randomized filenames with the fixed prefix ONEMLI_NOT. Victims are instructed to contact the operators via qTox and in some cases through a Tor Browser-accessible .onion site. Observed ransom demands were approximately $200 to $400, consistent with a low-value, high-volume extortion model.
The campaign has been assessed as active since at least 2020, with reporting indicating infrastructure remained active as late as November 2025. High-confidence infrastructure and sample indicators reported for the family include elementsplugin.duckdns.org resolving to 151.243.109.115 on ports 49152 and 49153; the sample hash 4f0444e11633a331eddb0deeec17fd69 associated with Adwind RAT; and the sample hash b2d5bbf7746c2cb87d5505ced8d6c4c6 associated with the JanaWare ransomware module.
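The indicators above, together with the ONEMLI_NOT note prefix and the JANAWARE handshake prefix from the previous paragraph, are enough to build a first-pass hunt across DNS, connection, file-hash and file-name telemetry. The block below is an added example written for this profile, not code from the page or from any vendor tooling: the indicator values are the ones the profile states, while every telemetry record is a constructed sample and the record layout is an assumed generic schema.

```python
"""IOC and artifact hunt built from the indicators quoted in the profile.

Added example, not code from the page or from any vendor tooling. The
indicator values (domain, IP, ports, MD5-length hashes, ransom-note prefix,
handshake prefix) are those stated in the profile; the telemetry records are
constructed samples and their field layout is an assumed generic schema.
"""
import re
from typing import Dict, List

C2_DOMAIN = "elementsplugin.duckdns.org"
C2_IP = "151.243.109.115"
C2_PORTS = {49152, 49153}
KNOWN_MD5 = {
    "4f0444e11633a331eddb0deeec17fd69": "Adwind RAT",
    "b2d5bbf7746c2cb87d5505ced8d6c4c6": "JanaWare ransomware module",
}
RANSOM_NOTE_RE = re.compile(r"^ONEMLI_NOT", re.IGNORECASE)  # NTFS names are case-insensitive
HANDSHAKE_PREFIX = b"JANAWARE"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def norm_domain(name: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often keep."""
    return name.strip().rstrip(".").lower()


def hunt_network(records: List[Dict]) -> List[Dict]:
    """Match DNS queries and connections against the reported C2 infrastructure."""
    hits = []
    for rec in records:
        reasons = []
        query = norm_domain(rec.get("query") or "")
        if query == C2_DOMAIN or query.endswith("." + C2_DOMAIN):
            reasons.append("c2-domain")
        if rec.get("dst_ip") == C2_IP:
            reasons.append("c2-ip")
            if rec.get("dst_port") in C2_PORTS:
                reasons.append("c2-port")
        if reasons:
            hits.append({"host": rec.get("host"), "reasons": reasons})
    return hits


def hunt_hashes(observed: Dict[str, str]) -> List[Dict]:
    """observed maps file path -> MD5 hex; returns matches against the known samples."""
    return [{"path": path, "label": KNOWN_MD5[digest.lower()]}
            for path, digest in observed.items() if digest.lower() in KNOWN_MD5]


def find_ransom_notes(paths: List[str]) -> List[str]:
    """Partially randomised note names all keep the ONEMLI_NOT prefix."""
    return [p for p in paths if RANSOM_NOTE_RE.match(basename(p))]


def is_handshake(payload: bytes) -> bool:
    """True when a captured stream starts with the reported C2 handshake prefix."""
    return payload.startswith(HANDSHAKE_PREFIX)


def hunt(network: List[Dict], hashes: Dict[str, str], paths: List[str], payloads: List[bytes]) -> Dict:
    """Run every check and return one report keyed by telemetry type."""
    return {
        "network": hunt_network(network),
        "hashes": hunt_hashes(hashes),
        "ransom_notes": find_ransom_notes(paths),
        "handshakes": [i for i, p in enumerate(payloads) if is_handshake(p)],
    }


# Constructed sample telemetry (not real captures).
NETWORK = [
    {"host": "ws-17", "query": "ElementsPlugin.DuckDNS.org."},
    {"host": "ws-17", "dst_ip": "151.243.109.115", "dst_port": 49153},
    {"host": "ws-22", "query": "www.example.com", "dst_ip": "93.184.216.34", "dst_port": 443},
]
HASHES = {
    r"C:\Users\user\Downloads\payload.jar": "4F0444E11633A331EDDB0DEEEC17FD69",
    r"C:\Tools\app.jar": "d41d8cd98f00b204e9800998ecf8427e",
}
PATHS = [
    r"C:\Users\user\Documents\ONEMLI_NOT_a7f3.txt",
    r"C:\Users\user\Desktop\notes.txt",
    r"C:\Users\user\Desktop\onemli_not_x1.html",
]
PAYLOADS = [b"JANAWARE constructed-handshake", b"GET / HTTP/1.1\r\n"]

if __name__ == "__main__":
    print(hunt(NETWORK, HASHES, PATHS, PAYLOADS))
```

Domain and hash comparisons are normalised (case, trailing dot) because a duckdns.org name or an MD5 from a sandbox report rarely arrives in the same form as the indicator; the port check is recorded as a separate reason so an analyst can see whether a connection to the IP also used one of the two reported ports.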
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 2 techniques
Persistence: 1 technique
Stealth: 5 techniques
JanaWare uses multiple layers of obfuscation to hinder analysis. Researchers observed the use of publicly available tools like Stringer and Allatori, combined with custom class loaders that complicate reverse engineering.
The malware modifies its own JAR file using a component called “FilePumper,” inserting random data to generate unique file hashes for each infection.
Removes recovery mechanisms such as Microsoft Volume Shadow Copy Service (VSS).
Defense Impairment: 1 technique
Discovery: 3 techniques
Command and Control: 3 techniques
Additionally, the malware contains hardcoded configuration data, including command-and-control (C2) infrastructure, authentication tokens, and Tor network settings for anonymized communication.
Impact: 2 techniques
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family, and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Ransomware targeting home users and SMBs in Turkey. It is selectively dropped after initial compromise, performs geofencing for Turkish systems, weakens defenses via PowerShell and registry changes, encrypts files with AES, sends the key to C2 over Tor, and drops Turkish-language ransom notes.
Regionally focused ransomware targeting users in Turkey. It uses phishing emails and Google Drive-hosted JAR payloads, applies geofencing checks for Turkish locale indicators, disables security defenses via PowerShell, downloads a Java-based ransomware module, encrypts files with AES, and communicates with C2 over Tor.
Localized ransomware strain targeting victims in Turkey, encrypting victim data and using low ransom demands to support a high-volume profit model. It applies execution constraints based on system locale and IP geolocation and delivers ransom notes in Turkish.
Ransomware targeting users in Turkey. It is selectively deployed after reconnaissance via a customized Adwind RAT, then encrypts documents, archives, images, and databases, renames files with a campaign-specific extension, and drops a ransom note with Turkish-language instructions.