JanaWare Ransomware Targets Turkish Users via Customized Adwind RAT
Malware coverage focused on infection paths, containment steps and indicators defenders should watch.

Trust note:This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for infrastructure impact, containment order and whether persistence or lateral-movement claims are supported by evidence. His administrator note is concrete: isolate the host or segment first, protect logs and network telemetry, then rebuild, rotate or patch only within the scope supported by the 1 corroborating source, the same cautious sequence he would use around managed router and server environments.
Review our editorial policy or send corrections to [email protected].
Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.
A sophisticated ransomware campaign named JanaWare is actively targeting users in Turkey by deploying a tailored version of the Adwind Remote Access Trojan (RAT). The attackers employ stealthy delivery methods, geographic filtering, and polymorphic malware techniques to evade detection and maintain persistence.
What happened
A new ransomware campaign, identified as JanaWare, has been discovered targeting computer systems specifically in Turkey. The threat actors behind this campaign utilize a customized variant of the Adwind Remote Access Trojan (RAT) as the initial infection vector. Once the RAT gains access, the ransomware payload is deployed, encrypting victims' files and demanding ransom payments.
The attackers have implemented several advanced tactics to enhance the campaign's effectiveness and stealth, including polymorphic malware that changes its code to avoid signature-based detection, and geographic restrictions that limit infections to Turkish IP addresses, thereby reducing exposure to international cybersecurity defenses.
Confirmed facts
- JanaWare is a ransomware strain actively targeting Turkish users.
- The infection begins with a tailored version of the Adwind RAT, a well-known cross-platform remote access Trojan.
- The malware employs polymorphic techniques to evade antivirus and endpoint detection systems.
- Geographic filtering restricts the attack to systems located within Turkey.
- The campaign has demonstrated long-term activity, indicating sustained efforts by the threat actors.
Who is affected
The primary victims are individual users and organizations operating within Turkey. Given the geographic filtering, systems outside Turkey appear to be largely unaffected by this specific campaign. However, any Turkish entity with internet-facing systems or susceptible endpoints could be at risk.
What to do now
If you are based in Turkey or manage systems within the country, consider the following immediate steps:
- Identify potential infections: Monitor for unusual system behavior, unexpected file encryption, or alerts from security tools indicating Adwind RAT or ransomware activity.
- Isolate infected machines: Disconnect compromised devices from the network to prevent lateral movement.
- Restore from backups: If backups exist, restore affected data after ensuring the malware is fully removed.
- Report incidents: Notify local cybersecurity authorities or CERT teams to aid in tracking and mitigating the campaign.
- Update security software: Ensure antivirus and endpoint detection systems are up to date with the latest signatures and heuristics.
Why this matters
The JanaWare campaign exemplifies a growing trend of highly targeted ransomware attacks that leverage sophisticated malware variants and operational security measures to evade detection. By focusing on a specific geographic region and employing polymorphic code, the attackers increase their chances of success and complicate incident response efforts.
This campaign also highlights the persistent threat posed by RATs like Adwind, which serve as versatile tools for initial compromise, enabling attackers to deploy ransomware or other malicious payloads.
What defenders should verify
Security teams should:
- Check for indicators of compromise (IOCs) related to Adwind RAT and JanaWare ransomware.
- Review network logs for unusual connections to known Adwind command-and-control servers.
- Validate endpoint protection solutions are capable of detecting polymorphic malware.
- Confirm geographic filtering mechanisms are not inadvertently allowing malicious traffic.
- Conduct threat hunting exercises focusing on Turkish IP ranges and systems.
Prevention
To reduce the risk of infection by JanaWare or similar ransomware campaigns, organizations and users should:
- Implement strong email filtering and phishing awareness training to prevent initial RAT delivery.
- Maintain regular, offline backups of critical data.
- Apply timely security patches and updates to operating systems and applications.
- Use multi-factor authentication to limit unauthorized access.
- Employ network segmentation to contain potential infections.
- Monitor for anomalous activity indicative of RAT presence or ransomware behavior.
Sources and corroboration
This article is based on detailed analysis and reporting from GBHackers Security, a globally trusted cybersecurity news platform, which provided comprehensive insights into the JanaWare ransomware campaign and its use of a customized Adwind RAT variant targeting Turkish users.
Source: [GBHackers Security](https://gbhackers.com/janaware-ransomware-attack/)
Sources used for this article
gbhackers.com
