HackWatch
! High riskMW Malware

JanaWare Ransomware Targets Turkish Users via Customized Adwind RAT

Malware coverage focused on infection paths, containment steps and indicators defenders should watch.

Malware activity flagged. Isolate affected systems, preserve logs and block persistence or command-and-control channels before recovery.
JanaWare Ransomware Targets Turkish Users via Customized Adwind RAT - HackWatch malware alert image
HackWatch malware alert image for: JanaWare Ransomware Targets Turkish Users via Customized Adwind RAT
Marcin Pocztowski

Infrastructure Security Editor

Marcin Pocztowski

Infrastructure and Vulnerability Response

By: Marcin Pocztowski

Published: Apr 20, 2026

Updated: May 01, 2026

Incident status: Active threat

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note:This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for infrastructure impact, containment order and whether persistence or lateral-movement claims are supported by evidence. His administrator note is concrete: isolate the host or segment first, protect logs and network telemetry, then rebuild, rotate or patch only within the scope supported by the 1 corroborating source, the same cautious sequence he would use around managed router and server environments.

Review our editorial policy or send corrections to [email protected].

Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

A sophisticated ransomware campaign named JanaWare is actively targeting users in Turkey by deploying a tailored version of the Adwind Remote Access Trojan (RAT). The attackers employ stealthy delivery methods, geographic filtering, and polymorphic malware techniques to evade detection and maintain persistence.

What happened

A new ransomware campaign, identified as JanaWare, has been discovered targeting computer systems specifically in Turkey. The threat actors behind this campaign utilize a customized variant of the Adwind Remote Access Trojan (RAT) as the initial infection vector. Once the RAT gains access, the ransomware payload is deployed, encrypting victims' files and demanding ransom payments.

The attackers have implemented several advanced tactics to enhance the campaign's effectiveness and stealth, including polymorphic malware that changes its code to avoid signature-based detection, and geographic restrictions that limit infections to Turkish IP addresses, thereby reducing exposure to international cybersecurity defenses.

Confirmed facts

  • JanaWare is a ransomware strain actively targeting Turkish users.
  • The infection begins with a tailored version of the Adwind RAT, a well-known cross-platform remote access Trojan.
  • The malware employs polymorphic techniques to evade antivirus and endpoint detection systems.
  • Geographic filtering restricts the attack to systems located within Turkey.
  • The campaign has demonstrated long-term activity, indicating sustained efforts by the threat actors.

Who is affected

The primary victims are individual users and organizations operating within Turkey. Given the geographic filtering, systems outside Turkey appear to be largely unaffected by this specific campaign. However, any Turkish entity with internet-facing systems or susceptible endpoints could be at risk.

What to do now

If you are based in Turkey or manage systems within the country, consider the following immediate steps:

  1. Identify potential infections: Monitor for unusual system behavior, unexpected file encryption, or alerts from security tools indicating Adwind RAT or ransomware activity.
  2. Isolate infected machines: Disconnect compromised devices from the network to prevent lateral movement.
  3. Restore from backups: If backups exist, restore affected data after ensuring the malware is fully removed.
  4. Report incidents: Notify local cybersecurity authorities or CERT teams to aid in tracking and mitigating the campaign.
  5. Update security software: Ensure antivirus and endpoint detection systems are up to date with the latest signatures and heuristics.

Why this matters

The JanaWare campaign exemplifies a growing trend of highly targeted ransomware attacks that leverage sophisticated malware variants and operational security measures to evade detection. By focusing on a specific geographic region and employing polymorphic code, the attackers increase their chances of success and complicate incident response efforts.

This campaign also highlights the persistent threat posed by RATs like Adwind, which serve as versatile tools for initial compromise, enabling attackers to deploy ransomware or other malicious payloads.

What defenders should verify

Security teams should:

  • Check for indicators of compromise (IOCs) related to Adwind RAT and JanaWare ransomware.
  • Review network logs for unusual connections to known Adwind command-and-control servers.
  • Validate endpoint protection solutions are capable of detecting polymorphic malware.
  • Confirm geographic filtering mechanisms are not inadvertently allowing malicious traffic.
  • Conduct threat hunting exercises focusing on Turkish IP ranges and systems.

Prevention

To reduce the risk of infection by JanaWare or similar ransomware campaigns, organizations and users should:

  • Implement strong email filtering and phishing awareness training to prevent initial RAT delivery.
  • Maintain regular, offline backups of critical data.
  • Apply timely security patches and updates to operating systems and applications.
  • Use multi-factor authentication to limit unauthorized access.
  • Employ network segmentation to contain potential infections.
  • Monitor for anomalous activity indicative of RAT presence or ransomware behavior.

Sources and corroboration

This article is based on detailed analysis and reporting from GBHackers Security, a globally trusted cybersecurity news platform, which provided comprehensive insights into the JanaWare ransomware campaign and its use of a customized Adwind RAT variant targeting Turkish users.

Source: [GBHackers Security](https://gbhackers.com/janaware-ransomware-attack/)

Sources used for this article

gbhackers.com

Marcin Pocztowski

Real reviewer profile

Marcin Pocztowski

Infrastructure Security Editor at HackWatch.io

Open reviewer profile

Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this malware alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "JanaWare Ransomware Targets Turkish Users via Customized Adwind RAT".

Technical review: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Server and network infrastructure administrationKnown exploited vulnerabilities and patch prioritizationCVSS v4.0 and CISA KEV triage