JanaWare Ransomware Targets Turkey via Adwind RAT
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A threat cluster is using a customized variant of the Java-based Adwind RAT to deploy a ransomware payload known as JanaWare. The activity is primarily aimed at users in Turkey, with the malware performing locale and IP-based checks before continuing execution. Researchers have tracked related samples since 2020, while more recent command-and-control activity indicates the campaign remained active in 2025.
Investigation
The Acronis TRU team examined malicious JAR files distributed through phishing emails that were launched through Outlook and Chrome. Once executed, the infection chain moved to javaw.exe, which loaded the tailored Adwind RAT strain and later deployed the JanaWare ransomware component. Analysis also showed the use of polymorphic JAR files, Tor-based command-and-control infrastructure, and a ransom note written in Turkish.
Mitigation
Defenders should block the malicious domain elementsplugin.duckdns.org and any associated ports, while restricting the execution of unsigned Java JAR files across the environment. Security teams should also watch for suspicious chrome.exe command lines tied to downloads from Google Drive and strengthen email protections against phishing delivery. Endpoint defenses should be tuned to identify Adwind RAT behavior as well as suspicious file-encryption activity linked to ransomware execution.
Response
If infection is suspected, isolate affected systems immediately, terminate javaw.exe and any related malicious processes, and capture volatile evidence before shutdown or cleanup. Recovery efforts should prioritize restoring files from verified clean backups. Incident response teams should also gather available command-and-control telemetry and evaluate whether law enforcement notification is appropriate in cases involving ransom demands or extortion.
Attack Flow
graph TB
%% Class Definitions Section
classDef action fill:#99ccff
classDef tool fill:#ffcc99
classDef malware fill:#ff9999
classDef process fill:#ccccff
classDef operator fill:#ff9900
%% Nodes
action_phishing["<b>Action</b> – <b>T1566 Phishing</b>: Send phishing email with malicious Google Drive link"]
class action_phishing action
tool_malicious_link["<b>Tool</b> – <b>Name</b>: Malicious Google Drive link"]
class tool_malicious_link tool
action_user_exec["<b>Action</b> – <b>T1204.001 User Execution</b>: Victim clicks link; Chrome downloads malicious JAR"]
class action_user_exec action
process_chrome["<b>Process</b> – Chrome browser"]
class process_chrome process
malware_obf_jar["<b>Malware</b> – Obfuscated JAR (Allatori/Stringer)"]
class malware_obf_jar malware
process_javaw["<b>Process</b> – javaw.exe (JamPlus)"]
class process_javaw process
action_obfuscation["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b>: Uses polymorphic code, junk insertion, dynamic API resolution"]
class action_obfuscation action
action_persistence["<b>Action</b> – <b>T1547.014 Active Setup</b>: Writes registry entry for auto-start"]
class action_persistence action
action_impair_defense["<b>Action</b> – <b>T1562 Impair Defenses</b>: Disables Microsoft Defender, Windows Update, VSS via PowerShell and registry"]
class action_impair_defense action
process_powershell["<b>Process</b> – PowerShell"]
class process_powershell process
action_recovery_inhibit["<b>Action</b> – <b>T1490 Inhibit System Recovery</b> and <b>T1070.004 File Deletion</b>: Removes shadow copies and deletes files"]
class action_recovery_inhibit action
action_encrypt["<b>Action</b> – <b>T1486 Data Encrypted for Impact</b>: Downloads ransomware module, encrypts files with AES, drops Turkish ransom note"]
class action_encrypt action
malware_ransomware["<b>Malware</b> – Ransomware module"]
class malware_ransomware malware
action_c2_obfusc["<b>Action</b> – <b>T1001 Data Obfuscation</b> and <b>T1102.003 Web Service: One-Way Communication</b>: Uses Tor for C2 traffic"]
class action_c2_obfusc action
tool_tor["<b>Tool</b> – Tor network"]
class tool_tor tool
action_exfil["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b> and <b>T1020 Automated Exfiltration</b>: Sends selected files through Tor channel"]
class action_exfil action
%% Connections
action_phishing -->|delivers| tool_malicious_link
tool_malicious_link -->|opened by victim leads to| action_user_exec
action_user_exec -->|downloads via| process_chrome
process_chrome -->|saves and launches| malware_obf_jar
malware_obf_jar -->|executed by| process_javaw
process_javaw -->|performs| action_obfuscation
process_javaw -->|establishes| action_persistence
action_persistence -->|writes registry for| action_impair_defense
action_impair_defense -->|uses| process_powershell
action_impair_defense -->|enables| action_recovery_inhibit
action_recovery_inhibit -->|precedes| action_encrypt
action_encrypt -->|loads| malware_ransomware
malware_ransomware -->|communicates via| action_c2_obfusc
action_c2_obfusc -->|routes through| tool_tor
tool_tor -->|enables| action_exfil
malware_ransomware -->|exfiltrates data| action_exfil
Detections
- Java App Execution from Suspicious Location (via process_creation)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
- Possible IP Lookup Domain Communications Attempted (via dns)
- Possible Dynamic DNS Service Was Contacted (via dns)
- IOCs (SourceIP) to detect: New JanaWare ransomware targets Turkey via Adwind RAT
- IOCs (DestinationIP) to detect: New JanaWare ransomware targets Turkey via Adwind RAT
- PowerShell Commands to Disable or Weaken Microsoft Defender [Windows Powershell]
- JanaWare Ransomware Delivery via Phishing and Java Archive Execution [Windows Process Creation]
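The behavioural detections listed above and the Mitigation advice (watch chrome.exe command lines tied to Google Drive downloads, restrict JAR execution, block the dynamic-DNS C2 domain) all reduce to field matches over process_creation and dns telemetry. As an added example, not one of the platform's rules and not code from the Acronis write-up, the following Python evaluates simplified Sigma-style selections for four of them over constructed events. The exact selection criteria of the platform's rules are not on this page; the suspicious-directory, dynamic-DNS and IP-lookup lists are assumptions to be tuned per environment, and elementsplugin.duckdns.org is the domain named under Mitigation.

```python
import re

# Constructed sample events (not real telemetry). Field names follow the Sysmon/Sigma
# process_creation and dns conventions used by the detections listed above.
EVENTS = [
    {"category": "process_creation",
     "Image": r"C:\Program Files\Java\jre8\bin\javaw.exe",
     "CommandLine": r'"C:\Program Files\Java\jre8\bin\javaw.exe" -jar C:\Users\ayse\Downloads\fatura.jar'},
    {"category": "process_creation",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --single-argument https://drive.google.com/uc?export=download&id=CONSTRUCTED'},
    {"category": "process_creation",  # benign: JAR launched from an installed application directory
     "Image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "CommandLine": r'"java.exe" -jar C:\Program Files\Vendor\app.jar'},
    {"category": "dns", "QueryName": "elementsplugin.duckdns.org"},  # domain named in the advisory
    {"category": "dns", "QueryName": "api.ipify.org"},                # assumed IP-lookup service
    {"category": "dns", "QueryName": "update.microsoft.com"},         # benign
]

# Assumed lists; tune them to the environment.
SUSPICIOUS_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")
JAVA_IMAGES = ("java.exe", "javaw.exe")
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ifconfig.me", "ip-api.com"}

# Captures the JAR path following "-jar", with or without surrounding quotes.
JAR_ARG = re.compile(r'-jar\s+"?([^"]+?\.jar)', re.I)


def rule_java_suspicious_location(ev):
    """java/javaw launching a JAR that sits in a user-writable directory."""
    if ev.get("category") != "process_creation":
        return False
    if not ev.get("Image", "").lower().endswith(JAVA_IMAGES):
        return False
    m = JAR_ARG.search(ev.get("CommandLine", ""))
    if not m:
        return False
    jar = m.group(1).lower()
    return any(d in jar for d in SUSPICIOUS_DIRS)


def rule_chrome_google_drive(ev):
    """chrome.exe command line referencing a Google Drive download (delivery stage)."""
    if ev.get("category") != "process_creation":
        return False
    if not ev.get("Image", "").lower().endswith("chrome.exe"):
        return False
    cl = ev.get("CommandLine", "").lower()
    return "drive.google.com" in cl or "docs.google.com/uc" in cl


def rule_dynamic_dns(ev):
    """DNS query for a dynamic-DNS provider domain."""
    return ev.get("category") == "dns" and ev.get("QueryName", "").lower().endswith(DYNDNS_SUFFIXES)


def rule_ip_lookup(ev):
    """DNS query for a public-IP lookup service (the RAT's IP-based locale check)."""
    return ev.get("category") == "dns" and ev.get("QueryName", "").lower() in IP_LOOKUP_DOMAINS


RULES = {
    "Java App Execution from Suspicious Location": rule_java_suspicious_location,
    "Chrome Google Drive download": rule_chrome_google_drive,
    "Possible Dynamic DNS Service Was Contacted": rule_dynamic_dns,
    "Possible IP Lookup Domain Communications Attempted": rule_ip_lookup,
}


def evaluate(events):
    """Return (rule name, event index) pairs for every rule that matches, in event order."""
    hits = []
    for i, ev in enumerate(events):
        for name, fn in RULES.items():
            if fn(ev):
                hits.append((name, i))
    return hits


if __name__ == "__main__":
    for name, i in evaluate(EVENTS):
        print(f"[{name}] event #{i}: {EVENTS[i]}")
```

The third process event is deliberately benign so the Java rule shows its false-positive boundary: a JAR under Program Files does not fire, a JAR under Downloads does. Correlating a Java hit with a chrome.exe Google Drive hit on the same host within a few minutes is what ties the two stages of this delivery chain together.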
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands:
An attacker who has gained low-privilege user access wishes to disable Windows Defender to pave the way for ransomware deployment. Leveraging the signed powershell.exe binary (T1218.001), the attacker runs a one-liner that disables real-time monitoring and disables cloud-based protection, thereby weakening the endpoint's defensive posture.

# Disable real-time monitoring and cloud-based protection
Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting Disable

The command line contains the Set-MpPreference keyword, which matches the detection rule's selection criteria.
- Regression Test Script: The following self-contained PowerShell script reproduces the attack and ensures the telemetry is generated.

# ==============================
# Simulation: Disable Microsoft Defender
# ==============================
try {
    Write-Host "[*] Disabling real-time monitoring..."
    Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting Disable
    Write-Host "[+] Defender disabled."
} catch {
    Write-Error "Failed to modify Defender preferences: $_"
}
- Cleanup Commands: Restore the original Defender configuration to avoid leaving the endpoint exposed.

# Re-enable real-time monitoring and cloud protection
Set-MpPreference -DisableRealtimeMonitoring $false -MAPSReporting Advanced
Write-Host "[*] Defender restored to default state."
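A rule that keys only on the Set-MpPreference keyword, as the narrative above describes, fires on the cleanup command just as it does on the simulation, which makes the regression test noisier than it needs to be. As an added example that is not the platform's rule, the following Python parses the parameters that follow Set-MpPreference in a PowerShell command line and reports whether they weaken Defender (real-time, behaviour or IOAV protection set to $true, MAPSReporting set to Disable or 0) or restore it. The sample command lines are constructed; the parameter names and the MAPSReporting values (Disabled/0, Basic/1, Advanced/2) are those of the Defender cmdlet.

```python
import re

# Set-MpPreference parameters and the values that turn a protection OFF.
# Keys are lowercase; values are compared case-insensitively.
WEAKENING = {
    "disablerealtimemonitoring": {"$true", "1"},
    "disablebehaviormonitoring": {"$true", "1"},
    "disableioavprotection": {"$true", "1"},
    "mapsreporting": {"disable", "disabled", "0"},
}
# The same parameters with values that turn the protection back ON.
RESTORING = {
    "disablerealtimemonitoring": {"$false", "0"},
    "disablebehaviormonitoring": {"$false", "0"},
    "disableioavprotection": {"$false", "0"},
    "mapsreporting": {"basic", "advanced", "1", "2"},
}

SET_MP = re.compile(r"set-mppreference\b", re.I)
# "-Name value" or "-Name:value"; the value may be a $true/$false literal, a word or a number.
PARAM = re.compile(r"-(\w+)(?::|\s+)(\$?\w+)", re.I)

# Constructed process_creation command lines (not real telemetry).
SAMPLES = [
    r'powershell.exe -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting Disable"',
    r'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $false -MAPSReporting Advanced"',
    r'powershell.exe -Command "Set-MpPreference -ScanScheduleDay Sunday"',
    r'powershell.exe -Command "Get-MpPreference"',
]


def classify(command_line):
    """Return ('weaken', params) if any parameter turns a protection off,
    ('restore', params) if parameters only turn protections back on,
    ('other', []) if Set-MpPreference is absent or touches unrelated settings."""
    m = SET_MP.search(command_line)
    if not m:
        return ("other", [])
    weakened, restored = [], []
    # Only parameters after the cmdlet name belong to it; "-Command" before it is powershell.exe's own.
    for name, value in PARAM.findall(command_line[m.end():]):
        key, val = name.lower(), value.lower()
        if val in WEAKENING.get(key, ()):
            weakened.append(name)
        elif val in RESTORING.get(key, ()):
            restored.append(name)
    if weakened:
        return ("weaken", weakened)
    if restored:
        return ("restore", restored)
    return ("other", [])


def scan(command_lines):
    """Classify every command line; alert-worthy entries are those with verdict 'weaken'."""
    return [(i, classify(cl)) for i, cl in enumerate(command_lines)]


if __name__ == "__main__":
    for i, (verdict, params) in scan(SAMPLES):
        print(f"#{i} {verdict:7s} {params}")
```

Against the samples the simulation line classifies as weaken, the cleanup line as restore, and the schedule change as other, so a rule built on this logic alerts once per regression run and still records the restore as context. Keep the keyword match as a lower-severity fallback: Set-MpPreference called with parameters outside the two tables is still worth a look.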