Source: Firewall Daily – The Cyber Express
Author: Samiksha Jain

JanaWare Ransomware Targets Turkish Users Through Adwind RAT Campaign

A newly identified cyber campaign involving JanaWare ransomware is targeting users in Turkey, with researchers linking the activity to a customized version of the Adwind Remote Access Trojan (RAT). The findings come from an analysis by researchers at Acronis’ Threat Research Unit (TRU), who identified the threat cluster during an investigation into suspicious Java-based malware samples.

According to the researchers, the JanaWare ransomware operation appears to have been active since at least 2020. Evidence from malware samples and infrastructure indicates that the campaign has continued into late 2025, suggesting sustained activity with limited visibility.

The attack relies on a modified Adwind RAT that includes polymorphic capabilities. This allows the malware to change its structure across infections, making detection more difficult. Combined with code obfuscation, these techniques have likely contributed to the campaign remaining relatively unnoticed.

Unlike large ransomware groups that focus on high-value enterprise targets, JanaWare ransomware appears to follow a different strategy. Observed ransom demands range between $200 and $400, pointing to a model that prioritizes volume over large individual payouts.

Phishing Identified as Primary Infection Vector

The JanaWare ransomware campaign primarily spreads through phishing emails. Victims are lured into clicking malicious links, which lead to the download of a Java archive file. In many observed cases, the payload is hosted on cloud storage platforms.

Telemetry data reviewed by researchers shows a consistent attack chain. A phishing email is opened in Microsoft Outlook, followed by a browser session that downloads the malicious file. The file is then executed using Java, triggering the infection.

[Image: JanaWare Ransomware. Source: Acronis’ Threat Research Unit (TRU)]

User reports on public cybersecurity forums also describe similar incidents, supporting the assessment that phishing is the main entry point.
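The attack chain seen in telemetry (Outlook, then a browser download, then Java executing the file) can be expressed as a correlation rule over endpoint events. The following is an added example, not taken from the Acronis report or the original article; the event fields, process name lists, 15-minute window and sample events are assumptions constructed for illustration.

```python
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # assumed browser list
JAVA = {"java.exe", "javaw.exe"}
JAR_ARG = re.compile(r'-jar\s+"?([^"]+?\.jar)"?', re.IGNORECASE)

OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
JAVAW = r"C:\Program Files\Java\jre\bin\javaw.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events (process-create and file-create), not real telemetry.
EVENTS = [
    {"t": 100, "kind": "proc", "image": CHROME, "parent": OUTLOOK, "cmd": ""},
    {"t": 130, "kind": "file", "image": CHROME, "path": r"C:\Users\ayse\Downloads\fatura.jar"},
    {"t": 160, "kind": "proc", "image": JAVAW, "parent": EXPLORER,
     "cmd": r'"javaw.exe" -jar "C:\Users\ayse\Downloads\fatura.jar"'},
    # Benign: installed application started with java -jar, never downloaded by a browser.
    {"t": 300, "kind": "proc", "image": JAVAW, "parent": EXPLORER,
     "cmd": r'javaw.exe -jar C:\Program Files\App\app.jar'},
    # Benign: link clicked in Outlook, but the download is a PDF.
    {"t": 400, "kind": "proc", "image": CHROME, "parent": OUTLOOK, "cmd": ""},
    {"t": 420, "kind": "file", "image": CHROME, "path": r"C:\Users\ayse\Downloads\report.pdf"},
    # Out of window: JAR downloaded long after the last Outlook-launched browser session.
    {"t": 5000, "kind": "file", "image": CHROME, "path": r"C:\Users\ayse\Downloads\tools.jar"},
    {"t": 5010, "kind": "proc", "image": JAVAW, "parent": EXPLORER,
     "cmd": r'javaw.exe -jar C:\Users\ayse\Downloads\tools.jar'},
]

def name(path):
    return ntpath.basename(path).lower()   # ntpath parses Windows paths on any OS

def find_chains(events, window=900):
    """Return (jar_path, click_time, exec_time) per Outlook -> browser -> java -jar chain."""
    last_click = None      # latest browser launch whose parent was Outlook
    downloads = {}         # lowercased jar path -> (click_time, write_time)
    hits = []
    for ev in sorted(events, key=lambda e: e["t"]):
        img = name(ev["image"])
        if ev["kind"] == "proc" and img in BROWSERS and name(ev["parent"]) == "outlook.exe":
            last_click = ev["t"]
        elif ev["kind"] == "file" and img in BROWSERS and ev["path"].lower().endswith(".jar"):
            if last_click is not None and ev["t"] - last_click <= window:
                downloads[ev["path"].lower()] = (last_click, ev["t"])
        elif ev["kind"] == "proc" and img in JAVA:
            m = JAR_ARG.search(ev["cmd"])
            if m and m.group(1).lower() in downloads:
                click, written = downloads[m.group(1).lower()]
                if ev["t"] - written <= window:
                    hits.append((m.group(1), click, ev["t"]))
    return hits
```

Because the rule keys on process lineage and file path rather than file content, it is unaffected by per-infection changes to the JAR's hash.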

Geofencing Restricts JanaWare Ransomware Attacks to Turkey

A key feature of the JanaWare ransomware is its use of geofencing. The malware is designed to execute only on systems that meet specific regional criteria linked to Turkey. It checks system language, locale settings, and external IP geolocation before proceeding. If the system does not match Turkish parameters, the malicious activity is halted. Researchers note that this approach likely serves both operational and defensive purposes. It allows attackers to focus on a specific region while reducing exposure to global security monitoring and automated analysis systems.

Obfuscation and Polymorphism Hinder Detection

The JanaWare ransomware incorporates multiple techniques to evade detection. Researchers identified the use of known obfuscation tools such as Stringer and Allatori, alongside custom methods that complicate analysis. The malware also includes a self-modifying component that alters its file structure during deployment. By adding random data to its Java archive, each instance generates a unique file hash, limiting the effectiveness of signature-based detection. In addition, the malware contains embedded configuration parameters that control its behavior. These include command-and-control server details, communication ports, and authentication values used during initial connections.

Security Controls Disabled Before Encryption Stage

Before encrypting files, the malware attempts to weaken system defenses. It executes commands to disable Microsoft Defender, suppress security alerts, and remove recovery mechanisms such as Volume Shadow Copies. It also interferes with Windows Update and scans for installed antivirus software. These steps reduce the likelihood of detection or recovery once the ransomware payload is activated. The encryption process is carried out by a secondary module delivered after the initial compromise. This module uses AES encryption and communicates with command-and-control infrastructure over the Tor network.

Turkish-Language Ransom Notes Signal Targeted Approach

After encryption, the malware drops ransom notes across affected systems. These notes are written in Turkish and instruct victims to contact the attackers through encrypted communication channels such as qTox or Tor-based websites. Researchers say the consistent use of Turkish-language content, combined with geofencing, indicates a deliberate focus on users in Turkey rather than a broad, global campaign.

The JanaWare ransomware campaign highlights how targeted, lower-profile operations can persist over long periods without drawing significant attention. By focusing on home users and small businesses, and keeping ransom demands relatively low, the attackers appear to maintain a steady but less visible operation. Researchers caution that such localized campaigns may continue to operate alongside larger ransomware groups, adding another layer to the evolving threat landscape.

Source: Firewall Daily – The Cyber Express
Author: Samiksha Jain

75% of Cyberattacks Start with Phishing Emails, UAE Cyber Council Says

The scale of phishing email attacks is growing, and the UAE Cyber Security Council is making it clear that the threat is far from under control. In a recent warning, the Council told Emirates News Agency (WAM) that more than 75% of cyberattacks now begin with phishing emails or fraudulent messages, underlining how attackers continue to rely on simple, deceptive tactics to gain access to sensitive systems. The advisory, shared with WAM, points to email fraud as a primary entry point for breaches involving personal accounts, financial data, and institutional systems. These messages are often designed to look legitimate, making them difficult to detect at a glance and easy to act on without verification.

Phishing Email Attacks Continue at Massive Scale

The numbers behind phishing email attacks highlight why the problem persists. According to the Council, more than 3.4 billion phishing messages are sent globally every day, targeting individuals across sectors and regions. These messages are not limited to basic scams. Many are crafted to steal login credentials, distribute malware, or collect personal information that can later be used in identity theft, extortion, or broader cyber campaigns. The volume ensures that even a small success rate can lead to significant impact. The Council noted that this type of fraud continues to spread widely, often taking advantage of gaps in user awareness and digital behaviour rather than weaknesses in technology alone.

How Phishing Email Attacks Trick Users

The UAE Cyber Security Council outlined how phishing email attacks are typically structured to push users into quick action. Messages may request urgent payments, prompt users to verify accounts, or direct them to login pages through embedded links. In many cases, these emails imitate trusted entities such as banks or service providers. Others rely on offers that appear unusually attractive, drawing users into clicking links or sharing information without proper checks. The Council also pointed to common red flags, including emails with spelling or grammatical errors, unclear sender identities, and requests for personal data without valid justification. Despite being widely recognised indicators, such tactics continue to be used because they still manage to bypass user caution.

User Awareness Remains Central to Prevention

The phishing email attack trend places significant responsibility on users, particularly as attackers continue to refine how these messages are presented. The Council stressed that individuals and employees remain a primary target, making awareness a critical part of any defence strategy. To reduce exposure, the Council advised users to avoid interacting with suspicious links or messages and to refrain from scanning QR codes in untrusted environments. It also emphasised the importance of keeping login credentials private and enabling multi-factor authentication across accounts. Regular system updates and application patches were also highlighted as necessary steps to limit vulnerabilities that may be exploited following a phishing attempt.

Reporting Plays a Key Role in Limiting Damage

Beyond prevention, the UAE Cyber Security Council underlined the importance of timely reporting in addressing phishing email attacks. Users who identify suspicious messages are encouraged to report them immediately rather than ignore or delete them. Early reporting allows security teams to analyse patterns, identify ongoing campaigns, and take steps to block further attacks. In large-scale phishing operations, even a single reported message can help trace and disrupt wider activity. The Council reiterated that quick action at the user level can significantly reduce the overall impact of these attacks.

Phishing Email Attacks Remain a Persistent Threat

The continued dominance of phishing email attacks reflects a broader trend in the cybersecurity landscape. While organisations invest in advanced tools and systems, attackers continue to rely on methods that require minimal technical effort but deliver consistent results. The Council noted that safety in cyberspace has become an ongoing challenge, particularly as digital communication channels expand. Email remains one of the most widely used platforms, making it a reliable target for threat actors. The warning serves as a reminder that phishing is not a declining threat. It remains active, widespread, and closely tied to how users interact with everyday digital tools.