{ "Event": { "analysis": "1", "date": "2026-04-14", "extends_uuid": "", "info": "[Threat Intel] New ransomware targets Turkey via Adwind RAT", "protected": false, "publish_timestamp": "1776682911", "published": true, "threat_level_id": "2", "timestamp": "1776682911", "uuid": "271ffeb6-28ce-46fe-8819-f515c276a358", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#7da4ad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"", "relationship_type": "" }, { "colour": "#b2a633", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#5539fe", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#bf01b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#b76d96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#00f752", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"", "relationship_type": "" }, { "colour": "#e43954", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#36d931", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#3c0f50", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#297c25", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:target-information=\"Turkey\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"AdWind\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776308420", "to_ids": false, "type": "link", "uuid": "8c311523-6d5f-405c-ab07-0c6470fcaeb4", "value": "https://www.acronis.com/en/tru/posts/new-janaware-ransomware-targets-turkey-via-adwind-rat/", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1776308420", "to_ids": false, "type": "text", "uuid": "8e4fb3c1-048a-4fa7-beb4-b53bab8e4321", "value": "A threat cluster has been identified leveraging a customized Adwind (Java RAT) variant with polymorphic characteristics to deliver JanaWare ransomware. The campaign specifically targets Turkish users through geofencing mechanisms that check system locale and external IP geolocation. Active since at least 2020, the operation primarily affects home users and small to medium-sized businesses. Initial access occurs via phishing emails with malicious Java archives distributed through Google Drive links. The ransomware employs AES encryption and communicates over Tor networks, demanding modest ransoms between $200-$400. The malware uses multiple obfuscation techniques including Stringer and Allatori obfuscators, implements file pumping for polymorphism, and disables Windows security features before encryption. Victims are instructed to contact attackers through qTox or dedicated Tor onion sites." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1776308420", "to_ids": false, "type": "text", "uuid": "75a1eb7e-1694-40e7-a7ac-a2db63196019", "value": "Name: New ransomware targets Turkey via Adwind RAT\nAuthor: AlienVault\nAdversary: \nTags: [\"adwind\", \"phishing campaign\", \"janaware\"]\nTgtd countries: []\nMlwr families: [\"JanaWare\", \"jRAT - S0283\", \"JSocket\", \"AlienSpy\", \"Frutas\", \"Sockrat\", \"Unrecom\", \"jFrutas\", \"Adwind\", \"jBiFrost\", \"Trojan.Maljava\", \"Java RAT\"]\nAttack_ids: [\"T1036.005\", \"T1489\", \"T1204.002\", \"T1566.001\", \"T1082\", \"T1140\", \"T1112\", \"T1083\", \"T1059.001\", \"T1547.001\", \"T1048\", \"T1562.001\", \"T1027\", \"T1486\", \"T1573\", \"T1027.002\", \"T1071.001\", \"T1105\", \"T1490\"]\nIndustries: []" }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:20/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776654507", "to_ids": true, "type": "md5", "uuid": "41f93708-1c59-410a-8fd5-11404dda675c", "value": "b2d5bbf7746c2cb87d5505ced8d6c4c6", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656994", "to_ids": true, "type": "url", "uuid": "30865f69-7b64-47cd-9693-0d0f7bb91a94", "value": "http://elementsplugin.duckdns.org:49152", "Tag": [ { "colour": "#f08989", "local": false, "name": "NotFoundError", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776657015", "to_ids": true, "type": "url", "uuid": "72496645-997b-4f1b-b2f8-40ed5331daaf", "value": "http://elementsplugin.duckdns.org:49153", "Tag": [ { "colour": "#f08989", "local": false, "name": "NotFoundError", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776657036", "to_ids": true, "type": "hostname", "uuid": "d2d413c5-4e8c-4239-b347-ef73bcc2bbe3", "value": "elementsplugin.duckdns.org", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776657057", "to_ids": true, "type": "ip-dst", "uuid": "d3218231-2256-4061-a04d-8575561f0458", "value": "151.243.109.115", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1776657079", "uuid": "aedcd1b2-7b91-4f75-9174-eb5b4da073dd", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1776657079", "to_ids": true, "type": "md5", "uuid": "a2877e05-fa9c-4f42-9218-58d288a266b1", "value": "4f0444e11633a331eddb0deeec17fd69", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1776654505", "to_ids": true, "type": "sha1", "uuid": "9f661f0d-d7ed-4b31-9130-9ebe6f6e2572", "value": "fe9cc76ea60473d615b5858d5b511b2c9d22bce5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1776654505", "to_ids": true, "type": "sha256", "uuid": "bdcaee08-fcdc-43e6-a1f3-0b994fedf540", "value": "fb5fe19c28f8f44026b0c46939068480f9f005b252961ea782e1ce59b8f5dc59", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1776654365", "to_ids": true, "type": "ssdeep", "uuid": "d039e47e-1dca-4791-b622-e49ffb1677a8", "value": "6144:a1u0Vxj4ObWtgu7FXx/2jyD+UkVbQaaKzj7XbTiADYjVYRUcE5tAUn6O6:Onxj4OSgYFB/2WSh2KzHqADYjKR3O6" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1776654365", "to_ids": false, "type": "size-in-bytes", "uuid": "c9b39baf-fb33-4a4b-b30f-2782e41992ba", "value": "413015" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1776654365", "to_ids": true, "type": "vhash", "uuid": "df01c0f9-5985-4abc-be11-05ca2a45a874", "value": "745bd820641b497de2c9635d96e7f271" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1776654365", "to_ids": true, "type": "filename", "uuid": "30e6e522-fc00-4424-ab2b-d0f18a55107d", "value": "PAZARTES\u0130 G\u00dcNCEL S\u0130PAR\u0130\u015e L\u0130STES\u0130.jar" }, { "category": "Other", "comment": "Checked: 20/04/2026\nLast-scan\t: 19/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1776654365", "to_ids": false, "type": "text", "uuid": "55174f69-9d53-4f20-ac54-85a5d9e909db", "value": "Type Description: JAR\nMicrosoft: None\nVT Total Detection:21/66\nFirst Submission:2025-11-17T07:10:33.000000+00:00\nLast Submission:2025-11-19T11:01:11.000000+00:00" } ] } ] } }