ASO RAT, Adwind/JanaWare, and Warlock LockBit: Multi-Vector Threat Analysis — Enterprise Detection Pack

Security Arsenal Team
April 15, 2026

Date: 2026-04-16
Source: AlienVault OTX (Open Threat Exchange)
TLP: White
Author: Security Arsenal Research Team


Threat Summary

Recent OTX pulses cover three unrelated but currently active campaigns, ranging from mobile surveillance to enterprise ransomware:

  1. ASO RAT: A targeted Android surveillance campaign using Arabic-language lures to infect Syrian government and media entities, with C2 on dynamic DNS (DDNS) infrastructure.
  2. Adwind/JanaWare: A polymorphic Java RAT variant that delivers JanaWare ransomware and geofences itself to Turkish users and SMBs.
  3. Warlock (LockBit-linked): The Warlock group, tracked in the pulse as a LockBit affiliate, which uses a Bring Your Own Vulnerable Driver (BYOVD) technique with the NSec driver to kill security tooling before deploying ransomware in US, German, and Russian organizations.

Together the three campaigns touch mobile endpoints (trojanized apps), conventional desktops (Java-based payloads), and Windows servers and workstations (abuse of a signed but vulnerable kernel driver).


Threat Actor / Malware Profile

ASO RAT

  • Type: Android Remote Access Trojan
  • Distribution: Disguised as PDF readers and Syrian government applications.
  • Capabilities: SMS interception, camera access, GPS tracking, call logging, file exfiltration, DDoS.
  • C2 Infrastructure: Utilizes Dynamic DNS (DDNS) aso.ddns.net resolving to Frankfurt-based infrastructure (45.74.4.179, 88.3.137.237).

Adwind / JanaWare

  • Type: Java RAT / Ransomware
  • Distribution: Phishing campaigns with geofencing checks (System Locale/IP).
  • Capabilities: Polymorphic code execution, ransomware payload delivery (JanaWare).
  • C2 Infrastructure: elementsplugin.duckdns.org (ports 49152, 49153).

Warlock (LockBit)

  • Type: Ransomware-as-a-Service (RaaS) Operator
  • TTPs: Web shells, tunneling, BYOVD (exploiting NSec driver), usage of TightVNC and Yuze for lateral movement.
  • Targeting: Technology, Manufacturing, Government, Education (US, DE, RU).

IOC Analysis

The provided IOCs span multiple vectors and call for different operational handling:

  • Network Indicators (Domains/IPs):
    • aso.ddns.net (ASO RAT) and elementsplugin.duckdns.org (Adwind) are dynamic DNS hostnames, which actors favor because the record can be re-pointed at new infrastructure without touching the malware. Sinkhole or block the FQDNs (and any label beneath them) rather than only the IPs they resolve to today, and re-resolve them on a schedule so the IP blocklist follows the record.
    • IPs 45.74.4.179 and 88.3.137.237 should be blocked at the perimeter, with the caveat that DDNS records move; treat a new resolution of the same hostname as a new indicator.
  • File Hashes (MD5/SHA1/SHA256):
    • A mix of MD5 (ASO, Adwind) and SHA256 (Warlock) hashes is provided.
    • Operationalization: Load the hashes into the EDR's custom indicator (block/quarantine) list, keeping each value in the list for its own algorithm; an MD5 placed in a SHA256 list silently never matches. Adwind is polymorphic, so hash matching will miss fresh samples and the behavioral detections below carry the real weight.
  • Vulnerabilities (CVEs):
    • CVE-2023-44487 (HTTP/2 Rapid Reset) and CVE-2025-23419 are referenced in the ASO RAT context. Rapid Reset is a server-side denial-of-service weakness, which fits the pulse's DDoS capability and the actor's own hosting better than client-side exploitation; treat both CVEs as infrastructure context rather than as patches to push to the victim fleet, unless the affected server software runs in your own environment.
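
The matching logic the bullets above describe, as an added example that is not part of the original post: hashes are bucketed by algorithm before lookup, DDNS hostnames match as exact FQDNs or as parents of a longer name, and two constructed Zeek-style logs (not real traffic; only the domains, IPs and hashes come from the report) show the three cases a hunter cares about: a lookup of the C2 name, a lookup of some other name that resolves to a C2 IP, and a direct connection that never used DNS.

```python
"""Atomic IOC matching for the indicators in this report (added example, not
from the original post). Log lines are constructed in a Zeek-like
tab-separated layout; only the domains, IPs and hashes come from the report."""
import re

C2_DOMAINS = {"aso.ddns.net": "ASO RAT", "elementsplugin.duckdns.org": "Adwind/JanaWare"}
C2_IPS = {"45.74.4.179": "ASO RAT", "88.3.137.237": "ASO RAT"}
RAW_HASHES = {
    "31514358bf684a1e466a9e8069c11031": "ASO RAT",
    "b3e706ba673cfeb9d205fb97b0ac624c": "ASO RAT",
    "4f0444e11633a331eddb0deeec17fd69": "Adwind/JanaWare",
    "b2d5bbf7746c2cb87d5505ced8d6c4c6": "Adwind/JanaWare",
    "206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261": "Warlock",
    "34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4": "Warlock",
}
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> algorithm


def classify_hashes(raw):
    """Bucket hashes by algorithm (inferred from hex length) and lowercase them.
    An MD5 loaded into a SHA256 indicator list never matches and raises no
    error, so the split has to happen before the list goes into the EDR."""
    buckets = {algo: {} for algo in HASH_ALGOS.values()}
    for value, label in raw.items():
        value = value.strip().lower()
        if len(value) not in HASH_ALGOS or not re.fullmatch(r"[0-9a-f]+", value):
            raise ValueError(f"not a recognised hash: {value!r}")
        buckets[HASH_ALGOS[len(value)]][value] = label
    return buckets


HASHES = classify_hashes(RAW_HASHES)


def lookup_hash(value):
    """Return (algorithm, campaign) for a hash reported by an EDR, or None."""
    value = value.strip().lower()
    algo = HASH_ALGOS.get(len(value))
    if algo and value in HASHES[algo]:
        return algo, HASHES[algo][value]
    return None


def match_domain(fqdn):
    """Exact FQDN or any label beneath it: DDNS tenants add subdomains freely."""
    fqdn = fqdn.rstrip(".").lower()
    for domain, label in C2_DOMAINS.items():
        if fqdn == domain or fqdn.endswith("." + domain):
            return label
    return None


def _records(lines, width):
    """Yield tab-separated records of the expected width, skipping Zeek '#' header lines."""
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) == width and not fields[0].startswith("#"):
            yield fields


def scan_dns_log(lines):
    """Fields: ts, orig_h, query, answer. Flags a query for a C2 name and, separately,
    an answer that resolves to a C2 IP under another name, which is what a freshly
    re-pointed DDNS record looks like before the new hostname is on any blocklist."""
    hits = []
    for ts, orig_h, query, answer in _records(lines, 4):
        if (label := match_domain(query)):
            hits.append((orig_h, "domain", query, label))
        elif (label := C2_IPS.get(answer)):
            hits.append((orig_h, "resolved_ip", f"{query} -> {answer}", label))
    return hits


def scan_conn_log(lines):
    """Fields: ts, orig_h, resp_h, resp_p. Raw IP matching catches clients that skipped
    DNS (hard-coded address, hosts-file entry) and so never appear in the DNS hits."""
    hits = []
    for ts, orig_h, resp_h, resp_p in _records(lines, 4):
        if (label := C2_IPS.get(resp_h)):
            hits.append((orig_h, "ip", f"{resp_h}:{resp_p}", label))
    return hits


# Constructed sample logs, not real traffic: 10.0.0.5 looks up a name under the ASO RAT
# DDNS host, 10.0.0.7 looks up an unrelated name that resolves to a C2 IP, and 10.0.0.9
# connects straight to a C2 IP with no DNS lookup at all.
SAMPLE_DNS = [
    "#fields\tts\torig_h\tquery\tanswer",
    "1776300000.1\t10.0.0.5\tupdate.aso.ddns.net\t45.74.4.179",
    "1776300001.2\t10.0.0.6\twww.example.com\t93.184.216.34",
    "1776300002.3\t10.0.0.7\tcdn-static.example.net\t88.3.137.237",
]
SAMPLE_CONN = [
    "1776300003.4\t10.0.0.9\t88.3.137.237\t443",
    "1776300004.5\t10.0.0.6\t93.184.216.34\t443",
]
```

Running `scan_dns_log(SAMPLE_DNS)` returns the 10.0.0.5 and 10.0.0.7 hits and `scan_conn_log(SAMPLE_CONN)` the 10.0.0.9 hit; `lookup_hash` accepts the uppercase form an EDR typically emits. The second DNS case is the one a pure hostname blocklist misses, and the conn case is the one a pure DNS feed misses, which is why the report asks for both domain and IP controls.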

Detection Engineering

Sigma Rules

YAML
title: Potential Adwind RAT Java Execution
id: 8c7d8a9e-1f0b-4d3e-9a2b-8c6d7e5f4a3b
description: Detects java.exe or javaw.exe spawning a command shell or PowerShell, a common behavior of Adwind RAT and its JanaWare delivery stage. The Java process is the parent and the shell is the child, so the rule matches on ParentImage and Image rather than on Java's own command line.
status: experimental
date: 2026/04/16
author: Security Arsenal
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\java.exe'
      - '\javaw.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Build tooling (Gradle, Maven, Jenkins agents) that shells out from Java; filter on ParentCommandLine for known build paths
level: high
---
title: Warlock BYOVD NSec Driver Load
id: 9e8d7a6c-2e1a-5f4b-0b3c-9d8e7f6a5b4c
description: Detects the loading of nssec.sys (referred to as the NSec driver in the pulse), a vulnerable signed driver abused by the Warlock ransomware group in BYOVD attacks to terminate security processes. The driver carries a valid signature, so signature enforcement alone does not block it. This rule matches on file name only; the file can be renamed, so pair it with the driver's hash or signer where the log source provides them.
status: experimental
date: 2026/04/16
author: Security Arsenal
tags:
  - attack.privilege_escalation
  - attack.t1068
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: driver_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith: '\nssec.sys'
  condition: selection
falsepositives:
  - Rare; a legitimate product that ships a driver with this file name would need an explicit allowlist entry
level: critical
---
title: TightVNC Execution in Suspicious Context
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects execution of TightVNC (tvnserver.exe / tvnviewer.exe) from outside the standard installation directories, used by Warlock actors for lateral movement and persistence. The path filter applies to the executable path (Image), not the command line. Renamed binaries are not caught; add OriginalFileName to the selection if the log source carries it.
status: experimental
date: 2026/04/16
author: Security Arsenal
tags:
  - attack.lateral_movement
  - attack.t1021.005
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    Image|endswith:
      - '\tvnserver.exe'
      - '\tvnviewer.exe'
  filter_installed:
    Image|startswith:
      - 'C:\Program Files\'
      - 'C:\Program Files (x86)\'
  condition: selection_image and not filter_installed
falsepositives:
  - User-installed portable apps in non-standard directories
level: medium
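
The three rule conditions above, written as plain functions and run over constructed Sysmon-style events, as an added example that is not part of the original post or of any Sigma toolchain. The events are made up to give one true positive and one near-miss per rule. It also includes `draft_java_rule`, a variant that puts Java in Image and searches Java's own command line for "cmd.exe": that variant fires on a harmless Java invocation and misses the actual shell spawn, which is the point of matching on the parent/child pair.

```python
"""Behavioral rule logic for this report's three Sigma rules, evaluated over
constructed Sysmon-like events (added example, not from the original post)."""

JAVA = ("\\java.exe", "\\javaw.exe")
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
VNC = ("\\tvnserver.exe", "\\tvnviewer.exe")
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def _f(ev, key):
    """Lower-cased field value, empty when the event type lacks that field."""
    return str(ev.get(key, "")).lower()


def java_spawns_shell(ev):
    """Parent is Java, child is a shell. The shell is its own process_creation
    event: Image is the shell, ParentImage is java.exe/javaw.exe."""
    return (ev.get("EventType") == "process_creation"
            and _f(ev, "ParentImage").endswith(JAVA)
            and _f(ev, "Image").endswith(SHELLS))


def draft_java_rule(ev):
    """What NOT to do: Java as Image with 'cmd.exe' in Java's own command line.
    Kept only to show which events it hits and which it misses."""
    cmdline = _f(ev, "CommandLine")
    return (ev.get("EventType") == "process_creation"
            and _f(ev, "Image").endswith(JAVA)
            and any(s in cmdline for s in ("cmd.exe", "powershell.exe", "/c")))


def nssec_driver_load(ev):
    """Driver load of nssec.sys from any path; BYOVD tooling rarely uses System32\\drivers."""
    return (ev.get("EventType") == "driver_load"
            and _f(ev, "ImageLoaded").endswith("\\nssec.sys"))


def vnc_outside_program_files(ev):
    """TightVNC binaries whose executable path is outside the standard install roots.
    The filter is on Image: a command line can mention Program Files without living there."""
    image = _f(ev, "Image")
    return (ev.get("EventType") == "process_creation"
            and image.endswith(VNC)
            and not image.startswith(INSTALL_ROOTS))


RULES = {
    "Potential Adwind RAT Java Execution": java_spawns_shell,
    "Warlock BYOVD NSec Driver Load": nssec_driver_load,
    "TightVNC Execution in Suspicious Context": vnc_outside_program_files,
}


def evaluate(events, rules=RULES):
    """Return [(event Id, rule title)] for every rule each event triggers."""
    return [(ev["Id"], title) for ev in events for title, rule in rules.items() if rule(ev)]


# Constructed Sysmon-like events, not from a real host.
EVENTS = [
    # 1: javaw.exe launching cmd.exe -> Java rule true positive
    {"Id": 1, "EventType": "process_creation",
     "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage.vbs"'},
    # 2: java.exe whose own arguments mention cmd.exe but that spawns nothing -> no alert
    {"Id": 2, "EventType": "process_creation",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Java\jdk\bin\java.exe",
     "CommandLine": r"java.exe -jar build.jar --shell=cmd.exe"},
    # 3: nssec.sys loaded from a user-writable directory -> driver rule
    {"Id": 3, "EventType": "driver_load", "ImageLoaded": r"C:\Users\Public\nssec.sys"},
    # 4: tvnserver.exe running out of ProgramData -> VNC rule
    {"Id": 4, "EventType": "process_creation",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\ProgramData\tvnserver.exe",
     "CommandLine": r"C:\ProgramData\tvnserver.exe -service"},
    # 5: tvnserver.exe from its normal install path -> filtered out
    {"Id": 5, "EventType": "process_creation",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\TightVNC\tvnserver.exe",
     "CommandLine": r'"C:\Program Files\TightVNC\tvnserver.exe" -service'},
]
```

`evaluate(EVENTS)` yields alerts for events 1, 3 and 4 only. Swapping `draft_java_rule` in for the Java rule inverts the first two outcomes: event 2 (a harmless Java invocation) alerts and event 1 (the real shell spawn) does not, because the shell's command line belongs to the child event, not to Java's. The same parent/child distinction applies when porting the rule to Defender, where the parent is InitiatingProcessFileName and the child is FileName.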

KQL (Microsoft Sentinel / Defender Advanced Hunting)

KQL
// Hunt for ASO RAT / Adwind C2 infrastructure and for Java spawning a shell.
// The DDNS-provider match (*.duckdns.org, *.ddns.net) is deliberately broad: this is a
// hunting query, not an alert, and it will surface legitimate DDNS users for review.
let C2Domains = dynamic(["elementsplugin.duckdns.org", "aso.ddns.net"]);
let C2IPs = dynamic(["45.74.4.179", "88.3.137.237"]);
DeviceNetworkEvents
| where RemoteUrl in~ (C2Domains)
    or RemoteUrl endswith ".duckdns.org"
    or RemoteUrl endswith ".ddns.net"
    or RemoteIP in (C2IPs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| union (
    DeviceProcessEvents
    // The shell is the created process; Java is the initiating (parent) process.
    | where InitiatingProcessFileName in~ ("java.exe", "javaw.exe")
    | where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
    | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
)
| sort by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for ASO RAT, Adwind, and Warlock
# Run elevated: the driver and ProgramData checks need admin rights.
# Scope: scans the profile of the user running the script. For a fleet sweep run it as SYSTEM
# and loop over C:\Users\* instead of $env:USERPROFILE.

# Hashes are split by algorithm so each file is hashed once per algorithm and compared against
# the right list; an MD5 in a SHA256 list never matches.
$TargetMD5 = @(
    "31514358bf684a1e466a9e8069c11031", # ASO RAT
    "b3e706ba673cfeb9d205fb97b0ac624c", # ASO RAT
    "4f0444e11633a331eddb0deeec17fd69", # Adwind/JanaWare
    "b2d5bbf7746c2cb87d5505ced8d6c4c6"  # Adwind/JanaWare
)
$TargetSHA256 = @(
    "206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261", # Warlock
    "34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4"  # Warlock
)

# Get-Process exposes ProcessName without the .exe extension, so the list omits it;
# comparing against "tvnserver.exe" would never match.
$SuspiciousProcesses = @("tvnserver", "tvnviewer", "yuze")
$DriverName = "nssec.sys"
$DriverPath = "C:\Windows\System32\drivers\$DriverName"

Write-Host "[+] Starting IOC Hunt..." -ForegroundColor Cyan

# Check for Suspicious Processes
Write-Host "[ Checking for Suspicious Processes (Warlock Toolset) ]" -ForegroundColor Yellow
Get-Process | Where-Object { $SuspiciousProcesses -contains $_.ProcessName } |
    Select-Object ProcessName, Id, Path

# Check for NSec Driver (Warlock BYOVD): on disk in the default location, and registered as a
# driver service from any path, since BYOVD loaders usually drop the driver next to themselves.
Write-Host "[ Checking for NSec Driver (Warlock BYOVD) ]" -ForegroundColor Yellow
if (Test-Path $DriverPath) {
    Write-Host "[ALERT] $DriverName found at $DriverPath" -ForegroundColor Red
} else {
    Write-Host "[INFO] $DriverName not found in System32\drivers." -ForegroundColor Green
}
$DriverServices = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like "*\$DriverName" }
if ($DriverServices) {
    foreach ($Svc in $DriverServices) {
        Write-Host "[ALERT] Driver service '$($Svc.Name)' ($($Svc.State)) loads $($Svc.PathName)" -ForegroundColor Red
    }
} else {
    Write-Host "[INFO] No driver service references $DriverName." -ForegroundColor Green
}

# Scan common drop locations for file hashes.
# Note: a full-drive scan takes a long time; this covers the usual staging paths only.
Write-Host "[ Checking for Malware File Hashes ]" -ForegroundColor Yellow
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\AppData", "$env:TEMP", "C:\ProgramData")

foreach ($Path in $PathsToScan) {
    if (-not (Test-Path $Path)) { continue }
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        # -contains compares case-insensitively, so Get-FileHash's uppercase output matches the lists.
        $MD5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($TargetMD5 -contains $MD5) {
            Write-Host "[MATCH] MD5 $MD5 (ASO RAT / Adwind): $($_.FullName)" -ForegroundColor Red
        }
        $SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($TargetSHA256 -contains $SHA256) {
            Write-Host "[MATCH] SHA256 $SHA256 (Warlock): $($_.FullName)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Hunt Complete." -ForegroundColor Cyan


---

Response Priorities

Immediate

  • Network Blocking: Sinkhole or block all traffic to aso.ddns.net, elementsplugin.duckdns.org, and associated IPs (45.74.4.179, 88.3.137.237).
  • Driver Control: Block nssec.sys through the EDR or a WDAC deny rule and turn on the Microsoft vulnerable driver blocklist (memory integrity / "Core isolation" in Windows Security, or the WDAC recommended driver block rules). Driver signature enforcement on its own does not stop BYOVD: the abused driver carries a valid signature, which is the whole point of the technique.

24 Hours

  • Endpoint Sweep: Deploy the PowerShell script across the fleet to identify Warlock tools (TightVNC/Yuze) and the specific NSec driver.
  • Mobile Security: If operating in the target region (Syria/Turkey), push MDM policies to flag applications sideloaded outside official stores, specifically those posing as PDF readers.

1 Week

  • Java Hardening: Review and restrict Java execution policies on endpoints to prevent Adwind/JanaWare execution, particularly for users with high-risk internet exposure.
  • BYOVD Mitigation: Use Windows Defender Application Control (WDAC) for this rather than AppLocker; AppLocker governs user-mode executables, scripts and installers, not kernel drivers. Deploy the recommended driver block rules fleet-wide and, where the hardware supports it, enable memory integrity (HVCI) so the blocklist is enforced at load time.
