APT / THREAT GROUP
Janicab
Aliases: 3
Last seen: Mar 17, 2026
Intelligence Profile
According to Patrick Wardle, this malware persists a Python script as a cron job.
Steps:
1. The Python installer first saves any existing cron jobs to a temporary file named '/tmp/dump'.
2. It appends its new job to this file.
3. Once the new cron job has been added, 'python (~/.t/runner.pyc)' runs every minute.
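A detection sketch for the cron persistence described in the steps above, added here as an example and not taken from Wardle's analysis or from the malware itself. The sample crontab, the function names and the scoring threshold are assumptions made for illustration.

```python
import re

# Constructed sample of `crontab -l` output; the last job mirrors the one described above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * python3 /opt/monitor/check.py
* * * * * python ~/.t/runner.pyc
"""

HIDDEN_DIR = re.compile(r"(^|/)\.[^/.][^/]*/")  # a directory component starting with a dot
PYTHON_BIN = re.compile(r"(^|/)python[\d.]*$")  # python, python3, /usr/bin/python2.7, ...

def parse_jobs(crontab_text):
    """Yield (schedule, argv) per five-field job; skips comments, env lines and @-shortcuts."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6 or "=" in fields[0]:
            continue
        yield " ".join(fields[:5]), fields[5].split()

def score_job(schedule, argv):
    """Return the list of traits this job shares with the persistence pattern."""
    reasons = []
    if schedule == "* * * * *":
        reasons.append("runs every minute")
    if argv and PYTHON_BIN.search(argv[0]):
        reasons.append("invokes python")
    for arg in argv[1:]:
        if arg.endswith((".pyc", ".pyo")):
            reasons.append("compiled bytecode target")
        if HIDDEN_DIR.search(arg):
            reasons.append("target in hidden directory")
    return reasons

def suspicious_jobs(crontab_text, threshold=3):
    """Flag jobs matching at least `threshold` traits (assumed cut-off, tune per fleet)."""
    hits = []
    for schedule, argv in parse_jobs(crontab_text):
        reasons = score_job(schedule, argv)
        if len(reasons) >= threshold:
            hits.append((" ".join(argv), reasons))
    return hits

if __name__ == "__main__":
    for command, reasons in suspicious_jobs(SAMPLE_CRONTAB):
        print(command, "->", ", ".join(reasons))
```

Feed it each user's `crontab -l` output; a leftover '/tmp/dump' file holding a copy of the crontab is a separate artifact worth checking alongside any hit.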
Threat Analysis
Janicab is a threat actor of undetermined national origin engaged in cyber operations; its primary motivation and activity patterns are unknown.
Quick Facts
Type: APT / Threat Group
Aliases: 3
Also Known As
Janicab, osx.janicab, vbs.janicab
External Intelligence
Malpedia: vbs.janicab
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.