APT / THREAT GROUP

Janicab

3 aliases
Last seen: Mar 17, 2026

Intelligence Profile

According to Patrick Wardle, this malware persists a Python script as a cron job.

Steps:

1. The Python installer first saves any existing cron jobs into a temporary file named '/tmp/dump'.

2. It appends its new job to this file.

3. Once the new cron job has been added, 'python (~/.t/runner.pyc)' runs every minute.
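
A detection sketch for the persistence steps above, added here as an example (it is not code from this profile or from Patrick Wardle's analysis): it flags crontab entries that run Python on a file in a hidden home-directory folder every minute and checks for the leftover '/tmp/dump' staging file. The function names, the regular expression and the sample crontab are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Staging file named in the steps above.
STAGING_FILE = Path("/tmp/dump")

# Command shape (assumed generalization): a python interpreter running a
# .py/.pyc file under a hidden directory in a home folder, e.g. ~/.t/runner.pyc
HIDDEN_PY = re.compile(
    r"\bpython[\d.]*\s+(?:~|\$HOME|/Users/[^/\s]+|/home/[^/\s]+)"
    r"/\.[^/\s]+/\S+\.pyc?\b"
)

def is_every_minute(fields):
    """True when all five schedule fields are '*' (or the equivalent '*/1')."""
    return all(f in ("*", "*/1") for f in fields)

def suspicious_cron_lines(crontab_text):
    """Return crontab lines that run hidden-directory Python every minute."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:  # env assignment or @reboot-style entry
            continue
        if is_every_minute(parts[:5]) and HIDDEN_PY.search(parts[5]):
            hits.append(line)
    return hits

def staging_file_present(path=STAGING_FILE):
    """True when the temporary crontab dump is still on disk."""
    return Path(path).is_file()

# Constructed sample crontab (output of `crontab -l` on a test account).
SAMPLE = """\
# nightly backup
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
* * * * * python ~/.t/runner.pyc
*/5 * * * * python3 /opt/app/poll.py
"""

if __name__ == "__main__":
    for hit in suspicious_cron_lines(SAMPLE):
        print("suspicious:", hit)
    print("staging file present:", staging_file_present())
```

On a live host, feed the function the output of `crontab -l` for each user account rather than the sample string.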

Threat Analysis

Janicab is a threat actor of undetermined national origin engaged in cyber operations; its primary motivation is unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 3

Also Known As

Janicab, osx.janicab, vbs.janicab

External Intelligence

Malpedia: vbs.janicab

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.