TONEDEAF is a backdoor Trojan that uses the LinkedIn network to reach its victims. It also means that people install this infection on their computers willingly, but it is very likely that they are not aware of the fact because the installer file doesn’t look dangerous at all.

We believe that it is extremely important to employ regular system scans in order to detect TONEDEAF and other similar infections as soon as possible. Then, you will be able to remove them all at once. If manual removal is not your cup of tea, you can always terminate the infection with a legitimate antispyware tool.

Where does TONEDEAF come from?

According to extensive research, TONEDEAF was created by an Iranian threat actor APT34. The infection is distributed through a certain campaign that comes with specific features. First, as mentioned, the threat actor uses LinkedIn to deliver the malware installer. To make users think that the messages are delivered by reliable sources, these criminals masquerade as members of Cambridge University. Seeing the name of a reputable university would definitely make the victim think the message has something substantial to say.

When users receive the message via LinkedIn that tries to infect them with TONEDEAF, that message says that the sender is really busy at the moment, and the sender asks the targeted user to check the details of an Excel sheet. If the targeted user downloads the file and opens it, the backdoor gets installed on the target system.

As far as we know, APT34 uses TONEDEAF to target several industries, including energy, oil and gas, and government organizations. This means that those industries and organizations have to place importance on cybersecurity, and they have to educate their staff about it. It shouldn’t be that hard to avoid TONEDEAF and other similar threats, but there are users who always prove to be too gullible, and malware manages to find its way in.

What does TONEDEAF do?

When the malicious file enters the target system, it drops another file System.doc into the %USERPROFILE% directory. After that, it renames the file to System Manager.exe. The infection then establishes a connection with its C2 server through your bandwidth. As far as the research shows, the infection’s server is located at Of course, the infected users are not aware of the connection, and they wouldn’t be able to trace it back to the C2 unless they are security experts. But here we need security experts to help us deal with this infection because it is serious enough.

Now, what happens when TONEDEAF is all set up? Clearly, since the infection is a backdoor, it provides access to the affected system. Such infection often has wide functionality, and the things it does depends on the people who control it over the C2.  For instance, we know that this infection can collect system information; it can download and upload files, and execute shell commands.

Since it can download and upload files, it means that all the information TONEDEAF collects on your computer can be transferred over to its C2. Then, it can download more files onto the affected computer, depending on what its owners want it to do. Thus, it wouldn’t be surprising if this backdoor infected the compromised computer or even the entire network with other malware.

How do I remove TONEDEAF?

Keeping in mind how dangerous backdoors are, you need to remove TONEDEAF immediately. Of course, it might not be evident that this infection is present, so regular system scans with security tools is a must, especially if you are managing a big computer network at an organization.

It is possible to remove TONEDEAF manually, but it is not recommended unless you are an experienced computer user. If you are not the tech person at your company, perhaps you should leave it either to a professional or to an automated malware removal tool.

Investing in a security tool is always a good idea because you would also protect your system from similar intruders. However, do not forget that the way you respond to social engineering and spam messages is also important. One second of negligence could result in something more dangerous than TONEDEAF, so always be wary of unfamiliar content.

Manual TONEDEAF Removal

  1. Press Win+R and type %USERPROFILE%. Click OK.
  2. Go to .templates.
  3. Delete the System.doc and System Manager.exe files.
  4. Remove the ERFT-Details.xls from the Downloads directory.
  5. Scan your system with SpyHunter. 100% FREE spyware scan and
    tested removal of TONEDEAF*

Leave a Comment

Enter the numbers in the box to the right *