Danger level 7
Type: Backdoors


Lately, there has been lots of new malicious applications that were created for stealing sensitive information from government institutions, and it looks like TONEDEAF is one of them. The malware seems to be created by Iranian hackers known as APT34. Cybersecurity experts say that this time the cybercriminals found a way to gain their victims trust while contacting them through LinkedIn. To learn how the hackers tricked them into installing the malware and what the threat does once it appears on a system, you should continue reading our article. A bit below the text, we present instructions that explain how one could erase TONEDEAF manually. Nonetheless, we do not recommend using them if you are inexperienced. In such a case, it would be safer to leave this task to a reliable antimalware tool.

First, let us begin with explaining how the malware creators might make their targeted victims install TONEDEAF without even realizing it. As mentioned earlier, the hackers behind the malicious application are using LinkedIn to contact victims. The cybercriminals make it look as if they are trustworthy by pretending to be working for Cambridge University. After contacting the victim, the malware’s developers should send him a message containing a link leading to what it might seem to be a research paper. As you see, if you do not know exact Cambridge University’s websites link, the hacker’s link might look close enough. This is what the cybercriminals’ link might look like: cam-research-ac[.]com/Documents.

The hackers may also have another strategy. For example, some of the hackers’ messages might talk about a job opportunity. The last of their message might say that the person (pretending to work for Cambridge University or any other reputable institution) is very busy and that the message’s receiver can learn more details by opening a provided link. However, if a victim does so, he might receive a malicious .xls file. Provided the victim opens this .xls document, it should drop a file called System.doc in the %USERPROFILE%\.templates directory. After some time TONEDEAF should rename System.doc into System Manager.exe. Also, it is possible that instead of renaming it, the threat could drop a second file with a mentioned title, so %USERPROFILE%\.templates might contain both of these files.

It would seem once the malware gets installed, it should be able to connect to the Internet without permission as well as restart with the operating system automatically. The hackers behind TONEDEAF were noticed to be targeting Energy and Utilities, Government, and Oil and Gas industries. It is most likely that the malicious application is used for spying and gathering sensitive information. The malware could send every piece of information that gets recorded to the server it ought to communicate with. Besides receiving stolen sensitive data, hackers could also use this connection to make malware perform other tasks. Usually, backdoor threats can also download other malware on a system or even interrupt a victim's work by activating a device the sleep mode, deleting files from a computer, and so on. However, so far it looks like the cybercriminals behind TONEDEAF are only interested in obtaining valuable information.

Since it can work silently without the user noticing anything, TONEDEAF can stay on an infected device for long. Especially if its owner does not suspect anything and does not check for such malware. Obviously, the longer the threat stays on, the more sensitive data it could be recording for cybercriminals. Therefore, it is vital to get rid of it as soon as possible. Also, to avoid such malicious applications in the future, it is crucial to strengthen the system. Plus, in this case, targeted companies should educate their employees so they could recognize and avoid such attacks.

The instructions below show how it might be possible to delete TONEDEAF. There is a possibility that completing the instructions may not eliminate the threat because it could have other versions that may drop more files or place data in different locations. Thus, probably the safest option in this situation is to use a reliable antimalware tool. Of course, if you have technicians that can deal with such malware, you should leave this task to them.


  1. Click Ctrl+Alt+Delete.
  2. Choose Task Manager and select Processes.
  3. Find a process belonging to the threat.
  4. Mark it and click End Task.
  5. Exit Task Manager.
  6. Click Win+E.
  7. Find these paths:
  8. Locate the malicious .xls file (e.g., ERFT-Details.xls), right-click it, and select Delete.
  9. Find this location: %USERPROFILE%\.templates
  10. Look for files called System.doc and System Manager.exe, right-click them, and select Delete.
  11. Exit File Explorer.
  12. Empty Recycle Bin.
  13. Restart the computer.
Download Spyware Removal Tool to Remove* TONEDEAF
  • Quick & tested solution for TONEDEAF removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.