Remove Jhone Trojan From Your PC

Remove Jhone Trojan From Your PC

Jhone Trojan imageWhat is Jhone? How to remove Jhone Trojan from your PC or Mac?

The Jhone Trojan is a dangerous Trojan that takes advantage of multiple cloud infrastructure to operate. It is being launched in a targeted attack campaign against targets in Middle Eastern countries. It features advanced infection capabilities and can cause a lot of damage to affected hosts. Read our article to learn what the Jhone Trojan is capable of and to read instructions on safely removing active infection.

Threat Summary

NameJhone Trojan
TypeTrojan Malware
Short DescriptionA very dangerous banking Trojan capable of overtaking control of the machines.
SymptomsThe victims may notice performance issues and can get infected with other malware.
Distribution MethodMainly infected documents and files
Detection Tool See If Your System Has Been Affected by Jhone Trojan


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Jhone Trojan.

The Jhone Trojan is a dangerous malicious infection which is currently spread in the Middle East and being spread by an unknown hacking group. We don’t know details about them however it is assumed that they are experienced to have created the dangerous code from scratch or based on one of the famous “bases” which can be acquired from the underground markets. The attacks are categorized as targeted — they will implement a keyboard layout check and will use network lookup in order to blacklist the cloud services that check for abuse.

The Jhone Trojan is currently set against victims located in the following countries: Egypt, Iraq, Libya, Algeria, Morocco, Oman, Tunisia, Syria, Yemen, UAE, Kuwait, Bahrain and Lebanon. The start of the attack campaign has been traced back to November 2019.

The main delivery technique used at the moment by the hacking group is a dangerous document files — popular examples includes spreadsheets, text files, databases and presentations. They include malicious macros that will request the execution of the built-in code by the users — the prompt will ask for this to be done by stating that this is required in order to access the contents.

The sending of the documents depend on the use of clever phishing campaigns — an example file will be called Urgent.docx and it may include contents in English or Arabic. The files are hosted on Google Drive in order to avoid blacklisting — the uploading of such data to this cloud will not raise suspicion that they may be actually malware.

Jhone Trojan infections are caused mainly by Microsoft Office documents however there are several different types which are used to deliver the threat. The first ones which which were spread in the first campaigns carried the Urgent.docx names and were written in both English and Arabic. They require the enabling of the built-in macros in order to view the contained within message. However as this copies other ransomware the hackers behind the Jhone Trojan prepared another set of documents — fb.docx which allegedly contain hijacked Facebook usernames and passwords. Another tactic used by the hackers is to impersonate an United Arab Emirates organization and send fake documents branded as important company notifications.

Related: Iranian Hacker Groups and Their Tactics: How They Intrude Into Our Computers

The actual Jhone Trojan is written in Python which allows the hackers to easily modify its core at will by both changing the main code, as well as allowing external components to be run.

Infections with this malware will begin by following a built-in sequence of malware commands. One of the first actions which are started will be to harvest sensitive data from the computer. This includes a detailed report on the installed hardware components including the installed hard drives (and their serial numbers), details about the operating system in use and etc. The hijacked data will then be relayed using a Trojan module — it will establish a secure connection to a special hacker-controlled server and allow the criminals to receive the information. The commands are checked via a special Twitter profile which is used to relay the commands. During the information gathering phase an unique ID will be created for each affected computer, this number will be relayed to the criminals as well .

Related: Large List of Hijacked IoT Data Leaked On The Internet

A distinct part of the Jhone Trojan infection is the data theft mechanism which is used to hijack sensitive data and files from the computers. Instead of using the network connection used during the information gathering the hackers have implemented a different mechanism — the uploading of the data to cloud service hosting providers — ImgBB, Google Drive and Forms. This is done by following a scheme — screenshots are uploaded to ImgBB, binaries to Drive and the actual commands are executed from Forms data.

At the moment some of the Twitter profiles used by the hackers to command the Jhone Trojan are blocked. We anticipate that the code will soon be updated with new instructions which will reactivate the attack campaign.

How to Remove Jhone Trojan

In order to fully remove Jhone from your computer system, we recommend that you follow the removal instructions underneath this article. If the first two manual removal steps do not seem to work and you still see Jhone or programs, related to it, we suggest what most security experts advise – to download and run a scan of your comptuer with a reputable anti-malware program. Downloading this software will not only save you some time, but will remove all of Jhone files and programs related to it and will protect your computer against such intrusive apps and malware in the future.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share