JustAskJacky
JustAskJacky is a family of malicious NodeJS applications that masquerade as helpful AI tools or utility applications while performing undisclosed malicious activity in the background. It is described as a trojan horse because the lure application typically retains the advertised functionality and returns results to the user, while also conducting reconnaissance and executing arbitrary commands in memory on the victim system. Red Canary tracks this malware family under multiple lure names, including AllManualsReader, AskBetty, and HowManualReader. JustAskJacky is typically introduced through seemingly legitimate online installers for AI or utility tools. For persistence, the installers create scheduled tasks using schtasks.exe in the AppData directory. The malware communicates with remote command-and-control infrastructure using DGA-like domains. Observed samples have also shown evidence of cryptomining code being delivered and executed in memory. The detection opportunity specifically mentioned is monitoring for scheduled task creation in AppData via schtasks.exe. The source reports that JustAskJacky was the most prevalent threat observed in October 2025.
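The schtasks.exe-in-AppData detection opportunity described above, written out as an added example (not code from Red Canary or from this page): a Python check over constructed process-creation events that flags a schtasks.exe /create whose task action points into the user's AppData profile. The event field names and sample command lines are assumptions made for the example.

```python
import re

# Constructed process-creation events (sample data, not from the page); the field
# names mimic a typical EDR/Sysmon export of image, parent image and command line.
EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\AllManualsReader-Setup.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn "ReaderUpdate" '
                r'/tr "C:\Users\alice\AppData\Roaming\AllManualsReader\node.exe app.js" /f'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks.exe /query /tn "ReaderUpdate"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'schtasks.exe /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"'},
]

# Extract the value of /tr (task action) and /tn (task name), quoted or bare.
_TR = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_TN = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# User-writable profile locations an installer-dropped task action would point at.
_APPDATA = re.compile(r'(\\AppData\\|%(?:LOCAL)?APPDATA%)', re.IGNORECASE)


def _arg(pattern, cmdline):
    m = pattern.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def detect_appdata_tasks(events):
    """Return one alert per schtasks.exe /create whose task action runs from AppData."""
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith(r"\schtasks.exe"):
            continue
        cmd = ev["cmdline"]
        if not re.search(r"(^|\s)/create(\s|$)", cmd, re.IGNORECASE):
            continue  # queries, deletes and runs are not the persistence event
        action = _arg(_TR, cmd)
        if action and _APPDATA.search(action):
            alerts.append({
                "task_name": _arg(_TN, cmd),
                "action": action,
                "parent": ev["parent"],
                # A parent that itself runs from AppData (the dropped installer) raises confidence.
                "parent_in_appdata": bool(_APPDATA.search(ev["parent"])),
            })
    return alerts
```

Legitimate per-user installers also register tasks from AppData, so the alert is a hunting lead to be tuned against known software rather than a standalone block rule.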
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 1 technique
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
JustAskJacky is a family of malicious NodeJS applications that disguise themselves as AI or utility tools, performing reconnaissance and executing arbitrary commands in memory.
Family of malicious NodeJS applications that masquerade as helpful AI or utility tools while conducting reconnaissance and executing arbitrary commands in memory in the background. It establishes persistence via scheduled tasks and can receive and execute arbitrary JavaScript from its C2, including cryptomining payloads.