JustAskJacky

Using several names and lures, JustAskJacky is a working AI chatbot with hidden functionality and mysterious goals.

Overall rank: #2

Customers affected: 7.4%

Analysis

JustAskJacky appeared on the scene halfway through 2025, though Red Canary found related samples going back to December 2024 under other lure names. It is typically introduced as a seemingly legitimate AI tool or utility application that carries additional functionality for remotely executing encoded commands. Like a true trojan horse, JustAskJacky is deceptive precisely because it does what it claims to do: users can interact with the downloaded AI tool or utility, and it returns results.

Despite its remote execution functionality, Red Canary has not observed follow-on activity beyond the initial installer other than several reconnaissance commands, which likely allow the adversaries to select victims for the next stages of the intrusion chain.

JustAskJacky was one of several Node.js-based trojans that made headlines during June and July 2025, which led to some confusion with another threat in our top 10, Tampered Chef. Our malware analysis identified them as distinct threats: we found no overlap in JavaScript files or file signers.

Jacky introduces some new friends

Over the past year, JustAskJacky expanded to include some AI helper friends (Betty, Bobby, and Gilbert) and also offered help to those looking for product manuals online. In fact, we’ve been tracking over a dozen different lure names under the family of malware we collectively call JustAskJacky. PDF and manual filename lures are not exclusive to JustAskJacky, nor is the use of Node.js for malicious code, which can make these threats hard to distinguish without digging into the malicious code itself.

Filenames for JustAskJacky variants
AI “helper” theme
  • GoAskBobby.exe
  • CheckWithGilbert.exe
  • JustAskJacky.exe
  • AskBettyHow.exe
Manuals theme
  • allmanualsreader.exe
  • bestusermanual.exe
  • manualshq.exe
  • manualreaderpro.exe
  • openmymanual.exe
Misc.
  • classicsudoku.exe
  • Turbofixpdf.exe

Due to the nature of the lure names and the distribution method, we assess JustAskJacky to be an opportunistic threat rather than a targeted one; we saw it across industries in our customer base.

Malware details

[Figure: JustAskJacky execution process]

The initial file download is a signed Inno Setup installer, and regardless of the actual lure name or purported functionality, the code behaves the same way:

  • node.exe attempts to execute a JavaScript file from an unusual directory. The directory often matches the installer lure name, and the JS file has a GUID-like filename.
    • For example (cmd.exe spawning node.exe): cmd.exe node.exe C:\Users\username\AppData\Local\Programs\ManualReaderPro\24c92c24-5c4e-451a-8885-9509dc69ab38.js
  • The installer creates a scheduled task for persistence by importing a task XML file; the task executes node.exe with the JavaScript file as its argument.
    • For example: cmd.exe /C schtasks /Create /tn "24c92c24-5c4e-451a-8885-9509dc69ab38" /xml "C:\users\username\AppData\Local\Temp\is-ULLR6.tmp\task.xml"
  • node.exe queries the system’s MachineGUID and OS version and sends them to a remote command and control (C2) framework. The C2 infrastructure is often hosted via dynamic DNS, and the hostnames can look like domain generation algorithm (DGA) output, such as api.cjby76nlcynrc4jvrb[.]com.
  • The GUID-named JS file is obfuscated with obfuscator.io, a web-based JavaScript obfuscator that anyone can paste code into.
  • After deobfuscation, the code reveals that it can receive Base64- and XOR-encoded JavaScript in the response to its heartbeat (a check-in made at regular intervals) and execute it via eval(). That second-stage code is never written to disk, so file-based scanning of the install directory will not surface it; process and network telemetry will.
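The last bullet describes a fileless second stage: a Base64- and XOR-encoded script arrives in the heartbeat response and goes straight to eval(). The following is an added example, not code from Red Canary’s analysis or from the malware itself, showing how an analyst would recover such a stage from a captured response once the key is known, and how a known-plaintext crib recovers a short repeating XOR key when it is not. The decode order (Base64 first, then XOR), the key jacky, its length, and the sample stage are all assumptions constructed for the illustration.

```python
import base64
import re
from typing import Optional

# Assumed stage format (an illustration, not a detail reported in the analysis):
# the heartbeat response is Base64 text; decoding it yields bytes XOR-ed with a
# short repeating key; the plaintext is JavaScript handed to eval().
XOR_KEY = b"jacky"  # hypothetical key, chosen here only for the constructed sample

# Constructed second stage standing in for the reconnaissance code a loader would eval().
SAMPLE_STAGE = (
    'const os = require("os");\n'
    'function recon() { return [os.hostname(), os.release()]; }\n'
    'recon();'
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR against a repeating key; the operation is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_stage(js: str, key: bytes = XOR_KEY) -> str:
    """Produce a payload in the assumed format (only needed to build test data)."""
    return base64.b64encode(xor_bytes(js.encode("utf-8"), key)).decode("ascii")


def decode_stage(payload: str, key: bytes) -> str:
    """Recover the JavaScript that one heartbeat response would hand to eval()."""
    raw = base64.b64decode(payload, validate=True)
    return xor_bytes(raw, key).decode("utf-8", errors="replace")


def looks_like_js(text: str) -> bool:
    """Plausibility check on a decode attempt: mostly printable and JS keywords present."""
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text) / max(len(text), 1)
    return printable > 0.95 and re.search(r"\b(require|function|eval|const|var)\b", text) is not None


def recover_key_by_crib(payload: str, crib: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key.

    If the decoded stage is believed to start with `crib` (e.g. b'const ' or
    b'require('), XOR-ing the first key_len ciphertext bytes with the crib yields
    the key; the candidate is accepted only if it decodes the whole payload to
    something that looks like JavaScript."""
    if len(crib) < key_len:
        return None
    raw = base64.b64decode(payload, validate=True)
    candidate = xor_bytes(raw[:key_len], crib[:key_len])
    decoded = xor_bytes(raw, candidate).decode("utf-8", errors="replace")
    return candidate if looks_like_js(decoded) else None


if __name__ == "__main__":
    payload = encode_stage(SAMPLE_STAGE)
    print("recovered key:", recover_key_by_crib(payload, b"const os", len(XOR_KEY)))
    print(decode_stage(payload, XOR_KEY))
```

The crib approach works because a stage that is eval()’d by a Node.js loader almost always opens with a predictable token (require, const, var, or a function wrapper); for a key shorter than the crib the first key_len bytes of keystream are recovered in one step, so no brute force is needed.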

Signed malware

JustAskJacky’s malicious functionality is particularly tricky to identify because its installers are signed with valid code-signing certificates, which often give tools an air of legitimacy. However, signed malware has become so common that volunteer efforts like Cert Central have started crowdsourcing reports of these abuses. Evaluating the legitimacy of a signer can be difficult, but a few key questions to answer during analysis include the following.

Has this certificate been used to sign multiple unrelated files and do those files have multiple names despite advertising the same functionality?

Some adversaries use the same certificate to sign malware files under a variety of lure names (e.g., BestPDF, LoveSudoku, or FreeVideoGame). The corollary also holds: if there are many BestPDF.exe files from multiple unrelated signers, it is likely the same adversary rotating to a new certificate while keeping the filename lure.

Do the signer name (generally a company name) and the filenames make sense together? Is the signer’s name overly vague?

There is sometimes a mismatch between the company name and the expected functionality of the file. (e.g., filename: FreePDF.exe, company name: Tina’s Turtles LLC).

If you search the signer name and get multiple results because it is so generic and none of them seem like they would have made this software, that is a red flag. The caveat to this is that many of these SEO schemes do come with very generic websites, so this requires some analyst judgement.

How new is the certificate?

Adversaries often obtain new certificates, sometimes under other organization names, when their existing certificates get revoked. Whereas legitimate companies often have years-old certificates with a consistent signer name, a very new certificate can indicate malicious activity.

While the answers to these questions likely won’t confirm malicious intent, combined with your organization’s risk tolerance and the context you have from the threat’s telemetry, signer information can help tip the scales on how much further you dig in.

Several of the code-signing certificates used on JustAskJacky installers were still within their validity dates when the installers were distributed; they were revoked afterward.

Revoked installer code-signing certificates

Issuer                                  Subject                      Valid from    Valid to      Thumbprint (SHA-1)
Sectigo Public Code Signing CA EV R36   App Interplace LLC           2025/01/22    2028/01/22    3ebbb02a48f7db26b708f5e535e8dce8eff2caea
Sectigo Public Code Signing CA EV R36   Pixel Catalyst Media LLC     2025/01/17    2028/01/17    2d4129109dbf921db0bc48d41da32da0ff1bf024
Sectigo Public Code Signing CA EV R36   Method Marketing Media LLC   2025/06/25    2026/06/25    5b036dad04db22e8560716deabc59a5e524b6be2
Sectigo Public Code Signing CA EV R36   Fusion Core Reach LLC        2025/03/14    2026/03/14    2b0a08ccefd7355207780ee21e69b8a7fa3c0750
Sectigo Public Code Signing CA EV R36   DataX Engine LLC             2024/07/19    2025/07/19    2df81ab14a5794f22722983ab3d8e8d7d643908b
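The three signer questions above can be run as heuristics over signing metadata before an analyst looks at any sample by hand. The following added example (not part of Red Canary’s analysis) does that over a constructed set of (filename, signer, certificate not-before, first seen) records. The signer names, filename pairings and dates are invented for the illustration and are not the certificates in the table above; the thresholds (three filenames per signer, two signers per filename, 90 days of certificate age) are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import date

# Constructed signing metadata in the shape an analyst might export from telemetry:
# (filename, signer subject, certificate not-before, date first seen signing that file).
# Signer names, filename pairings and dates are invented for this illustration.
SAMPLES = [
    ("JustAskJacky.exe",    "Blue Otter Media LLC",    date(2025, 1, 22), date(2025, 6, 3)),
    ("manualreaderpro.exe", "Blue Otter Media LLC",    date(2025, 1, 22), date(2025, 6, 9)),
    ("classicsudoku.exe",   "Blue Otter Media LLC",    date(2025, 1, 22), date(2025, 6, 20)),
    ("JustAskJacky.exe",    "Quartz Lane Apps LLC",    date(2025, 6, 25), date(2025, 7, 1)),
    ("JustAskJacky.exe",    "Harbor Signal Tools LLC", date(2025, 3, 14), date(2025, 4, 2)),
    ("exampleeditor.exe",   "Example Editor Co.",      date(2019, 8, 1),  date(2025, 5, 1)),  # benign control
]


def signer_fanout(rows, min_names=3):
    """Question 1: signers whose certificate appears on many differently named files."""
    names = defaultdict(set)
    for fname, signer, _, _ in rows:
        names[signer].add(fname.lower())
    return {s: sorted(n) for s, n in names.items() if len(n) >= min_names}


def filename_churn(rows, min_signers=2):
    """Question 1, corollary: filenames that show up under several unrelated signers."""
    signers = defaultdict(set)
    for fname, signer, _, _ in rows:
        signers[fname.lower()].add(signer)
    return {f: sorted(s) for f, s in signers.items() if len(s) >= min_signers}


def fresh_certs(rows, max_age_days=90):
    """Question 3: certificates that were only days or weeks old when first seen signing."""
    out = {}
    for fname, signer, not_before, first_seen in rows:
        age = (first_seen - not_before).days
        if age < max_age_days:
            out.setdefault(signer, []).append((fname, age))
    return out


def score(rows):
    """Per-signer count of red flags (0 to 3) from the three heuristics above."""
    fan, churn, fresh = signer_fanout(rows), filename_churn(rows), fresh_certs(rows)
    churned_signers = {s for signer_list in churn.values() for s in signer_list}
    return {signer: (signer in fan) + (signer in churned_signers) + (signer in fresh)
            for _, signer, _, _ in rows}


if __name__ == "__main__":
    for signer, flags in sorted(score(SAMPLES).items(), key=lambda kv: -kv[1]):
        print(f"{flags} flag(s): {signer}")
```

Question 2 (does the signer name fit the product, is it overly generic?) is left to the analyst: it is a judgement about naming, and as the text notes, many SEO-driven freeware schemes come with generic but plausible company names, so encoding it as a rule produces more noise than signal.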

Take action

Threats like JustAskJacky can be hard to mitigate. They don’t show their true nature right away, making them hard to distinguish from benign freeware installations. The best defense, though most challenging, is restricting application installs and downloads and providing users with known safe software for their job function.

Detection opportunities

Throughout the year we consistently saw JustAskJacky use a task.xml file to schedule a task, which provides a detection opportunity:

command_includes ('appdata\local')
&&
process == 'cmd.exe'
&&
child_process_command_includes ('schtasks' || '/create' || 'appdata\local' || '/xml')

JustAskJacky also utilizes unique naming structures that can be identified during detection and response.

For example, it uses a JavaScript file with a GUID-like name as the persistent beaconing file, and its C2 domains follow the pattern api[.]<18 random lowercase alphanumeric characters>[.]com, such as:

  • api[.]k2ioeasm874fnacr9x[.]com
  • api[.]j6vmldsufhwx8zn69z[.]com
  • api[.]vtqgo0729ilnmyxs9q[.]com
  • api[.]nk99s1s3zkutjlyodx[.]com
  • api[.]78kwijczjz0mcig0f0[.]com
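The following added example, not part of Red Canary’s original content, applies the detection opportunities in this section to constructed telemetry: the scheduled task rule above (tightened so that every token must appear in the child command line, since matching any one of them would fire on nearly every schtasks invocation), a check for node.exe loading a GUID-named .js from AppData\Local\Programs, and the api.<18 alphanumerics>.com domain pattern. The event shape, field names and benign control events are assumptions; the malicious command lines and domains are the ones quoted on this page.

```python
import re
from dataclasses import dataclass

# GUID-like basename ending in .js, preceded by a path separator.
GUID_JS = re.compile(r"[\\/][0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\.js\b", re.I)
# api.<18 lowercase alphanumerics>.com, the naming pattern observed for the C2 hosts.
C2_DOMAIN = re.compile(r"^api\.[a-z0-9]{18}\.com$")


@dataclass
class ProcessEvent:
    """Minimal parent/child process record; the field names are an assumption, not a product schema."""
    process: str        # image name of the parent, e.g. cmd.exe
    command: str        # parent command line
    child_process: str  # image name of the spawned child
    child_command: str  # child command line


def rule_schtasks_xml(ev: ProcessEvent) -> bool:
    """The page's scheduled-task rule, with every token required in the child command line."""
    needed = ("schtasks", "/create", "appdata\\local", "/xml")
    child = ev.child_command.lower()
    return (ev.process.lower() == "cmd.exe"
            and "appdata\\local" in ev.command.lower()
            and all(tok in child for tok in needed))


def rule_node_guid_js(ev: ProcessEvent) -> bool:
    """node.exe executing a GUID-named .js from a per-user AppData\\Local\\Programs directory."""
    return (ev.child_process.lower() == "node.exe"
            and "appdata\\local\\programs" in ev.child_command.lower()
            and GUID_JS.search(ev.child_command) is not None)


def is_c2_like(domain: str) -> bool:
    """True when a (possibly defanged) domain matches the api.<18 alnum>.com pattern."""
    d = domain.strip().rstrip(".").replace("[.]", ".").lower()
    return C2_DOMAIN.match(d) is not None


EVENTS = [
    # Built from the two command lines quoted under "Malware details".
    ProcessEvent("cmd.exe",
                 r'cmd.exe /C schtasks /Create /tn "24c92c24-5c4e-451a-8885-9509dc69ab38" /xml "C:\users\username\AppData\Local\Temp\is-ULLR6.tmp\task.xml"',
                 "schtasks.exe",
                 r'schtasks /Create /tn "24c92c24-5c4e-451a-8885-9509dc69ab38" /xml "C:\users\username\AppData\Local\Temp\is-ULLR6.tmp\task.xml"'),
    ProcessEvent("cmd.exe",
                 r'cmd.exe /c node.exe C:\Users\username\AppData\Local\Programs\ManualReaderPro\24c92c24-5c4e-451a-8885-9509dc69ab38.js',
                 "node.exe",
                 r'node.exe C:\Users\username\AppData\Local\Programs\ManualReaderPro\24c92c24-5c4e-451a-8885-9509dc69ab38.js'),
    # Constructed benign activity that must not fire.
    ProcessEvent("cmd.exe", r'cmd.exe /C schtasks /Query /tn "Backup"',
                 "schtasks.exe", r'schtasks /Query /tn "Backup"'),
    ProcessEvent("cmd.exe", r'cmd.exe /c node.exe C:\Users\username\dev\app\index.js',
                 "node.exe", r'node.exe C:\Users\username\dev\app\index.js'),
    ProcessEvent("svchost.exe", "svchost.exe -k netsvcs",
                 "schtasks.exe", r'schtasks /Create /tn "Updater" /xml "C:\ProgramData\Vendor\task.xml"'),
]

DNS_QUERIES = [
    # Domains listed on this page, defanged as written there ...
    "api[.]cjby76nlcynrc4jvrb[.]com",
    "api[.]k2ioeasm874fnacr9x[.]com",
    "api[.]j6vmldsufhwx8zn69z[.]com",
    "api[.]vtqgo0729ilnmyxs9q[.]com",
    "api[.]nk99s1s3zkutjlyodx[.]com",
    "api[.]78kwijczjz0mcig0f0[.]com",
    # ... plus constructed look-alikes and ordinary API hosts that should not match.
    "api.github.com",
    "api.k2ioeasm874fnacr9x.net",
    "www.k2ioeasm874fnacr9x.com",
    "api.k2ioeasm874fnacr9.com",
]


def run(events, dns_queries):
    """Return ([(event index, rule name), ...], [matching domains])."""
    hits = [(i, rule.__name__) for i, ev in enumerate(events)
            for rule in (rule_schtasks_xml, rule_node_guid_js) if rule(ev)]
    return hits, [d for d in dns_queries if is_c2_like(d)]


if __name__ == "__main__":
    hits, domains = run(EVENTS, DNS_QUERIES)
    print("process hits:", hits)
    print("C2-like domains:", domains)
```

The domain regex is the most brittle of the three checks: the label length and the api prefix are operator choices that can change at any time, so treat a match as a pivot for further investigation rather than as a standalone block rule. The process rules are more durable because they key on the persistence mechanism and on node.exe running from a per-user install directory, which legitimate Node.js applications rarely do with GUID-named scripts.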
