Lumen Technologies' Black Lotus Labs has uncovered a malicious campaign, named “J-magic,” aimed at enterprise-grade Juniper routers. The operation, which began in mid-2023, is believed to have exploited vulnerabilities in Juniper's Junos OS; the earliest known sample was uploaded to VirusTotal in September 2023.
The attack relies on a passive agent that monitors TCP traffic for a specific “magic packet” sent by the attacker. Once this packet is detected, the agent issues a secondary challenge before establishing a reverse shell on the compromised router, granting the attackers full control. With this access, threat actors can steal sensitive data or deploy further malicious software.
Black Lotus Labs believes that Juniper routers running Junos OS are prime targets because of where they sit within corporate networks. Once a device is compromised, the attacker can exfiltrate data, steal credentials, or use the device as a foothold into other internal systems.
While elements of the J-magic campaign resemble another known malware, SeaSpy2 (used in 2023 zero-day attacks on Barracuda mail servers), J-magic has evolved with more sophisticated operational security measures, such as an embedded certificate used to verify the attackers.
Despite some overlap in technical aspects, Black Lotus Labs has not yet established a direct connection between J-magic and other malware campaigns.
The malware used in the J-magic campaign appears to be a custom variant of cd00r, an open-source backdoor originally released in 2000. Cd00r has been used in various campaigns because of its ability to exploit vulnerabilities in networked systems. Once installed, the malware listens for a “magic packet” and, if the conditions are met, opens a reverse shell connection to an attacker-controlled machine. A cryptographically protected challenge is then exchanged to authenticate the attacker before further access to the system is granted.
Black Lotus Labs’ telemetry indicates that J-magic has affected a wide range of sectors, including energy, semiconductor manufacturing, and IT, with a notable concentration in critical infrastructure. In particular, approximately 50% of the compromised routers were configured as VPN gateways, which provide remote access into the affected networks.