In a significant discovery, Black Lotus Labs at Lumen Technologies has identified a sophisticated backdoor malware targeting enterprise-grade Juniper routers.
Dubbed “J-Magic,” the campaign uses a passive agent that watches incoming network traffic for predefined “magic packets” instead of exposing a listening port of its own.
These signals trigger the malware to establish a reverse shell, granting attackers access to the affected routers for data theft, espionage, or deployment of malicious payloads.
The operation appears to target Junos OS, a FreeBSD-based operating system commonly used in enterprise-grade networking equipment. The campaign’s earliest traces date back to September 2023, with activity extending through mid-2024.
Targeting of Enterprise Routers
Unlike typical consumer or SOHO (small office/home office) router attacks, J-Magic represents a rare intrusion into enterprise network infrastructure.
Enterprise routers are attractive targets: they carry little host-based monitoring, run for long stretches without a reboot, and therefore let malware stay resident in memory without being noticed.
These devices, often used as VPN gateways or edge routers, provide attackers with a pivotal point to access broader network ecosystems.
The J-Magic campaign impacted industries spanning semiconductor manufacturing, energy, IT, and heavy machinery, underscoring its diverse target base.
Notably, telemetry revealed that about half of the affected routers were configured as VPN gateways, key devices that let attackers harvest credentials and move laterally within organizations.
A Variant of cd00r Malware
J-Magic employs a modified version of “cd00r,” an open-source malware initially developed to explore stealth backdoor techniques.
The malware opens no network connections until instructed, and its in-memory-only approach helps it evade detection. Key technical features include:
- Monitoring TCP traffic for specific magic packet conditions through an extended Berkeley Packet Filter (eBPF) attached to the interface, rather than through a listening socket.
- Spawning a reverse shell after detecting predefined parameters, such as expected values at specific offsets and string sequences within the TCP packet.
- Gating the shell behind an RSA-based challenge-response: the implant sends the sender a random string encrypted with an embedded public key and only proceeds if the decrypted string comes back, so a third party who merely learns the magic packet cannot use the backdoor.
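To make the trigger-then-challenge sequence concrete, here is an added Python model of a cd00r-style gate. It is example code written for this page, not J-Magic's or cd00r's own: the watched ports, marker string, offset, addresses and packet layouts are constructed for illustration, since the real trigger conditions are not given above, and a textbook RSA keypair built from two well-known primes stands in for the implant's embedded public key. It parses a raw IPv4/TCP packet the way a packet filter would see it, decides whether it is a magic packet, and then runs the challenge-response that a party without the private key cannot pass. No shell is spawned.

```python
"""Model of a cd00r-style passive trigger followed by an RSA challenge-response.

Added example, not J-Magic's or cd00r's code. The watched ports, marker, offset,
addresses and RSA primes are constructed for illustration; the real J-Magic
trigger conditions and key are not given on this page.
"""
import random
import string
import struct

# Hypothetical trigger conditions (assumption, not the real J-Magic values).
WATCHED_PORTS = {22, 443, 830}
MAGIC_MARKER = b"J-MAGIC-TEST"
MARKER_OFFSET = 4  # marker expected at this offset into the TCP payload


def parse_ipv4_tcp(frame: bytes):
    """Return (src_ip, dst_port, payload) for a raw IPv4/TCP packet, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 6:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if len(frame) < ihl + 20:
        return None
    tcp = frame[ihl:]
    _src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    src_ip = ".".join(str(b) for b in frame[12:16])
    return src_ip, dst_port, tcp[data_off:]


def is_magic_packet(frame: bytes) -> bool:
    """The passive check. A real implant runs this behind a packet filter on the
    interface, so nothing is bound and the watched port need not even be open."""
    parsed = parse_ipv4_tcp(frame)
    if parsed is None:
        return False
    _, dst_port, payload = parsed
    marker = payload[MARKER_OFFSET:MARKER_OFFSET + len(MAGIC_MARKER)]
    return dst_port in WATCHED_PORTS and marker == MAGIC_MARKER


def build_packet(src_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet (checksums left zero; fine for parsing)."""
    src = bytes(int(o) for o in src_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         src, bytes([10, 0, 0, 1]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


# Textbook RSA over two well-known primes, constructed for this example; a real
# implant embeds a full-size public key and only the operator holds the private one.
P, Q = 1_000_000_007, 998_244_353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def make_challenge(rng=random.SystemRandom()):
    """Implant side: random 5-character string, returned with its RSA encryption."""
    chal = "".join(rng.choice(string.ascii_letters + string.digits) for _ in range(5))
    m = int.from_bytes(chal.encode(), "big")  # 5 bytes < 2**40 < N
    return chal, pow(m, E, N)


def answer_challenge(ciphertext: int, private_exponent: int) -> str:
    """Operator side: decrypt; only the holder of D recovers the plaintext."""
    m = pow(ciphertext, private_exponent, N)
    return m.to_bytes(8, "big").lstrip(b"\x00").decode(errors="replace")


def implant_accepts(frame: bytes, responder) -> bool:
    """Full gate: magic packet first, then the decrypted challenge must come back."""
    if not is_magic_packet(frame):
        return False
    chal, ct = make_challenge()
    return responder(ct) == chal


if __name__ == "__main__":
    trigger = build_packet("198.51.100.7", 443, b"\x00" * 4 + MAGIC_MARKER)
    print("operator with key:", implant_accepts(trigger, lambda c: answer_challenge(c, D)))
    print("third party:      ", implant_accepts(trigger, lambda c: answer_challenge(c, 12345)))
```

The defensive takeaway from the model is twofold: the trigger is a single, otherwise unremarkable TCP segment to a port that does not have to be open, so port scans and listening-socket inventories will not reveal the implant; and because the challenge is encrypted to the operator's key, capturing a trigger packet on the wire does not let a defender (or a rival intruder) exercise the backdoor to confirm it.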
While there are similarities to the “SeaSpy” malware family, such as overlapping function names and a shared use of cd00r, J-Magic’s unique certificate-based challenge-response suggests advancements in operational security.
Black Lotus Labs has attributed the campaign to an unknown actor, with no high-confidence links to previously documented groups.
The campaign exhibited a notable geographic distribution, targeting Juniper routers across Europe, the Americas, and Southeast Asia.
Data analysis pointed to two primary victim clusters: routers acting as VPN gateways, and routers whose NETCONF management service was exposed.
J-Magic operators ran their command-and-control servers on rented VPS (Virtual Private Server) infrastructure with self-signed certificates, and infected devices called back to those servers.
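The two observables the article gives us, an unsolicited inbound packet to the router followed by a reverse-shell callback from the router to the operator's server, can be turned into a simple hunting heuristic over flow records. The following is an added example written for this page, not Black Lotus Labs' tooling: the NetFlow-style records, the router address, the internal prefix, the 120 second window and the 100 byte trigger threshold are all constructed assumptions, to be replaced by your own export fields and baselines on real data.

```python
"""Hunting heuristic: small unsolicited inbound packet to a router, followed by a
router-initiated callback to the same external host within a short window.

Added example, not Black Lotus Labs' tooling. The flow records, router address,
internal prefix, window and byte threshold are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

ROUTER_IPS = {"192.0.2.1"}                     # constructed: routers being hunted on
INTERNAL_NETS = [ip_network("192.0.2.0/24")]   # constructed: the organisation's space
CALLBACK_WINDOW = 120                          # seconds after the trigger
TRIGGER_MAX_BYTES = 100                        # a magic packet is one small segment

# Constructed NetFlow-style records: (time, src, sport, dst, dport, bytes)
FLOWS = [
    (1000, "203.0.113.5", 51000, "192.0.2.1", 443, 60),     # unsolicited inbound
    (1003, "192.0.2.1", 34000, "203.0.113.5", 443, 1200),   # router calls back
    (1050, "198.51.100.9", 40000, "192.0.2.1", 22, 900),    # ordinary admin SSH
    (2000, "192.0.2.1", 34001, "192.0.2.50", 53, 80),       # DNS to internal resolver
    (3000, "192.0.2.1", 34002, "203.0.113.77", 8443, 500),  # outbound, no trigger seen
]


def is_external(ip: str) -> bool:
    """True when the address lies outside the constructed internal prefixes."""
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def hunt(flows, router_ips=ROUTER_IPS, window=CALLBACK_WINDOW,
         trigger_max_bytes=TRIGGER_MAX_BYTES):
    """Return one finding per router-initiated external flow.

    'high' when the same peer sent the router a small unsolicited packet shortly
    before; 'low' for any other router-initiated external session, which is still
    worth a look because edge routers rarely originate traffic beyond known
    services such as NTP, DNS or vendor update checks."""
    findings = []
    triggers = defaultdict(list)  # (router, peer) -> trigger timestamps
    for t, src, _sport, dst, _dport, nbytes in sorted(flows, key=lambda f: f[0]):
        if dst in router_ips and is_external(src) and nbytes <= trigger_max_bytes:
            triggers[(dst, src)].append(t)
        elif src in router_ips and is_external(dst):
            matched = [tt for tt in triggers[(src, dst)] if 0 <= t - tt <= window]
            findings.append({
                "severity": "high" if matched else "low",
                "router": src,
                "peer": dst,
                "callback_time": t,
                "trigger_time": matched[-1] if matched else None,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(FLOWS):
        print(finding)
```

Flow records cannot tell you whether the trigger hit an open port, and a passive implant does not need one, so the heuristic keys on direction and timing rather than on the port itself. The "low" findings are where the baseline matters: an edge router that starts sessions to an unfamiliar VPS address, whether or not a trigger was captured, is exactly the callback pattern described above.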
The J-Magic campaign demonstrates the increasing sophistication of adversaries in targeting enterprise-grade networking devices.
Juniper routers, often overlooked in threat landscapes, are becoming key vectors due to their critical role in corporate infrastructure.
While the campaign shares characteristics with other malware families, it operates as a distinct and evolving threat.
As attackers continue refining their techniques, enterprises must prioritize the security of networking equipment, particularly perimeter devices like routers and VPN gateways.
Enhanced monitoring, proactive threat hunting, and securing configurations will be essential to counter future malicious campaigns of this nature.