A sophisticated cyber campaign dubbed “J-magic” has been discovered targeting enterprise-grade Juniper routers with a backdoor attack that leverages a passive monitoring agent.
The operation, first detected in September 2023, employs a variant of the cd00r backdoor that continuously scans for specific “magic packets” in TCP traffic.
Technical Implementation
The malware, masquerading as “JunoscriptService,” operates by establishing an eBPF filter on specified interfaces and ports.
Upon installation, it renames itself “[nfsiod 0]” to blend in with legitimate NFS processes.
The backdoor monitors incoming TCP traffic for five distinct predefined parameters, and when triggered by a matching “magic packet,” it initiates a secondary challenge before establishing a reverse shell.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
The campaign has primarily focused on organizations using Juniper routers as VPN gateways, with approximately 50% of targeted devices serving this function.
The attackers strategically targeted semiconductor, energy, manufacturing, and IT sectors, with victims spread across multiple countries.
The operation demonstrated particular interest in devices that could serve as network crossroads, potentially enabling deeper access into corporate networks.
According to the Lumen report, what sets J-magic apart is its sophisticated operational security measures.
The malware implements a unique RSA challenge mechanism, requiring attackers to correctly respond to a five-character random string encrypted with a hardcoded public key.
This feature appears designed to prevent unauthorized actors from hijacking compromised systems, showing an evolution in tradecraft compared to earlier variants.
The campaign remained active from mid-2023 through at least mid-2024, with telemetry indicating less than 0.01% of analyzed netflow corresponding to potential compromises across 36 unique IP addresses globally.
While sharing some technical indicators with the previously known SeaSpy2 malware family, researchers maintain low confidence in direct attribution due to limited technical overlap.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar