January 23, 2025 By Ionut Ilascu
A malicious campaign has been specifically targeting Juniper edge devices, many acting as VPN gateways, with malware dubbed J-magic that starts a reverse shell only if it detects a “magic packet” in the network traffic.
The J-magic attacks appear to target organizations in the semiconductor, energy, manufacturing (marine, solar panels, heavy machinery), and IT sectors.
Challenge-protected reverse shell
The J-magic malware is a custom variant of the publicly available cd00r backdoor, a proof-of-concept that stays silent and passively monitors network traffic for a specific packet before opening a communication channel with the attacker.
According to researchers at Black Lotus Labs, Lumen’s threat research and operations arm, the J-magic campaign was active between mid-2023 and at least mid-2024 and was orchestrated for “low-detection and long-term access.”
Based on the telemetry available, the researchers say that about half of the targeted devices appeared to be configured as a virtual private network (VPN) gateway for their organization.
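As an added, defender-side example that is not part of this article or of Black Lotus Labs' research: the cd00r-style trigger described above, an unsolicited packet arriving at the edge device followed shortly by a connection the device itself initiates, can be correlated in flow logs without knowing the trigger packet's format. The Python below assumes a constructed flow-record format, a constructed gateway address, a constructed set of served ports and outbound allowlist (RFC 5737 documentation ranges), and a 60-second correlation window; every value is invented for illustration, and J-magic's actual trigger and callback details are not described on this page.

```python
from datetime import datetime, timedelta

# All values below are constructed for this example (RFC 5737 documentation ranges).
GATEWAY = "203.0.113.1"                   # the monitored edge / VPN gateway
SERVED_PORTS = {443, 500, 4500}           # ports the gateway is expected to accept (SSL VPN, IKE, NAT-T)
OUTBOUND_ALLOWLIST = {"192.0.2.53", "192.0.2.123"}  # DNS and NTP servers the gateway may contact
WINDOW = timedelta(seconds=60)            # max gap between trigger packet and callback

# Constructed flow records: "<iso-timestamp> <src>:<sport> > <dst>:<dport> <proto>"
SAMPLE_FLOWS = """\
2024-03-01T10:00:00 198.51.100.7:51000 > 203.0.113.1:443 tcp
2024-03-01T10:00:05 203.0.113.1:40000 > 192.0.2.123:123 udp
2024-03-01T10:01:00 198.51.100.9:4444 > 203.0.113.1:8443 tcp
2024-03-01T10:01:02 203.0.113.1:39011 > 198.51.100.9:4444 tcp
2024-03-01T10:05:00 198.51.100.7:51002 > 203.0.113.1:500 udp
"""


def parse_flow(line):
    """Parse one flow record into a dict; raises ValueError on malformed input."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != ">":
        raise ValueError(f"unexpected record format: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src_ip, "sport": int(src_port),
        "dst": dst_ip, "dport": int(dst_port),
        "proto": proto,
    }


def find_triggered_callbacks(flow_text, gateway=GATEWAY, served=SERVED_PORTS,
                             allowlist=OUTBOUND_ALLOWLIST, window=WINDOW):
    """Return (trigger, callback) pairs: an unsolicited inbound packet to the gateway
    followed within `window` by a gateway-initiated connection to a destination
    outside the allowlist. The trigger's payload is never inspected, so the
    heuristic does not depend on knowing the magic packet's format."""
    flows = sorted((parse_flow(l) for l in flow_text.splitlines() if l.strip()),
                   key=lambda f: f["ts"])
    unsolicited = []   # inbound flows aimed at ports the gateway does not serve
    alerts = []
    for f in flows:
        if f["dst"] == gateway and f["dport"] not in served:
            unsolicited.append(f)
        elif f["src"] == gateway and f["dst"] not in allowlist:
            # Keep only triggers still inside the correlation window.
            unsolicited = [u for u in unsolicited if f["ts"] - u["ts"] <= window]
            if unsolicited:
                # Pair the callback with the most recent trigger.
                alerts.append({"trigger": unsolicited[-1], "callback": f})
    return alerts


if __name__ == "__main__":
    for a in find_triggered_callbacks(SAMPLE_FLOWS):
        t, c = a["trigger"], a["callback"]
        print(f"ALERT: unsolicited {t['proto']} to port {t['dport']} from {t['src']} at {t['ts']} "
              f"followed by gateway callback to {c['dst']}:{c['dport']} at {c['ts']}")
```

On the constructed sample, the SSL VPN session on 443, the IKE packet on 500 and the NTP query to an allowlisted server produce nothing; only the packet to unserved port 8443 followed two seconds later by an outbound connection from the gateway is flagged. In a real deployment the served-port set and outbound allowlist come from the device's actual configuration, and a gateway that initiates unexpected outbound sessions is worth a look even without a visible trigger.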