The Black Lotus Labs team at Lumen Technologies has revealed a sophisticated backdoor campaign, dubbed “J-Magic,” targeting enterprise-grade Juniper routers. According to their report, this campaign uses a passive agent to exploit vulnerabilities, gaining long-term and low-detection access to affected devices.
The J-Magic operation relies on a tailored variant of the open-source cd00r backdoor, using “magic packets” to establish control. As Black Lotus Labs explains, “This backdoor is opened by a passive agent that continuously monitors for a ‘magic packet,’ sent by the attacker in TCP traffic.” Once the packet is detected, a reverse shell is created, allowing attackers to execute arbitrary commands, steal data, or deploy additional malware.
The campaign was first identified in September 2023, with activity extending through mid-2024. The attackers have primarily targeted routers acting as VPN gateways within organizations spanning semiconductor, energy, manufacturing, and IT sectors.
Unlike conventional malware, J-Magic exclusively resides in memory, making detection difficult. Black Lotus Labs emphasizes, “Malware tailored for routers is designed to take advantage of long uptime and live exclusively in-memory, allowing for low-detection and long-term access.”
The backdoor employs five distinct “magic packet” conditions to trigger its reverse shell function. For example, one condition requires a specific sequence in the TCP header and a destination port of 443. Upon activation, the malware sends an encrypted challenge string using a hardcoded RSA key. If the correct response is received, a command shell is established.
The report underscores that Juniper routers are attractive targets due to their placement at the network edge and their role as VPN gateways. “Routers on the edge of the corporate network or serving as the VPN gateway… represent a crossroads, opening avenues to the rest of a corporate network,” notes the report.
Black Lotus Labs’ telemetry identified 36 unique IP addresses impacted globally, with notable targets in the construction, energy, and telecommunications industries. The attackers also demonstrated advanced operational security, masking their activities and utilizing public VPN and proxy services to conceal their infrastructure.
While some technical similarities exist between J-Magic and SeaSpy malware, Black Lotus Labs states, “We do not have enough data points to link these two campaigns with high confidence.” The embedded RSA challenge observed in J-Magic marks an evolution in tradecraft, differentiating it from previous campaigns.
The J-Magic campaign reflects a broader trend of leveraging passive agent-based malware like Symbiote and BPFdoor. Black Lotus Labs warns that “the Magic Packet malware is becoming an increasing trend in use against perimeter devices,” signaling growing challenges for defenders.
For the full report and technical details, visit Lumen Technologies’ official blog.
Related Posts:
- AVrecon RAT hidden in SOHO routers infected 70,000 devices in 20 countries in two years
- Unauthenticated Attackers Can Exploit Junos Vulnerabilities (CVE-2025-21598 & CVE-2025-21599)
- Chinese Hackers Deploy VersaMem Web Shell via Versa Director Zero-Day (CVE-2024-39717)
- “TheMoon” Malware Returns: Thousands of Routers Compromised
