Juniper Enterprise Routers Targeted by New Malware Campaign

Researchers at Black Lotus Labs have uncovered a targeted malware campaign that exploits enterprise-grade Juniper routers running the FreeBSD-based Junos OS.

Named “J-Magic,” the campaign uses specially crafted “magic packets” to trigger an in-memory backdoor on affected routers. Once activated, the backdoor can provide attackers with covert control of devices, enable data exfiltration, or allow deployment of additional malicious tools without leaving clear traces on disk.

Security teams are particularly concerned because enterprise-class Juniper routers often function as critical infrastructure within organizations. These devices typically lack extensive host-based monitoring, are rarely rebooted, and commonly run long-lived processes—conditions that make them attractive targets for stealthy, memory-resident malware.

Black Lotus Labs reports that the campaign has been active since mid-2023 and has targeted multiple industries, including semiconductors, energy, information technology, and manufacturing. Routers serving as VPN gateways were frequently affected, presenting a direct route into corporate networks and exposing remote-access paths and credentials to compromise.

How J-Magic works

J-Magic is based on a variant of cd00r, a legacy open-source backdoor concept that originated around 2000. While cd00r began as an experiment in invisible backdoors, attackers have evolved the idea into a sophisticated, conditional activation framework. The malware remains dormant until it detects specific, predefined characteristics in incoming TCP traffic, after which it proceeds through a challenge-response authentication and can open a reverse shell.

Black Lotus Labs summarizes the J-Magic workflow in clear stages:

  • Passive packet monitoring: A lightweight agent captures inbound TCP traffic using packet-capture functionality built on eBPF (extended Berkeley Packet Filter). The agent operates passively to avoid drawing attention.
  • Magic packet triggers: Attackers embed one of several predefined signatures—known as magic packets—into TCP payloads or specific header fields. Any matching condition can activate the backdoor.
  • Challenge-response authentication: Upon activation, the backdoor issues an encrypted challenge using a hardcoded RSA public key. The attacker must return a correct response to obtain an interactive shell.
  • Reverse shell and post-exploitation: After successful authentication, the attacker can establish a reverse shell to execute commands, transfer data, or pivot deeper into the environment.

To evade detection, the malicious process disguises itself with a name resembling legitimate Junos processes—appearing as “[nfsiod 0]” in process listings—making it less likely to attract the attention of administrators inspecting running processes.

J-Magic inspects several details in TCP traffic to identify an activation event: specific byte sequences in TCP headers, source and destination IP addresses and ports, and patterns within payload data. If any one of the configured conditions is met, the backdoor performs the challenge handshake and attempts to connect back to the attacker-specified IP address.
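The activation sequence above has a network-visible shape: a tiny unsolicited inbound TCP flow to the router, followed shortly by a router-initiated outbound connection to an address the router has no business talking to. The following is an added detection example (not code from Black Lotus Labs or Juniper) that applies that heuristic to flow records; the router address, allowlist, window and sample flows are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    packets: int

# Constructed values: the router's own address and the destinations it legitimately talks to.
ROUTER_IPS = {"198.51.100.1"}
ALLOWED_OUTBOUND = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
WINDOW = timedelta(seconds=60)   # how soon after a knock a callback must start to be paired
KNOCK_MAX_PACKETS = 3            # a magic packet is a tiny inbound flow, not a full session

def allowed_destination(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_OUTBOUND)

def find_knock_callbacks(flows):
    """Pair each router-initiated TCP flow to a non-allowlisted host with the latest tiny inbound flow inside WINDOW."""
    ordered = sorted(flows, key=lambda f: f.ts)
    knocks = [f for f in ordered
              if f.dst in ROUTER_IPS and f.proto == "tcp" and f.packets <= KNOCK_MAX_PACKETS]
    hits = []
    for cb in ordered:
        if cb.src not in ROUTER_IPS or cb.proto != "tcp" or allowed_destination(cb.dst):
            continue
        prior = [k for k in knocks if k.ts <= cb.ts <= k.ts + WINDOW]
        if prior:
            hits.append((prior[-1], cb))
    return hits

# Constructed sample telemetry: one knock followed by a callback, plus benign noise.
T = datetime(2024, 7, 1, 10, 0, 0)
SAMPLE_FLOWS = [
    Flow(T, "192.0.2.50", "198.51.100.1", 443, "tcp", 1),                              # knock
    Flow(T + timedelta(seconds=5), "198.51.100.1", "192.0.2.77", 8443, "tcp", 40),     # callback
    Flow(T + timedelta(minutes=5), "198.51.100.1", "203.0.113.10", 514, "udp", 12),    # syslog, allowed
    Flow(T + timedelta(minutes=10), "203.0.113.5", "198.51.100.1", 22, "tcp", 240),    # admin SSH
    Flow(T + timedelta(minutes=10, seconds=30), "198.51.100.1", "192.0.2.99", 443, "tcp", 30),
]
if __name__ == "__main__":
    for knock, cb in find_knock_callbacks(SAMPLE_FLOWS):
        print(f"ALERT knock {knock.src} at {knock.ts:%H:%M:%S} -> callback {cb.dst}:{cb.dport} at {cb.ts:%H:%M:%S}")
```

The final outbound flow is not flagged because no tiny inbound flow precedes it within the window; in practice that flow still deserves review against the allowlist, which is why the two signals are combined rather than relied on alone.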

Although J-Magic shares tradecraft similarities with a previous campaign known as SeaSpy—particularly in the use of cd00r-style approaches and magic-packet activation—Black Lotus Labs cautions against a definitive attribution. Notable features of J-Magic, such as its embedded RSA certificate challenge, are absent from SeaSpy samples, indicating distinct developments or actors.

The campaign highlights a broader trend among threat actors toward passive, memory-resident backdoors that avoid traditional disk-based artifacts. These techniques resemble other advanced backdoors like BPFdoor and Symbiote, which leverage in-memory persistence and kernel-level packet inspection to remain stealthy.

Why Juniper routers are valuable targets

Black Lotus Labs identified J-Magic infections across 36 unique public IP addresses worldwide. Nearly half of the compromised routers were confirmed to act as VPN gateways, positioning attackers to intercept remote-access traffic, harvest credentials, or establish persistent footholds in corporate networks.

Victim organizations spanned multiple sectors and countries. Observed examples include:

  • Construction and IT firms in the United Kingdom targeted between June and August 2024.
  • A Norwegian bioengineering company that received repeated magic packets through mid-to-late 2024.
  • Organizations in the energy sector, including a solar panel manufacturer, targeted for reconnaissance or compromise.

Some infected devices also had management interfaces such as NETCONF exposed, a common configuration for routers that manage large device fleets in telecoms or ISPs. That exposure suggests attackers may be aiming not only at individual enterprises but also at centralized infrastructure that can provide broad access.

Researchers noted regional differences in observed activity: European devices were more often targeted as VPN gateways, while South American routers—frequently managed remotely—displayed signs consistent with reconnaissance and initial probing.

This campaign underscores that attackers are increasingly shifting focus from consumer-grade routers to enterprise networking equipment that provides higher-value access and greater potential impact. Juniper routers occupy a specialized but critical role in many organizations’ networks, making them an attractive objective for sophisticated intrusions.

Advanced techniques such as eBPF-based passive sniffing and modular cd00r-derived code mean defenders face significant detection challenges. Memory-only implants leave little on-disk evidence and can blend in with legitimate traffic and processes.

To reduce risk, organizations operating Juniper routers or similar infrastructure should adopt layered defenses: apply rigorous access controls, limit management-plane exposure, regularly update router operating systems and patches, and deploy network-level intrusion detection systems capable of identifying anomalous packet patterns or unusual session behavior. Monitoring for unexpected processes and correlating network telemetry with device configuration changes will also improve the ability to detect stealthy intrusions.

As enterprise networks grow more complex, campaigns like J-Magic demonstrate how attackers refine tactics to evade conventional defenses while targeting strategic network assets. Continued attention to device hardening, timely patching, and advanced network monitoring is essential to mitigate the evolving threat against critical routing infrastructure.

(Image by Adrian Malec)