Custom Backdoor Exploiting Magic Packet Risk in Juniper Routers

Jan 23, 2025 | Ravie Lakshmanan | Malware / Enterprise Security

Enterprise-grade Juniper Networks routers have been targeted by a custom backdoor as part of a campaign dubbed J-magic.

The Black Lotus Labs team at Lumen Technologies says the activity is so named because the backdoor continuously monitors TCP traffic for a "magic packet" sent by the threat actor.

In a statement shared with The Hacker News, the firm said the J-magic campaign is a rare case of malware created specifically for Junos OS, which runs a different operating system, a variant of FreeBSD.

Data gathered by the firm shows that the earliest sample of the backdoor dates back to September, with activity spanning mid-2023 to mid-2024. The semiconductor, energy, manufacturing, and information technology (IT) sectors were the most targeted.

Infections have been reported across Europe, Asia, and South America, including Argentina, Armenia, Brazil, Chile, Colombia, Indonesia, the Netherlands, Norway, Peru, the U.K., the U.S., and Venezuela.

The campaign is notable for deploying an agent after gaining initial access through an unspecified method. The agent, a variant of a nearly 25-year-old, publicly available backdoor referred to as , waits for five different pre-defined parameters before starting its functions.

The agent is set up to issue a secondary challenge upon receipt of these magic packets, after which J-magic creates a reverse shell to the IP address and port specified in the magic packet. This lets the attackers control the device, steal data, or deploy additional payloads.

Lumen theorized that the challenge was added to stop other threat actors from spraying magic packets indiscriminately and repurposing the J-magic agents for their own goals.
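As an added defender-side example (not part of the original article or of Lumen's research), the script below flags TCP sessions that a router itself initiates toward a destination outside an expected egress allowlist, which is the footprint a reverse shell to an attacker-chosen IP and port would leave in flow data. The router addresses, the allowlist and the flow records are constructed sample values, not indicators from the campaign.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a NetFlow/IPFIX collector would export it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    tcp_flags: str   # TCP flags of the flow's first packet, e.g. "S", "SA"; "" for UDP


# Constructed sample values (hypothetical, RFC 5737 documentation ranges).
ROUTER_IPS = {"192.0.2.1", "192.0.2.2"}
# Destinations a router is expected to reach out to on its own:
# a TACACS+ server and an HTTPS software-update host.
EXPECTED_EGRESS = {("192.0.2.10", 49), ("192.0.2.11", 443)}

SAMPLE_FLOWS = [
    # Inbound client to the router's management plane: router did not initiate this.
    Flow("203.0.113.5", 40000, "192.0.2.1", 443, "tcp", "S"),
    # Router opening a TACACS+ session: expected egress.
    Flow("192.0.2.1", 50123, "192.0.2.10", 49, "tcp", "S"),
    # Router's SYN-ACK inside a session a client opened: not router-initiated.
    Flow("192.0.2.2", 22, "198.51.100.3", 55000, "tcp", "SA"),
    # UDP syslog export: not TCP, ignored by this check.
    Flow("192.0.2.2", 514, "192.0.2.12", 514, "udp", ""),
    # Router opening a TCP session to an unexpected host and port: this is the
    # shape a reverse shell to an attacker-supplied IP/port takes in flow data.
    Flow("192.0.2.1", 51234, "203.0.113.9", 7000, "tcp", "S"),
]


def is_router_initiated(flow, router_ips):
    """True when a router sends the opening SYN (SYN set, ACK clear) of a TCP session."""
    return (flow.proto == "tcp" and flow.src_ip in router_ips
            and "S" in flow.tcp_flags and "A" not in flow.tcp_flags)


def suspicious_egress(flows, router_ips=ROUTER_IPS, expected=EXPECTED_EGRESS):
    """Return router-initiated TCP sessions whose destination is not on the allowlist."""
    return [f for f in flows
            if is_router_initiated(f, router_ips)
            and (f.dst_ip, f.dst_port) not in expected]


if __name__ == "__main__":
    for f in suspicious_egress(SAMPLE_FLOWS):
        print(f"ALERT: router {f.src_ip} opened a TCP session to {f.dst_ip}:{f.dst_port}")
```

Routers rarely open outbound TCP sessions on their own, so a short allowlist of management destinations keeps this check quiet on normal traffic while still catching a callback to an arbitrary port.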

It is worth noting that another variant of cd00r, codenamed , was deployed in connection with a campaign aimed at Barracuda Email Security Gateway (ESG) appliances in late 2022.

That said, there is no conclusive evidence at this time linking the two campaigns, nor does the J-magic campaign show any overlap with other activity targeting enterprise-grade routers, such as and (also known as Canary Typhoon).

A second, smaller cluster of targets is said to consist of Juniper routers with exposed s, alongside those acting as VPN gateways. Such interfaces are thought to be in use because they automate router configuration management and information gathering.

The campaign's precise end goals are still undetermined, but the Black Lotus Labs team told The Hacker News that it saw "some interesting targeting" in line with the strategic objectives of a particular nation known for intellectual property theft, specifically aimed at the shipbuilding and microprocessor manufacturing sectors.

The latest findings highlight the continued , largely driven by the long uptime of such devices and the lack of endpoint detection and response (EDR) protections on them, as nation-state actors prepare follow-on attacks against routers.

The focus on Juniper routers is "one of the most notable aspects of the campaign," Lumen said. "While we've seen a lot of other networking equipment targeted, this campaign shows that attackers can successfully target other types of devices like enterprise-grade routers."
