New backdoor discovered that specifically targets Juniper routers
Researchers at Black Lotus Labs have uncovered an operation where a back door is dropped onto enterprise-grade Juniper Networks routers and listens for specific network signals, known as “magic packets,” to execute malicious commands.
The campaign, which researchers at the cybersecurity wing of Lumen Technologies refer to as “J-Magic,” was active between mid-2023 and mid-2024. The malware uses a custom variant of the open-source backdoor ‘cd00r,’ which operates invisibly to lay the groundwork for a reverse shell attack. The malware passively scans incoming traffic for five different predefined parameters before activating. When a packet matching any of these parameters (a “magic packet”) arrives, the malware sends a confirmation request. Once that is confirmed, J-Magic establishes a reverse shell on the local file system, allowing operators to control the device, steal data, or deploy further malware.
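The sequence described above (an unsolicited packet arrives, the implant answers, then the router itself opens a connection back to the sender) is visible in flow telemetry even when the router cannot run endpoint security. The following is an added example, not code from Black Lotus Labs or Lumen: a flow-sequence heuristic that flags a short inbound flow to a port the router does not serve, followed within a window by a TCP connection the router originates toward the same peer. The `Flow` record layout, the `KNOWN_SERVICES` baseline, the 60-second window and all addresses are assumptions constructed for the example; the page gives no signature for the magic packet itself, so the rule keys on the ordering of events rather than on packet contents.

```python
"""Flow-sequence heuristic for magic-packet style backdoors on an edge router.

Added example, not the researchers' code. It assumes the router exports
NetFlow/IPFIX-style records that have already been parsed into Flow objects;
every address, port and timestamp below is constructed (RFC 5737 TEST-NET space).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, seconds since epoch
    peer: str        # the external address on the far side of the router
    dport: int       # destination port: on the router for "in", on the peer for "out"
    proto: str       # "tcp" or "udp"
    pkts: int        # packets in the flow
    direction: str   # "in": peer -> router, "out": router -> peer


# Assumed baseline: services this router legitimately exposes
# (SSH, HTTPS management, IKE and IPsec NAT-T for its VPN gateway role).
KNOWN_SERVICES = {22, 443, 500, 4500}


def find_magic_then_callback(flows, window=60.0, max_trigger_pkts=2):
    """Return one alert per (trigger, callback) pair matching the J-Magic pattern.

    Trigger: an inbound flow of at most `max_trigger_pkts` packets to a port the
    router is not known to serve (a candidate magic packet; a closed port would
    normally just answer with RST/ICMP and nothing more).
    Callback: within `window` seconds, a TCP connection the router itself opens
    to that same peer (candidate confirmation exchange or reverse shell).
    Edge routers originate very little traffic, so the callback is the strong signal.
    """
    candidates = defaultdict(list)  # peer -> inbound trigger flows seen so far
    alerts = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.direction == "in" and f.dport not in KNOWN_SERVICES and f.pkts <= max_trigger_pkts:
            candidates[f.peer].append(f)
        elif f.direction == "out" and f.proto == "tcp":
            for trig in candidates.get(f.peer, []):
                delta = f.ts - trig.ts
                if 0 <= delta <= window:
                    alerts.append({
                        "peer": f.peer,
                        "trigger_port": trig.dport,
                        "callback_port": f.dport,
                        "delay_s": delta,
                    })
                    break  # one alert per callback is enough
    return alerts


# Constructed sample records: normal VPN and admin traffic, a stray scan that
# gets no answer, and one peer that sends a single packet to a closed port and
# is dialled back by the router twelve seconds later.
SAMPLE_FLOWS = [
    Flow(1000.0, "192.0.2.10", 4500, "udp", 840, "in"),    # IPsec NAT-T session
    Flow(1005.0, "192.0.2.10", 443, "tcp", 120, "in"),     # admin HTTPS
    Flow(1010.0, "198.51.100.99", 8080, "tcp", 1, "in"),   # scan, no callback
    Flow(1100.0, "198.51.100.7", 46000, "tcp", 1, "in"),   # single packet, closed port
    Flow(1112.0, "198.51.100.7", 443, "tcp", 35, "out"),   # router dials back
    Flow(1200.0, "192.0.2.53", 123, "udp", 2, "out"),      # router NTP, no trigger
]


if __name__ == "__main__":
    for a in find_magic_then_callback(SAMPLE_FLOWS):
        print(f"ALERT peer={a['peer']} trigger->{a['trigger_port']} "
              f"callback->{a['callback_port']} after {a['delay_s']:.0f}s")
```

Run against the constructed records, only the `198.51.100.7` pair fires; the scan to port 8080 and the router's own NTP query do not. The baseline set and the window are the two knobs to tune per device: the baseline should be generated from the router's actual configuration rather than typed by hand, and a long-lived implant may wait well beyond a minute between trigger and callback, so a second pass with a much larger window (hours) is worth keeping as a lower-confidence rule.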
Although the specific method of transmission into these routers remains unclear, many targeted devices are configured as virtual private network (VPN) gateways. Lumen’s analysis found that approximately half of the routers affected during the campaign functioned as VPN gateways.
The strategic focus of J-Magic on routers underscores a deliberate choice of stealth, given that routers are rarely monitored with security software. The malware specifically targets Junos OS, Juniper’s FreeBSD-based operating system.
Elements of this activity share some technical similarities with a previously reported malware family known as SeaSpy, a variant of cd00r that targeted another FreeBSD-based system, Barracuda Networks’ Email Security Gateway. However, Black Lotus Labs considers J-Magic its own independent campaign, as there is insufficient evidence to link the two.
The targeting has been sporadic, with the malware found in organizations in the semiconductor, energy, manufacturing, and IT verticals, among others. Geographically, the campaign shows a focus on Europe and South America, with researchers saying whoever is responsible for the campaign may be laying the groundwork for reconnaissance.
The J-Magic campaign underscores ongoing challenges in network security, especially concerning devices outside the consumer space like routers. This shift in focus from traditional endpoints to network infrastructure devices illustrates the evolving threat landscape, where attackers seek softer targets that might lack comprehensive protective measures.
“Typically, these devices are rarely power-cycled; malware tailored for routers is designed to take advantage of long uptime and live exclusively in-memory, allowing for low-detection and long-term access compared to malware that burrows into the firmware,” researchers wrote. “Routers on the edge of the corporate network or serving as the VPN gateway, as many did in this campaign, are the richest targets. This placement represents a crossroads, opening avenues to the rest of a corporate network.”