J-magic Campaign

The J-magic Campaign was active from mid-2023 to at least mid-2024 and featured the use of the J-magic backdoor, a custom cd00r variant tailored for use against Juniper routers. The J-magic Campaign targeted Junos OS routers serving as VPN gateways primarily in the semiconductor, energy, manufacturing, and IT sectors. [1]

ID: C0050
First Seen: June 2023 [1]
Last Seen: June 2024 [1]
Version: 1.0
Created: 18 February 2025
Last Modified: 19 February 2025

Techniques Used

Domain   ID   Name   Use

Enterprise   T1583.003   Acquire Infrastructure: Virtual Private Server

During the J-magic Campaign, threat actors acquired VPS for use in C2.[1]

Enterprise   T1587.003   Develop Capabilities: Digital Certificates

During the J-magic Campaign, threat actors used self-signed certificates on VPS C2 infrastructure.[1]

Enterprise   T1036.005   Masquerading: Match Legitimate Resource Name or Location

During the J-magic Campaign, threat actors used the name "JunoscriptService" to masquerade malware as the Junos automation scripting service.[1]

Enterprise   T1588.001   Obtain Capabilities: Malware

During the J-magic Campaign, threat actors used open-source malware post-compromise, including a custom variant of the cd00r backdoor.[1]

Software

ID   Name   Description

S1203   J-magic   [1]

References