{
  "name": "The J-Magic Show: Magic Packets and Where to find them",
  "slug": "the-j-magic-show-magic-packets-and-where-to-find-them",
  "description": "Black Lotus Labs has been tracking a backdoor attack targeting enterprise-grade Juniper routers. Dubbed J-magic, this campaign uses a passive agent that monitors for 'magic packets' in TCP traffic. Once activated, it establishes a reverse shell for device control and data theft. The campaign, active from mid-2023 to mid-2024, targeted semiconductors, energy, manufacturing, and IT sectors. The malware, a variant of cd00r, presents detection challenges and exploits routers' long uptime. Approximately 50% of targeted devices were configured as VPN gateways, potentially allowing access to organizations' networks. The campaign's use of open-source malware and specific targeting of JunoOS-based systems makes it a noteworthy threat to enterprise networks.",
  "published": "2025-01-23T20:03:14+00:00",
  "created_at": "2025-01-23T20:03:14+00:00",
  "modified_at": "2025-01-24T07:23:26+00:00",
  "created_at_opencti": "2025-01-23T20:03:14+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-01-23",
    "cd00r",
    "j-magic",
    "juniper routers"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "c7cf51499973908cbc4c746f689b6ed245b26b1a9eae62fe9329f3a1036e82f4"
      },
      {
        "id": "",
        "name": "957c0c135b50d1c209840ec7ead60912a5ccefd2873bf5722cb85354cea4eb37"
      },
      {
        "id": "",
        "name": "5e3c128749f7ae4616a4620e0b53c0e5381724a790bba8314acb502ce7334df2"
      },
      {
        "id": "",
        "name": "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:5a8d319d435a94f7",
        "name": "cd00r",
        "slug": "cd00r"
      },
      {
        "id": "1b91cac8-11c9-4697-a66e-5d1ad3a55fe0",
        "name": "J-magic",
        "slug": "j-magic"
      },
      {
        "id": "legacy:malware:5180ffbca8af2969",
        "name": "SeaSpy",
        "slug": "seaspy"
      }
    ],
    "attack_patterns": [
      {
        "id": "14ea0786-b57c-4a30-8e4e-46944d17eb18",
        "name": "T1036.004"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "1d80852d-cfe8-44b4-a7f9-b8b5a3bdf52b",
        "name": "T1543.004"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "7abb6e8c-d357-49ef-9244-017043055224",
        "name": "T1205"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "53c193a7-f726-4bd2-ae88-4019e2604adf",
        "name": "T1046"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "ccb28547-a340-4193-a5d9-69222f3d5051",
        "name": "T1049"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Venezuela, Bolivarian Republic of"
      },
      {
        "id": "",
        "name": "Chile"
      },
      {
        "id": "",
        "name": "Colombia"
      },
      {
        "id": "",
        "name": "Armenia"
      },
      {
        "id": "",
        "name": "Netherlands"
      },
      {
        "id": "",
        "name": "Norway"
      },
      {
        "id": "",
        "name": "Argentina"
      },
      {
        "id": "",
        "name": "Peru"
      },
      {
        "id": "",
        "name": "Indonesia"
      },
      {
        "id": "",
        "name": "Brazil"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Semiconductor"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Energy"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Manufacturing"
      }
    ]
  },
  "external_refs": [
    "https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/",
    "https://otx.alienvault.com/pulse/6792ae92c74604f7a4c94567"
  ]
}