C0050: J-magic Campaign
The J-magic Campaign was active from mid-2023 to at least mid-2024 and featured the use of the J-magic backdoor, a custom cd00r variant tailored for use against Juniper routers. The J-magic Campaign targeted Junos OS routers serving as VPN gateways primarily in the semiconductor, energy, manufacturing, and IT sectors. [1]
Analyst context for executives and security teams
The J-magic Campaign matters because it focused on Junos OS routers serving as VPN gateways, using the J-magic backdoor tailored for Juniper routers. For leaders, this is a reminder that perimeter network devices can become high-value persistence and access points, especially where they support remote access for critical business operations in sectors such as semiconductor, energy, manufacturing, and IT.
Executive priority
Prioritize assurance around externally exposed VPN gateway routers and network device monitoring. The business question is not only whether endpoint controls are mature, but whether router configuration integrity, certificate review, network telemetry, incident response access, and evidence retention are sufficient to investigate stealthy backdoor behavior on infrastructure that may sit outside normal EDR coverage.
Technical view
ATT&CK provides no campaign-specific detection text or tactics for C0050, but the relationship context points defenders toward Juniper/Junos VPN gateway routers, the J-magic software on Network Devices, and behavior involving magic-packet activation. SOC and IR teams should validate whether they can collect and review router configuration state, firmware/software integrity indicators, logs from VPN gateways, TCP traffic metadata to and from those devices, and external infrastructure context such as VPS-hosted sources or unusual TLS certificate use. The related techniques also suggest reviewing for resources named or placed to resemble legitimate items, acquired malware use, self-signed or suspicious certificates, and adversary-controlled VPS infrastructure, while avoiding assumptions that these indicators alone confirm this campaign.
Likely telemetry
- Junos OS router and VPN gateway system logs
- Router configuration backups and change history
- Network flow or packet metadata for TCP traffic involving VPN gateway routers
- Remote access and VPN authentication/session logs associated with the gateways
- TLS certificate observations for services communicating with or exposed by the devices
Detection direction
- Confirm whether network devices are included in SOC monitoring, not just servers and endpoints.
- Baseline normal TCP traffic patterns to VPN gateway routers and investigate unusual trigger-like or low-volume communications where local telemetry supports it.
- Review router-resident files, names, and locations for resources that approximate legitimate naming, consistent with the related masquerading technique, while accounting for vendor and administrator naming conventions.
- Tune detections around suspicious TLS certificates and VPS-originating access attempts as supporting context, not standalone proof of J-magic activity.
- Validate retention and accessibility of router logs and network flow data before an incident; lack of historical telemetry is a likely blind spot because ATT&CK provides no ready-made detection logic for this campaign.
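The second and fourth detection directions above can be turned into a first triage pass over flow metadata. The block below is an added example written for this page, not code from Glexia, MITRE or Black Lotus Labs: it baselines which (source, port) pairs normally reach each VPN gateway router, then flags tiny, never-established TCP contacts from sources outside that baseline, enriches them with VPS-hosting context as supporting evidence only, and notes whether a larger session from the same source followed shortly after. The gateway addresses, flow records, thresholds and the IP-to-ASN table are all constructed placeholders; a real deployment would read NetFlow/IPFIX or packet metadata and a real ASN source.

```python
"""Flow-metadata triage for VPN gateway routers (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds at flow start
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination TCP port
    packets: int   # packets observed in the flow
    bytes: int     # bytes observed in the flow


# Constructed: routers that act as VPN gateways in this environment.
GATEWAYS = {"203.0.113.10", "203.0.113.11"}
# Constructed placeholders: ASNs treated as VPS/hosting providers for enrichment.
VPS_ASNS = {64500, 64501}
# Constructed: toy IP -> ASN lookup standing in for a real enrichment feed.
IP_ASN = {"198.51.100.7": 64500, "192.0.2.44": 64496, "192.0.2.45": 64496}

# Constructed thresholds; tune them against local telemetry.
MAX_TRIGGER_PACKETS = 3   # a "trigger-like" contact is this small or smaller
MAX_TRIGGER_BYTES = 300
SCAN_PORTS = 5            # this many distinct ports from one source reads as a port sweep
FOLLOW_ON_SECS = 120      # look this far ahead for a larger session from the same source

# Constructed baseline window: normal VPN clients reaching the gateways.
HISTORY = [
    Flow(1000, "192.0.2.44", "203.0.113.10", 443, 40, 12000),
    Flow(1100, "192.0.2.45", "203.0.113.10", 443, 55, 20000),
    Flow(1200, "192.0.2.44", "203.0.113.11", 500, 12, 3000),
]

# Constructed review window: one known client, one tiny contact from a hosting
# range followed by a real session, one tiny contact from an unknown source,
# and a port sweep that should be left to scan detection rather than flagged here.
WINDOW = [
    Flow(5000, "192.0.2.44", "203.0.113.10", 443, 30, 9000),
    Flow(5010, "198.51.100.7", "203.0.113.10", 443, 1, 60),
    Flow(5040, "198.51.100.7", "203.0.113.10", 443, 80, 30000),
    Flow(5100, "192.0.2.99", "203.0.113.11", 22, 1, 60),
] + [Flow(5200 + i, "198.51.100.200", "203.0.113.11", p, 1, 60)
     for i, p in enumerate((21, 22, 23, 25, 80, 443))]


def build_baseline(history):
    """Map each gateway to the (src, dport) pairs seen during the baseline window."""
    peers = defaultdict(set)
    for f in history:
        if f.dst in GATEWAYS:
            peers[f.dst].add((f.src, f.dport))
    return peers


def is_trigger_like(f):
    """TCP contact with a gateway that is too small to be an established exchange."""
    return f.dst in GATEWAYS and f.packets <= MAX_TRIGGER_PACKETS and f.bytes <= MAX_TRIGGER_BYTES


def triage(baseline, window):
    """Return findings for new, trigger-like contacts with gateway routers."""
    ports_by_src = defaultdict(set)
    for f in window:
        if f.dst in GATEWAYS:
            ports_by_src[f.src].add(f.dport)

    findings = []
    for f in window:
        if not is_trigger_like(f):
            continue
        if (f.src, f.dport) in baseline.get(f.dst, set()):
            continue  # pair already seen in the baseline window; not new
        if len(ports_by_src[f.src]) >= SCAN_PORTS:
            continue  # broad sweep; handled by scan detection, not this check
        follow_on = any(
            g.src == f.src and g.dst == f.dst and not is_trigger_like(g)
            and 0 < g.ts - f.ts <= FOLLOW_ON_SECS
            for g in window
        )
        vps = IP_ASN.get(f.src) in VPS_ASNS
        findings.append({
            "gateway": f.dst, "src": f.src, "dport": f.dport,
            "packets": f.packets, "bytes": f.bytes,
            "follow_on_session": follow_on,   # larger session soon after the contact
            "vps_context": vps,               # supporting context, not proof
            "severity": "review" if follow_on else ("context" if vps else "low"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(build_baseline(HISTORY), WINDOW):
        print(finding)
```

The scan exclusion matters in practice: a single-packet contact is also what every port sweep against the gateway looks like, so without it this check would re-alert on noise that scan detection already covers. The VPS and follow-on fields only raise priority; the page's own caveat applies, and neither confirms J-magic activity on its own.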
Mitigation priorities
- Inventory Juniper/Junos routers that serve as VPN gateways and confirm ownership, exposure, and business criticality.
- Harden administrative access and change-control processes for network devices, including review of configuration drift and unauthorized changes.
- Ensure network device logging, flow collection, and time synchronization are enabled and retained for incident response.
- Include router compromise scenarios in incident response playbooks, with procedures for evidence preservation and safe device validation.
- Review certificate management and external-facing service exposure for VPN gateway infrastructure.
Analyst notes and limits
C0050 is a campaign entry describing activity from mid-2023 to at least mid-2024 involving the J-magic backdoor against Juniper routers running Junos OS as VPN gateways. Relationship context links the campaign to J-magic software and resource-development or stealth techniques, but ATT&CK does not provide campaign tactics, platforms, or detection guidance on the campaign object itself.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish attribution, current activity, customer exposure, or guaranteed detection coverage. Local asset inventory, router telemetry, network traffic history, and device forensics are required to determine relevance in a specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1583.003 | Virtual Private Server | During the J-magic Campaign, threat actors acquired VPS for use in C2. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | During the J-magic Campaign, threat actors used the name “JunoscriptService” to masquerade malware as the Junos automation scripting service. [1] |
| Enterprise | T1588.001 | Malware | During the J-magic Campaign, threat actors used open-source malware post-compromise, including a custom variant of the cd00r backdoor. [1] |
| Enterprise | T1587.003 | Digital Certificates | During the J-magic Campaign, threat actors used self-signed certificates on VPS C2 infrastructure. [1] |
Groups, software, and campaigns
S1203: J-magic
J-magic is a custom variant of the cd00r backdoor tailored to target Juniper routers that was first observed during the J-magic Campaign in mid-2023. J-magic monitors TCP traffic for five predefined parameters or "magic packets" to be sent by the attackers before activating on compromised devices. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 46dc993752e7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Lumen J-Magic JAN 2025: Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025.
- [2] mitre-attack C0050
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.