S1203: J-magic
J-magic is a custom variant of the cd00r backdoor tailored to target Juniper routers that was first observed during the J-magic Campaign in mid-2023. J-magic monitors TCP traffic for five predefined parameters or "magic packets" to be sent by the attackers before activating on compromised devices.[1]
Analyst context for executives and security teams
J-magic matters because it is backdoor malware built for Juniper routers, including devices that may serve as VPN gateways. Its “magic packet” activation model means a compromised router may appear quiet until specific TCP traffic triggers functionality, which can make perimeter-device compromise harder to notice with ordinary endpoint-centric monitoring.
Executive priority
Treat this as a network-device resilience and visibility issue, not only a malware issue. Leaders should confirm whether Juniper/Junos OS routers, especially VPN gateway roles, are included in asset inventory, logging scope, incident response playbooks, and audit evidence. The relationship to the J-magic Campaign highlights relevance to sectors such as semiconductor, energy, manufacturing, and IT, but local exposure depends on the organization’s own router footprint and telemetry.
Technical view
SOC and IR teams should validate coverage for Network Devices and the related behaviors ATT&CK associates with J-magic: network configuration discovery, network sniffing, Unix shell execution, command history clearing, non-application-layer C2, traffic signaling, asymmetric cryptography, and masquerading via legitimate-looking names or locations. Because ATT&CK provides no official detection text for S1203, detection engineering should focus on router-side logs, configuration integrity, process/file review where available, and network traffic patterns consistent with unusual TCP signaling or non-standard C2 behavior.
Likely telemetry
- Network device inventory and role data for Juniper/Junos OS routers and VPN gateways
- Router authentication, administrative command, shell, and configuration-change logs where available
- Network flow, packet metadata, or sensor evidence for unusual TCP traffic and traffic-signaling patterns
- Evidence of interfaces or processes involved in traffic monitoring/sniffing on network devices
- File, process, and path/name integrity data from network devices where supported
Detection direction
- Confirm that network devices are monitored as first-class assets; endpoint-only EDR coverage will not address the stated Network Devices platform.
- Hunt for relationship-driven behaviors rather than relying on a named-malware signature: traffic signaling, non-application-layer communication, network sniffing, shell execution, and suspicious configuration discovery.
- Tune for false positives from legitimate router administration, troubleshooting, packet capture, and VPN operations by baselining approved admin sources, maintenance windows, and expected diagnostic commands.
- Review whether encrypted or asymmetric C2-like traffic from routers can be investigated with metadata, flow records, and destination context, since payload inspection may be limited.
- Use the J-magic Campaign relationship as prioritization context for Juniper/Junos OS VPN gateways, while avoiding assumptions of compromise without local evidence.
Mitigation priorities
- Prioritize complete inventory and ownership for Juniper/Junos OS routers, especially VPN gateway deployments.
- Ensure router administrative access is tightly controlled, logged, and reviewed, with incident response procedures that include network-device acquisition and configuration validation.
- Centralize and retain network-device logs and network flow metadata long enough to support investigations of low-noise, trigger-based backdoor behavior.
- Validate configuration and file integrity monitoring options for supported network devices, including review for legitimate-looking names or locations used to hide malicious resources.
- Prepare containment procedures for suspected router compromise, including traffic isolation, credential review, configuration recovery, and vendor-supported rebuild or remediation paths.
Analyst notes and limits
The supplied ATT&CK object identifies J-magic as a custom cd00r variant tailored to Juniper routers and linked to a campaign targeting Junos OS routers serving as VPN gateways. The most decision-useful point is that trigger-based activation and router placement can create blind spots in organizations that focus detection and IR readiness on servers and endpoints.
ATT&CK provides no official detection guidance for S1203, no aliases, and no malware-level tactics. This take is therefore derived from the official description, external reference metadata, and stated relationships to techniques and the J-magic Campaign. Local asset data, router logging capability, and network telemetry are required to assess actual exposure or coverage.
J-magic
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | J-magic can rename itself as “[nfsiod 0]” to masquerade as the local Network File System (NFS) asynchronous I/O server.[1] |
| Enterprise | T1070.003 | Clear Command History | J-magic can overwrite previously executed command line arguments.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | J-magic can monitor incoming C2 communications sent over TCP to the compromised host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | J-magic can compare the host and remote IPs to check if a received packet is from the infected machine.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | J-magic can communicate back to send a challenge to C2 infrastructure over SSL.[1] |
| Enterprise | T1205 | Traffic Signaling | J-magic can monitor TCP traffic for packets containing one of five different predefined parameters and will spawn a reverse shell if one of the parameters and the proper response string to a subsequent challenge is received.[1] |
| Enterprise | T1040 | Network Sniffing | J-magic has a pcap listener function that can create an Extended Berkeley Packet Filter (eBPF) on designated interfaces and ports.[1] |
| Enterprise | T1059.004 | Unix Shell | The J-magic agent is executed through a command line argument which specifies an interface and listening port.[1] |
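The Detection direction bullets above recommend hunting for the behaviour sequence rather than a malware signature, and the T1205 and T1095 rows describe that sequence from the router's side: an unsolicited inbound TCP packet reaches the device, and a short time later the device itself opens an outbound TCP session (challenge and reverse shell). The script below is an added example written for this page, not code from MITRE, Lumen, or Glexia. It correlates those two events in constructed flow records: an inbound TCP flow to an inventoried router from a non-approved source on a port the router is not expected to serve, followed within a window by a router-initiated TCP session to a destination that is not an approved VPN peer or admin host. The router address, admin source, expected ports, approved peer and the flow lines are all constructed placeholders; the magic-packet parameters themselves are not modelled, since the point is the sequence, which flow metadata can expose even when payload inspection is not possible.

```python
"""Correlate unsolicited inbound TCP to a router with a router-initiated
outbound TCP session shortly afterwards, over constructed flow records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Constructed baselines; in practice these come from asset inventory and
# the approved-admin / VPN-peer lists the Detection direction bullets call for.
ROUTERS = {"10.0.0.1"}                          # hypothetical Junos VPN gateway
APPROVED_ADMIN_SOURCES = {"10.10.10.5"}         # hypothetical jump host
EXPECTED_SERVICE_PORTS = {22, 443, 500, 4500}   # management and IPsec on the gateway
APPROVED_PEERS = {"198.51.100.2"}               # hypothetical VPN peer the router may dial
WINDOW = timedelta(seconds=300)                 # probe-to-callback window to correlate


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV record: ts,src,sport,dst,dport,proto,bytes."""
    ts, src, sport, dst, dport, proto, nbytes = line.strip().split(",")
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Flow(when, src, int(sport), dst, int(dport), proto.lower(), int(nbytes))


def is_unsolicited_inbound(f: Flow) -> bool:
    """TCP to a router, from a non-admin source, on a port the router should not serve."""
    return (f.proto == "tcp" and f.dst in ROUTERS
            and f.src not in APPROVED_ADMIN_SOURCES
            and f.dport not in EXPECTED_SERVICE_PORTS)


def is_unexpected_outbound(f: Flow) -> bool:
    """TCP initiated by a router to something other than an approved peer or admin host."""
    return (f.proto == "tcp" and f.src in ROUTERS
            and f.dst not in APPROVED_PEERS
            and f.dst not in APPROVED_ADMIN_SOURCES)


def correlate(flows: Iterable[Flow]) -> list:
    """Return one alert per (probe, callback) pair where the callback leaves the
    probed router within WINDOW of the probe. A probe with no callback is left
    for ordinary scan triage rather than alerted on."""
    ordered = sorted(flows, key=lambda f: f.ts)
    alerts = []
    for i, probe in enumerate(ordered):
        if not is_unsolicited_inbound(probe):
            continue
        for follow in ordered[i + 1:]:
            if follow.ts - probe.ts > WINDOW:
                break
            if follow.src == probe.dst and is_unexpected_outbound(follow):
                alerts.append({
                    "router": probe.dst,
                    "probe_src": probe.src,
                    "probe_dport": probe.dport,
                    "callback_dst": follow.dst,
                    "callback_dport": follow.dport,
                    "delay_s": int((follow.ts - probe.ts).total_seconds()),
                    # Same host is a stronger signal, but C2 may live elsewhere.
                    "same_host": follow.dst == probe.src,
                })
    return alerts


def analyze(lines: Iterable[str]) -> list:
    return correlate(parse_flow(l) for l in lines if l.strip())


# Constructed sample: admin SSH, a 60-byte probe to an unexpected port followed
# by a router-initiated TLS session back to the prober, benign IKE to a peer,
# and a lone probe with no callback.
SAMPLE_FLOWS = """\
2025-01-23T10:00:01Z,10.10.10.5,51000,10.0.0.1,22,tcp,4200
2025-01-23T10:05:00Z,203.0.113.7,40001,10.0.0.1,8443,tcp,60
2025-01-23T10:05:04Z,10.0.0.1,49152,203.0.113.7,443,tcp,1800
2025-01-23T10:30:00Z,10.0.0.1,500,198.51.100.2,500,udp,3000
2025-01-23T11:00:00Z,192.0.2.9,33000,10.0.0.1,8080,tcp,60
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

Tune the baselines first: the approved-admin and expected-port sets are what keep legitimate administration, diagnostics and VPN negotiation out of the alert stream, and a router that legitimately initiates sessions (NTP, syslog, RADIUS) needs those destinations in the approved set or the rule will fire on normal operation.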
Groups, software, and campaigns
C0050: J-magic Campaign
The J-magic Campaign was active from mid-2023 to at least mid-2024 and featured the use of the J-magic backdoor, a custom cd00r variant tailored for use against Juniper routers. The J-magic Campaign targeted Junos OS routers serving as VPN gateways primarily in the semiconductor, energy, manufacturing, and IT sectors.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6bf6dac897fa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lumen J-Magic JAN 2025: Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025.
[2] mitre-attack: S1203.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.