C0050 J-magic Campaign
The J-magic Campaign was active from mid-2023 to at least mid-2024 and featured the use of the J-magic backdoor, a custom cd00r variant tailored for use against Juniper routers. The J-magic Campaign targeted Junos OS routers serving as VPN gateways primarily in the semiconductor, energy, manufacturing, and IT sectors. [1]
| Item | Value |
|---|---|
| ID | C0050 |
| Associated Names | |
| First Seen | June 2023 |
| Last Seen | June 2024 |
| Version | 1.0 |
| Created | 18 February 2025 |
| Last Modified | 19 February 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.003 | Virtual Private Server | During the J-magic Campaign, threat actors acquired VPS for use in C2. [1] |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.003 | Digital Certificates | During the J-magic Campaign, threat actors used self-signed certificates on VPS C2 infrastructure. [1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | During the J-magic Campaign, threat actors used the name “JunoscriptService” to masquerade malware as the Junos automation scripting service. [1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.001 | Malware | During the J-magic Campaign, threat actors used open-source malware post-compromise, including a custom variant of the cd00r backdoor. [1] |
Software
| ID | Name | Description |
|---|---|---|
| S1203 | J-magic | [1] |