Security experts have identified a new strain of malware named J-Magic targeting various industries, including semiconductor, energy, manufacturing, and IT. The Black Lotus Team at Lumen Technologies discovered that threat actors have repurposed cd00r, a stealthy backdoor Trojan, into J-Magic, which is designed to infiltrate Juniper routers serving as VPN gateways. The malware remains dormant until it is activated by a specific “magic” TCP packet, after which attackers can establish control and potentially steal data. The campaign began in September 2023 and continued until mid-2024. It shows similarities to the earlier malware SeaSpy2, which also scans for magic packets. Although the link between the two campaigns is not definitive, both pose serious cybersecurity threats. The origins of the threat actors remain unknown, but there are technical indicators linking the activities to previous cyber incidents. To bolster their cybersecurity defenses, organizations should stay vigilant and update their security protocols continuously.