RoadK1ll Implant Enables Stealthy Network Pivoting Through WebSocket Tunnels

Security researchers have uncovered a new malicious implant called RoadK1ll that allows threat actors to pivot from compromised machines to internal network systems using WebSocket-based communication. Discovered by Blackpoint during incident response, this lightweight Node.js tool functions as a reverse tunneling implant that converts infected hosts into controllable relay points. The malware establishes outbound WebSocket connections to attacker infrastructure, bypassing perimeter controls by inheriting the compromised machine's network trust.

RoadK1ll supports a limited command set including CONNECT for initiating TCP connections to internal targets, DATA for forwarding traffic, and CLOSE for terminating active sessions. Multiple concurrent connections can operate through a single tunnel, enabling simultaneous access to various internal destinations. If communication is interrupted, the implant automatically attempts to restore the WebSocket connection without requiring manual intervention.

Unlike traditional malware, RoadK1ll lacks conventional persistence mechanisms such as registry keys or scheduled tasks, operating only while its process remains active. The implant's design allows attackers to reach internal systems and network segments that would otherwise be inaccessible from outside the perimeter. Blackpoint characterizes the tool as a modern, purpose-built implementation of covert communication that prioritizes flexibility and stealth over persistence. The researchers have released host-based indicators including file hashes and associated IP addresses to aid detection efforts.
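The behaviour described above (one long-lived outbound WebSocket connection from a Node.js process, with many short internal TCP connections from that same process while it stays open) gives defenders a correlation to hunt for in process-attributed network telemetry. The detector below is an added example, not code from Blackpoint or from the report; the record shape, the sample connections, and the thresholds (a tunnel lives at least 600 seconds, at least three distinct internal destinations) are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# RFC 1918 only: ipaddress.is_private would also match the documentation
# ranges (203.0.113.0/24 etc.) used as stand-in external addresses below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Conn:
    ts: float        # connection start, epoch seconds
    host: str        # originating host
    process: str     # originating process image
    dst: str         # destination IP
    dport: int
    duration: float  # seconds the connection stayed open

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_pivot_candidates(conns, min_tunnel_secs=600, min_internal_dsts=3):
    """Flag a (host, process) holding one long outbound connection while fanning out internally."""
    by_proc = defaultdict(list)
    for c in conns:
        by_proc[(c.host, c.process)].append(c)
    findings = []
    for (host, proc), cs in by_proc.items():
        for t in cs:
            if is_internal(t.dst) or t.duration < min_tunnel_secs:
                continue  # not a candidate tunnel
            # internal connections opened by the same process during the tunnel's lifetime
            fanout = {c.dst for c in cs
                      if is_internal(c.dst) and t.ts <= c.ts <= t.ts + t.duration}
            if len(fanout) >= min_internal_dsts:
                findings.append({"host": host, "process": proc,
                                 "tunnel": f"{t.dst}:{t.dport}",
                                 "internal_targets": sorted(fanout)})
    return findings

# Constructed sample telemetry, not taken from the report.
SAMPLE = [
    Conn(1000, "ws-017", "node.exe", "203.0.113.10", 443, 3600),   # long-lived outbound
    Conn(1100, "ws-017", "node.exe", "10.0.0.5", 445, 12),
    Conn(1150, "ws-017", "node.exe", "10.0.0.8", 3389, 900),
    Conn(1300, "ws-017", "node.exe", "10.0.1.20", 22, 40),
    Conn(1320, "ws-017", "node.exe", "10.0.1.20", 80, 3),
    Conn(1000, "ws-017", "chrome.exe", "198.51.100.7", 443, 7200),  # browser: no fan-out
    Conn(2000, "ws-022", "node.exe", "203.0.113.10", 443, 15),      # short-lived: not a tunnel
    Conn(2010, "ws-022", "node.exe", "10.0.0.5", 445, 5),
]
```

Because the implant has no persistence and is only reachable while its process lives, the finding should be acted on while the tunnel connection is still open; the reported file hashes and IP addresses can then confirm the match on the host.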
