
New RoadK1ll WebSocket implant used to pivot through compromised networks

A newly identified malicious implant called RoadK1ll lets attackers pivot silently from a compromised host to other systems on the network.

The malware is written in Node.js and talks to its operator over a custom WebSocket-based protocol to maintain persistent attacker access and enable additional functions.

RoadK1ll was discovered by managed detection and response (MDR) provider Blackpoint during an incident response engagement.

The researchers describe it as a lightweight reverse-tunneling implant that blends in with normal network activity and turns the infected machine into a pivot point for the attacker.

“Its sole function is to turn a single vulnerable machine into a controllable relay, an access extender, where the operator can turn to internal systems, services, and network components that would otherwise be inaccessible without the perimeter,” Blackpoint said.

RoadK1ll does not rely on an inbound listener on the compromised host. Instead, it establishes an outbound WebSocket connection to attacker-controlled infrastructure, which is then used as a tunnel to forward TCP traffic on demand.

Because the connection is outbound and blends in with ordinary traffic, this approach lets an attacker stay under the radar for longer while forwarding traffic to internal systems through a single WebSocket tunnel.

“An attacker can instruct RoadK1ll to open connections to internal services, administrative links, or other hosts that are not directly exposed externally,” Blackpoint said.

“Because these links originate from a compromised machine, they inherit the network’s trust and position, effectively bypassing perimeter controls.”

In addition, RoadK1ll multiplexes several connections over the same tunnel at once, so its operator can reach multiple internal destinations simultaneously.

According to the researchers, the malware supports a small set of commands, including:

  • CONNECT – Instructs the implant to open a TCP connection to a specified host and port
  • DATA – Forwards raw traffic over an active connection
  • CONNECTED – Confirms that the requested connection was established successfully
  • CLOSE – Terminates an active connection
  • ERROR – Returns failure information to the operator

The CONNECT command triggers RoadK1ll’s core function: initiating an outbound TCP connection to an internal target, thereby extending the attacker’s reach into the compromised network.
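To make the command set and the multiplexing concrete, here is an added in-memory model of the relay exchange, written for this article and not taken from the RoadK1ll sample or Blackpoint's report. The JSON frame layout, the field names, the `Implant`/`Operator` classes and the fake internal network (`fakeDial`, host 10.0.0.5) are assumptions for the illustration; both tunnel ends are wired together directly so the exchange runs offline.

```javascript
// Added example, not RoadK1ll's code: an in-memory model of the multiplexed
// relay protocol (CONNECT / CONNECTED / DATA / CLOSE / ERROR). Frame layout,
// field names and the fake internal network are assumptions.

// One JSON frame per message; `id` tags the TCP connection a frame belongs to,
// which is what lets many connections share the single tunnel.
function frame(cmd, id, extra = {}) {
  return JSON.stringify({ cmd, id, ...extra });
}

// Implant side: holds the table of open connections and executes commands.
// `send` pushes a frame toward the operator; `dial` opens a TCP connection from
// the implant's own network position (net.connect in a real relay, injected here).
class Implant {
  constructor(send, dial) {
    this.send = send;
    this.dial = dial;
    this.streams = new Map(); // id -> open stream
  }
  handle(text) {
    const f = JSON.parse(text);
    const stream = this.streams.get(f.id);
    switch (f.cmd) {
      case "CONNECT": {
        if (stream) return this.send(frame("ERROR", f.id, { error: "id in use" }));
        try {
          const s = this.dial(f.host, f.port, {
            onData: (buf) => this.send(frame("DATA", f.id, { data: buf.toString("base64") })),
            onClose: () => { this.streams.delete(f.id); this.send(frame("CLOSE", f.id)); },
          });
          this.streams.set(f.id, s);
          this.send(frame("CONNECTED", f.id));
        } catch (e) {
          this.send(frame("ERROR", f.id, { error: e.message })); // e.g. refused connection
        }
        return;
      }
      case "DATA":
        if (!stream) return this.send(frame("ERROR", f.id, { error: "no such connection" }));
        return stream.write(Buffer.from(f.data, "base64"));
      case "CLOSE":
        if (stream) { this.streams.delete(f.id); stream.end(); }
        return;
      default:
        return this.send(frame("ERROR", f.id, { error: `unknown command ${f.cmd}` }));
    }
  }
}

// Operator side: allocates connection ids and tracks each connection's state.
class Operator {
  constructor() {
    this.nextId = 1;
    this.conns = new Map(); // id -> { host, port, state, received, error }
    this.send = null;       // attached when the tunnel is wired up
  }
  connect(host, port) {
    const id = this.nextId++;
    this.conns.set(id, { host, port, state: "connecting", received: [], error: null });
    this.send(frame("CONNECT", id, { host, port }));
    return id;
  }
  write(id, text) { this.send(frame("DATA", id, { data: Buffer.from(text).toString("base64") })); }
  close(id) { this.conns.get(id).state = "closed"; this.send(frame("CLOSE", id)); }
  handle(text) {
    const f = JSON.parse(text);
    const c = this.conns.get(f.id);
    if (!c) return;
    if (f.cmd === "CONNECTED") c.state = "open";
    else if (f.cmd === "DATA") c.received.push(Buffer.from(f.data, "base64").toString());
    else if (f.cmd === "CLOSE") c.state = "closed";
    else if (f.cmd === "ERROR") { c.state = "error"; c.error = f.error; }
  }
}

// Constructed stand-in for the implant's internal network: one reachable service
// that echoes input in upper case; every other host:port is refused.
function fakeDial(host, port, { onData, onClose }) {
  if (host !== "10.0.0.5" || port !== 8080) throw new Error(`ECONNREFUSED ${host}:${port}`);
  return {
    write: (buf) => onData(Buffer.from(buf.toString().toUpperCase())),
    end: () => onClose(),
  };
}

// Wire both ends over an in-memory "WebSocket" and run one session: a connection
// to a reachable host and one to an unreachable host, multiplexed on one channel.
function runSession() {
  const operator = new Operator();
  const implant = new Implant((t) => operator.handle(t), fakeDial);
  operator.send = (t) => implant.handle(t);
  const a = operator.connect("10.0.0.5", 8080);
  const b = operator.connect("10.0.0.9", 22);
  operator.write(a, "hello relay");
  operator.close(a);
  return { a: operator.conns.get(a), b: operator.conns.get(b) };
}
```

Running `runSession()` leaves connection `a` closed with the response "HELLO RELAY" received and connection `b` in the error state with the refusal message, which is the CONNECTED/DATA/CLOSE path and the ERROR path side by side. A real implant would replace `fakeDial` with `net.connect` and carry frames over a WebSocket client; the framing and state tracking stay the same.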

Pivoting to accessible systems (Source: Blackpoint)

If the channel is interrupted, the tool attempts to restore the WebSocket tunnel through a built-in reconnection routine, which lets attackers keep persistent access without the noise that manual intervention would generate.

Reconnection logic (Source: Blackpoint)

However, Blackpoint notes that RoadK1ll has no conventional persistence mechanism such as registry keys, scheduled tasks, or services. It runs only as long as its process is alive, so terminating the process severs the attacker's access until the implant is launched again.

Even so, the researchers say the malware “shows a sophisticated and purpose-built implementation” of custom communication that makes it flexible, efficient, and easy to operate.

It also lets a threat actor pivot into internal systems and parts of the environment that are not reachable from outside the network.

Blackpoint provides a small set of host-based indicators of compromise, including the hash of the RoadK1ll sample and the IP address the threat actor used to communicate with the implant.
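Hash and IP indicators only catch this particular sample and infrastructure. The behaviour described above, one long-lived outbound connection from a host followed by that host fanning out to internal services while the tunnel is up, is what a hunt can look for regardless of indicators. The following is an added heuristic written for this article, not detection content from Blackpoint; the flow-record layout, the thresholds (`minTunnelSeconds`, `minFanOut`), the `knownBadIps` option and the sample flows (documentation addresses in 203.0.113.0/24, private hosts in 10.0.0.0/8) are all constructed assumptions.

```javascript
// Added example, not from Blackpoint's report: a heuristic hunt over flow
// records for the relay pattern, i.e. a long-lived outbound tunnel from a host
// plus fan-out from that host to many internal services while the tunnel is up.
// Record layout, thresholds and sample data are constructed for this illustration.

function isRfc1918(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Constructed flow records: ts is epoch seconds, duration is seconds.
const SAMPLE_FLOWS = [
  { ts: 1000, src: "10.0.1.20", dst: "203.0.113.7", dport: 443, duration: 7200 }, // the tunnel
  { ts: 1100, src: "10.0.1.20", dst: "10.0.0.5", dport: 445, duration: 3 },
  { ts: 1110, src: "10.0.1.20", dst: "10.0.0.6", dport: 445, duration: 2 },
  { ts: 1120, src: "10.0.1.20", dst: "10.0.0.7", dport: 3389, duration: 600 },
  { ts: 1130, src: "10.0.1.20", dst: "10.0.0.8", dport: 22, duration: 5 },
  { ts: 1140, src: "10.0.1.20", dst: "10.0.0.9", dport: 1433, duration: 40 },
  { ts: 9000, src: "10.0.1.20", dst: "10.0.0.50", dport: 80, duration: 1 },   // after tunnel ended
  { ts: 1000, src: "10.0.1.30", dst: "203.0.113.9", dport: 443, duration: 7000 }, // long session, no fan-out
  { ts: 1200, src: "10.0.1.30", dst: "10.0.0.5", dport: 445, duration: 3 },
];

// Returns one finding per suspicious tunnel. A tunnel is flagged when the same
// host reached at least minFanOut distinct internal host:port pairs during the
// tunnel's lifetime, or when the tunnel endpoint is a known-bad IP (IoC match).
function findRelayCandidates(flows, opts = {}) {
  const { minTunnelSeconds = 3600, minFanOut = 5, knownBadIps = new Set() } = opts;
  const findings = [];
  for (const t of flows) {
    if (isRfc1918(t.dst) || t.duration < minTunnelSeconds) continue; // not a candidate tunnel
    const end = t.ts + t.duration;
    const targets = new Set();
    for (const r of flows) {
      if (r.src !== t.src || !isRfc1918(r.dst)) continue;
      if (r.ts < t.ts || r.ts > end) continue; // only count flows while the tunnel is up
      targets.add(`${r.dst}:${r.dport}`);
    }
    const iocHit = knownBadIps.has(t.dst);
    if (targets.size >= minFanOut || iocHit) {
      findings.push({
        host: t.src,
        tunnel: `${t.dst}:${t.dport}`,
        reason: iocHit ? "ioc-match" : "fan-out",
        fanOut: targets.size,
        targets: [...targets].sort(),
      });
    }
  }
  return findings;
}
```

On the sample data only 10.0.1.20 is flagged: its five internal targets fall inside the tunnel window, while the later flow to 10.0.0.50 is outside it and does not count, and 10.0.1.30 has a long session but no fan-out. Passing the published IoC address in `knownBadIps` flags that host too, even with low fan-out. The fan-out count only works where flow logging covers east-west traffic, and long-lived outbound TLS sessions are common (VPNs, conferencing, message queues), so the thresholds need tuning against a baseline before alerting on them.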

