RoadK1ll is a newly identified Node.js implant that establishes an outbound WebSocket-based reverse tunnel to convert a compromised host into a relay for lateral movement. Discovered by MDR provider Blackpoint, it forwards TCP traffic on demand using simple commands, supports multiple concurrent connections and reconnection, and lacks traditional persistence. #RoadK1ll #Blackpoint
Key points
- RoadK1ll is a lightweight Node.js reverse-tunneling implant that uses a custom WebSocket protocol.
- It creates an outbound connection to attacker-controlled infrastructure, avoiding inbound listeners on the host.
- The implant forwards TCP traffic on demand, enabling pivoting to internal services that inherit the compromised host's trust.
- RoadK1ll supports multiple concurrent connections over a single tunnel and includes an automatic reconnection mechanism.
- Blackpoint discovered the implant during an incident response engagement and published limited host-based IOCs including a hash and an operator IP.
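As an added detection example (not Blackpoint's code and not derived from the implant itself), the script below hunts for the behaviour the summary describes: a script interpreter such as Node.js making repeated outbound WebSocket upgrades to the same non-allowlisted endpoint. The log format, process names, destinations and allowlist are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample egress-proxy log lines (not real telemetry): one line per
# outbound HTTP request, with the requesting process and the Upgrade header.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=WS01 proc=chrome.exe dst=example.com:443 upgrade=- dur=2
2024-05-01T10:00:05Z host=WS01 proc=node.exe dst=203.0.113.10:8443 upgrade=websocket dur=3600
2024-05-01T11:00:09Z host=WS01 proc=node.exe dst=203.0.113.10:8443 upgrade=websocket dur=1800
2024-05-01T11:30:12Z host=WS01 proc=node.exe dst=203.0.113.10:8443 upgrade=websocket dur=900
2024-05-01T10:02:00Z host=WS02 proc=slack.exe dst=wss-primary.slack.com:443 upgrade=websocket dur=7200
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"upgrade=(?P<upgrade>\S+) dur=(?P<dur>\d+)"
)

# Interpreters a Node.js implant would run under (assumed names); a WebSocket
# upgrade from one of these to a non-allowlisted destination is worth a look.
SCRIPT_HOSTS = {"node.exe", "node"}
ALLOWED_DESTS = {"wss-primary.slack.com:443"}  # constructed allowlist


def parse_log(text):
    """Parse the constructed log format into a list of dicts, skipping bad lines."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def find_suspicious_tunnels(records, min_upgrades=2):
    """Return {(host, proc, dst): count} for WebSocket upgrades made by a script
    interpreter to a destination outside the allowlist, keeping only tuples seen
    at least `min_upgrades` times: an implant's automatic reconnection produces
    repeated upgrades to the same endpoint, which is the pattern flagged here."""
    counts = defaultdict(int)
    for r in records:
        if r["upgrade"].lower() != "websocket":
            continue
        if r["proc"] not in SCRIPT_HOSTS or r["dst"] in ALLOWED_DESTS:
            continue
        counts[(r["host"], r["proc"], r["dst"])] += 1
    return {k: v for k, v in counts.items() if v >= min_upgrades}


if __name__ == "__main__":
    for (host, proc, dst), n in find_suspicious_tunnels(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {proc} -> {dst} ({n} WebSocket upgrades)")
```

Real deployments would swap the constructed log parser for the proxy or EDR network telemetry actually available, and add duration thresholds since the tunnel stays up for as long as the operator needs it.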