CyberHappenings

RoadK1ll WebSocket implant observed pivoting within breached networks via outbound-only tunneling

1 source, 1 article

Summary


A recently identified Node.js-based implant named RoadK1ll is being used to establish covert WebSocket tunnels for lateral movement inside compromised networks. It is a lightweight reverse tunneling tool: a single infected host becomes a relay through which the attacker reaches internal systems that are not exposed at the perimeter. The implant opens an outbound WebSocket connection to attacker-controlled infrastructure and relays TCP traffic over it on demand, so it needs no inbound listener that a port scan or firewall log would reveal. It multiplexes several TCP sessions over the one tunnel, drives them with a small set of control messages, and reconnects automatically if the tunnel drops, which gives the attacker durable, low-noise access even though the implant installs no conventional persistence mechanism. Researchers link observed use of RoadK1ll to recent incident response engagements, where it extended attacker dwell time and enabled pivoting into sensitive network segments.
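To make the mechanism concrete, here is an added example written for this page (it is not RoadK1ll's code and not taken from the reporting source), modelling a multiplexed reverse tunnel in JavaScript, the language of the Node.js implant. The message types CONNECT, CONNECTED, DATA, CLOSE and ERROR are the ones listed under Information Snippets; the JSON framing, the `id`/`host`/`port`/`data`/`reason` fields, the `Relay` and `makeDial` names and the simulated internal services are assumptions. It shows the property that matters for defenders: the relay never listens, so every session begins as a CONNECT arriving on the connection the implant itself dialled out, and several sessions share that single connection.

```javascript
'use strict';
// Added example, not RoadK1ll's code: an in-memory model of a multiplexed
// reverse tunnel of the kind the page describes. The message type names come
// from the page; the JSON framing, field names and the simulated internal
// services are assumptions made for this example.

const TYPES = new Set(['CONNECT', 'CONNECTED', 'DATA', 'CLOSE', 'ERROR']);

// One tunnel frame carries one JSON message; `id` tells the two ends which
// TCP session the frame belongs to, so many sessions share one WebSocket.
function encode(msg) {
  if (!TYPES.has(msg.type)) throw new Error(`unknown type ${msg.type}`);
  return JSON.stringify(msg);
}

function decode(frame) {
  const msg = JSON.parse(frame);
  if (!TYPES.has(msg.type) || !Number.isInteger(msg.id)) throw new Error('malformed frame');
  return msg;
}

// Implant side. It opens nothing inbound: every session starts with a CONNECT
// that arrives over the tunnel the implant itself dialled out.
class Relay {
  constructor(sendToOperator, dial) {
    this.send = sendToOperator;  // writes a frame up the tunnel
    this.dial = dial;            // opens a TCP session to an internal target
    this.sessions = new Map();   // session id -> socket-like object
  }

  handle(frame) {
    const msg = decode(frame);
    const fail = (reason) => this.send(encode({ type: 'ERROR', id: msg.id, reason }));
    switch (msg.type) {
      case 'CONNECT': {
        if (this.sessions.has(msg.id)) return fail('duplicate session id');
        let sock;
        try {
          sock = this.dial(msg.host, msg.port,
            (data) => this.send(encode({ type: 'DATA', id: msg.id, data })));
        } catch (e) {
          return fail(e.message);
        }
        this.sessions.set(msg.id, sock);
        return this.send(encode({ type: 'CONNECTED', id: msg.id }));
      }
      case 'DATA': {
        const sock = this.sessions.get(msg.id);
        return sock ? sock.write(msg.data) : fail('no such session');
      }
      case 'CLOSE': {
        const sock = this.sessions.get(msg.id);
        if (sock) { sock.close(); this.sessions.delete(msg.id); }
        return;
      }
      default:
        return fail(`unexpected ${msg.type}`); // CONNECTED/ERROR only flow relay -> operator
    }
  }

  activeSessions() { return this.sessions.size; }
}

// Constructed stand-in for the internal network: "host:port" -> request handler.
function makeDial(services) {
  return (host, port, onData) => {
    const svc = services[`${host}:${port}`];
    if (!svc) throw new Error(`connection refused: ${host}:${port}`);
    return { write: (data) => onData(svc(data)), close: () => {} };
  };
}

// Operator side: drives two concurrent sessions, one failed CONNECT and a
// write to an already closed session, and returns what came back.
function runScenario() {
  const fromRelay = [];
  const relay = new Relay((frame) => fromRelay.push(decode(frame)), makeDial({
    '10.0.0.5:22': (req) => `SSH-2.0-banner (got ${req.length} bytes)`,
    '10.0.0.9:80': (req) => (req.startsWith('GET') ? 'HTTP/1.1 200 OK' : 'HTTP/1.1 400 Bad Request'),
  }));
  relay.handle(encode({ type: 'CONNECT', id: 1, host: '10.0.0.5', port: 22 }));
  relay.handle(encode({ type: 'CONNECT', id: 2, host: '10.0.0.9', port: 80 }));
  relay.handle(encode({ type: 'DATA', id: 2, data: 'GET / HTTP/1.1\r\n\r\n' }));
  relay.handle(encode({ type: 'DATA', id: 1, data: 'SSH-2.0-client\r\n' }));
  relay.handle(encode({ type: 'CONNECT', id: 3, host: '10.0.0.77', port: 445 })); // no such host
  relay.handle(encode({ type: 'CLOSE', id: 2 }));
  relay.handle(encode({ type: 'DATA', id: 2, data: 'late' }));                  // session gone
  return { messages: fromRelay, open: relay.activeSessions() };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Run it with `node`: the printed transcript shows both sessions answered in the order their DATA arrived, the CONNECT to an unreachable host answered with ERROR, and the write to the closed session rejected, with one session still open at the end. A real implant would replace `makeDial` with `net.connect` and the in-memory transport with a WebSocket client; what the model preserves is that there is no port on the relay host for a scanner to find.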

Timeline

  1. 30.03.2026 23:49 · 1 article

    RoadK1ll WebSocket implant observed enabling lateral movement in recent incident response engagements

    A Node.js-based WebSocket tunneling implant named RoadK1ll was identified during managed detection and response (MDR) investigations, where attackers used it to pivot from compromised hosts to internal systems over outbound-only connections. The tool turns an infected machine into a relay node, carries several concurrent TCP sessions over one tunnel, and keeps access by re-establishing the tunnel automatically when it is interrupted. Reported indicators include a file hash for the implant and the IP address of its communication infrastructure (the values are not reproduced on this page).


Information Snippets

  • RoadK1ll is a Node.js-based implant that speaks a custom message protocol over WebSocket to maintain attacker access and enable lateral movement.

    First reported: 30.03.2026 23:49
    1 source, 1 article
  • The implant functions as a lightweight reverse tunneling tool that converts a compromised host into a controllable relay point for pivoting to internal systems.

  • RoadK1ll establishes an outbound-only WebSocket connection to attacker-controlled infrastructure, avoiding inbound listeners and reducing detection risk.

  • The malware supports multiple concurrent TCP connections over the same WebSocket tunnel, allowing simultaneous communication with several internal destinations.

  • The tunnel protocol's message types are CONNECT, DATA, CONNECTED, CLOSE, and ERROR. CONNECT instructs the implant to open a TCP connection to an adjacent target and is the message that enables lateral movement; DATA carries the relayed bytes, and CONNECTED and ERROR report the outcome of a connection attempt back to the operator.

  • RoadK1ll automatically reconnects to restore the WebSocket tunnel if the connection is interrupted, so access survives network disruption without operator intervention for as long as the implant process keeps running.

  • The implant lacks traditional persistence mechanisms such as registry keys, scheduled tasks, or services, relying solely on process longevity for operation.

  • Host-based indicators of compromise include a file hash for RoadK1ll and an IP address associated with attacker-controlled communication infrastructure.

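Because the implant leaves no registry key, scheduled task or service behind, the tunnel itself is the artefact to hunt for. What follows is an added detection example written for this page (it is not a published rule and not from the reporting source): it runs over constructed endpoint log lines and flags a Node.js process that repeatedly performs outbound WebSocket upgrades to the same external address, which is the footprint the automatic reconnection described above leaves when the tunnel is dropped. The log format, host names, TEST-NET addresses, the `ws_upgrade` event name, the `findSuspiciousTunnels` name and the thresholds are all assumptions.

```javascript
'use strict';
// Added example, not from the page's source: a detection pass over constructed
// endpoint log lines. The behaviours it keys on (a Node.js process making
// outbound WebSocket upgrades to external infrastructure and re-connecting on
// its own) come from the page; the log format, host names, addresses and
// thresholds are assumptions made for this example.

// Constructed sample log lines (TEST-NET addresses stand in for real ones).
const SAMPLE_LOG = [
  '2026-03-30T21:10:02Z host=ws-07 proc=node.exe pid=4412 dst=203.0.113.10:443 event=ws_upgrade',
  '2026-03-30T21:10:02Z host=ws-07 proc=chrome.exe pid=912 dst=198.51.100.7:443 event=ws_upgrade',
  '2026-03-30T21:24:15Z host=ws-07 proc=node.exe pid=4412 dst=203.0.113.10:443 event=ws_upgrade',
  '2026-03-30T21:24:16Z host=ws-07 proc=node.exe pid=4412 dst=203.0.113.10:443 event=ws_upgrade',
  '2026-03-30T21:30:00Z host=build-02 proc=node pid=2210 dst=10.0.3.8:8080 event=ws_upgrade',
  '2026-03-30T21:31:00Z host=build-02 proc=node pid=2210 dst=10.0.3.8:8080 event=ws_upgrade',
  '2026-03-30T21:32:00Z host=build-02 proc=node pid=2210 dst=10.0.3.8:8080 event=ws_upgrade',
  '2026-03-30T21:40:09Z host=ws-07 proc=chrome.exe pid=912 dst=198.51.100.7:443 event=ws_upgrade',
  '2026-03-30T21:45:00Z host=ws-12 proc=node.exe pid=7731 dst=203.0.113.10:443 event=ws_upgrade',
  '2026-03-30T21:50:11Z host=ws-07 proc=node.exe pid=4412 dst=203.0.113.10:443 event=tcp_connect',
  'garbage line that does not parse',
  '2026-03-30T22:01:40Z host=ws-07 proc=node.exe pid=4412 dst=203.0.113.10:443 event=ws_upgrade',
];

const LINE_RE = /^(\S+) host=(\S+) proc=(\S+) pid=(\d+) dst=([\d.]+):(\d+) event=(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), host: m[2], proc: m[3], pid: Number(m[4]),
           dstIp: m[5], dstPort: Number(m[6]), event: m[7] };
}

// RFC 1918 ranges: a Node service talking WebSocket to an internal peer is normal.
function isPrivate(ip) {
  return /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(ip);
}

const NODE_PROC = /^node(js)?(\.exe)?$/i;

// Flags (host, process, destination) tuples where a Node.js process upgrades to
// the same external WebSocket endpoint at least `minUpgrades` times within
// `windowMs`: the reconnect churn an outbound-only tunnel produces when its
// connection is dropped and it dials back out on its own.
function findSuspiciousTunnels(lines, { windowMs = 60 * 60 * 1000, minUpgrades = 3 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.event !== 'ws_upgrade') continue;
    if (!NODE_PROC.test(ev.proc) || isPrivate(ev.dstIp)) continue;
    const key = `${ev.host}|${ev.proc}|${ev.dstIp}:${ev.dstPort}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(ev.ts);
  }
  const hits = [];
  for (const [key, times] of groups) {
    times.sort((a, b) => a - b);
    let best = 0;
    for (let i = 0, j = 0; j < times.length; j++) {   // densest sliding window
      while (times[j] - times[i] > windowMs) i++;
      best = Math.max(best, j - i + 1);
    }
    if (best >= minUpgrades) {
      hits.push({ key, upgrades: best,
                  first: new Date(times[0]).toISOString(),
                  last: new Date(times[times.length - 1]).toISOString() });
    }
  }
  return hits;
}

console.log(findSuspiciousTunnels(SAMPLE_LOG));
```

On the sample data only ws-07's node.exe is reported (four upgrades to 203.0.113.10:443 inside an hour); the browser, the build host talking to an internal service, and the single upgrade from ws-12 are left alone. Reconnect churn on its own is not proof, since legitimate Node.js services reconnect too, so pair this with the published file hash and communication IP (which the page mentions but does not reproduce) and with process-tree context. Setting `minUpgrades` to 1 turns the rule into a plain inventory of Node.js processes speaking WebSocket to the internet, a useful baseline on hosts where none should.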