RoadK1ll WebSocket reverse-tunneling implant
Malware Activity
Summary
The newly identified RoadK1ll implant gives attackers a reverse-tunneling path from a compromised host into internal systems, increasing the risk of lateral movement and covert access. It uses a custom WebSocket protocol to keep attacker connectivity alive and relay traffic on demand. The malware can open connections to internal services and management interfaces that are not externally exposed. It also reconnects when the tunnel is interrupted, helping operators maintain access with less noise.
Timeline
30.03.2026 23:49 · 2 articles
Blackpoint identifies RoadK1ll reverse-tunneling implant
Initial Disclosure: Blackpoint identified RoadK1ll, a Node.js reverse-tunneling implant, during an incident response engagement on 2026-03-30. The malware establishes an outbound WebSocket connection to attacker-controlled infrastructure and relays TCP traffic on demand. Its protocol supports the commands CONNECT, DATA, CONNECTED, CLOSE, and ERROR; it can multiplex several concurrent connections over a single tunnel and attempts to reconnect if the channel is interrupted. Blackpoint also noted that RoadK1ll does not persist via a registry key, scheduled task, or service, and provided a file hash and an IP address as indicators of compromise.
- New RoadK1ll WebSocket implant used to pivot on breached networks — www.bleepingcomputer.com — 30.03.2026 23:49