Last updated: May 14, 2026 at 10:49 AM UTC

New RoadK1ll implant turns compromised hosts into silent network relays via WebSocket tunneling

Blackpoint discovered a new Node.js-based implant called RoadK1ll during an incident response engagement. It is not a traditional RAT: it carries no large command set. Instead, it does one thing well: it turns a compromised machine into a controllable relay point that lets attackers pivot to internal systems that would normally be unreachable from outside. It communicates over WebSocket, blends into normal web traffic, supports multiple concurrent connections, and automatically reconnects if the connection is disrupted.

Check: Monitor endpoints for unexpected Node.js processes maintaining persistent outbound WebSocket connections to unfamiliar addresses.

Affected: Any Windows or Linux system where an attacker has achieved initial access. RoadK1ll is a post-compromise tool deployed after initial entry.

Fix: Validate network segmentation controls to ensure compromised hosts cannot freely reach sensitive internal services. Block outbound WebSocket traffic to unknown IPs on non-standard ports. Check for the IOCs published by Blackpoint.