RoadK1ll Malware Turns Compromised Hosts into Network Relay Points

Severity: High (Score: 67.5)

Sources: Cybersecuritynews, Scworld, Bleepingcomputer

Summary

A new malware family named RoadK1ll gives attackers a way to pivot inside compromised networks. Identified by Blackpoint during an incident response engagement, RoadK1ll is a Node.js implant that speaks a custom protocol carried over WebSocket. Its core function is to turn a single compromised machine into a relay point, giving the attacker a path to internal systems that are not reachable from the outside. The implant initiates an outbound WebSocket connection to attacker-controlled infrastructure; because the connection is outbound and resembles ordinary web traffic, it gets through perimeter controls that only restrict inbound connections. It supports multiple concurrent connections. It has no persistence mechanism of its own and operates only while its process is running, which means a reboot or process termination removes it, but also that hunting for it has to examine live processes and their network connections rather than autostart locations. Blackpoint has published indicators of compromise, including a file hash for RoadK1ll and an IP address used for its communication. The implant's small footprint makes it a significant concern for network defenders.

Key points:

  • RoadK1ll lets attackers pivot within a network by using a compromised host as a relay.
  • It communicates with attacker infrastructure over a custom WebSocket protocol.
  • It has no traditional persistence and exists only as a running process.
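The behaviour described above (a Node.js runtime holding several concurrent outbound WebSocket sessions to an external address, with nothing in autostart locations) is something a defender can hunt for directly in endpoint network-connection telemetry. The following is an added example written for this page, not code from Blackpoint or from the reporting sources. The event field names are assumed (modelled on typical EDR network-connection events), the sample events are constructed, and the RFC 5737 addresses in them are placeholders, not the IP address Blackpoint published.

```python
"""Hunt for Node.js processes behaving as outbound WebSocket relays.

Added example: the event schema is an assumption and the events are
constructed. The 198.51.100.x / 203.0.113.x addresses are RFC 5737
documentation ranges standing in for external hosts; they are not IOCs.
"""
import ipaddress
from collections import defaultdict

# Image names of the Node.js runtime on Windows and Unix-like hosts.
NODE_IMAGES = {"node", "node.exe"}

# "Internal" is defined explicitly rather than via ipaddress.is_private,
# because Python treats the RFC 5737 documentation ranges as non-global
# too, which would hide the sample external destinations below. Replace
# this list with the organisation's own address space in real use.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample telemetry. Host ws01 runs a Node.js binary from a
# user-writable path with three concurrent WebSocket sessions to one
# external IP; the remaining events are benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "image": "C:\\Users\\Public\\node.exe",
     "dst_ip": "198.51.100.23", "dst_port": 443, "ws_upgrade": True},
    {"host": "ws01", "pid": 4120, "image": "C:\\Users\\Public\\node.exe",
     "dst_ip": "198.51.100.23", "dst_port": 443, "ws_upgrade": True},
    {"host": "ws01", "pid": 4120, "image": "C:\\Users\\Public\\node.exe",
     "dst_ip": "198.51.100.23", "dst_port": 443, "ws_upgrade": True},
    # A browser using WebSockets is expected and not a Node.js runtime.
    {"host": "ws01", "pid": 880, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443, "ws_upgrade": True},
    # Developer box: Node.js talking WebSocket to an internal dev server...
    {"host": "dev02", "pid": 2201, "image": "/usr/bin/node",
     "dst_ip": "10.20.30.40", "dst_port": 3000, "ws_upgrade": True},
    # ...and plain HTTPS (no Upgrade) to an external registry.
    {"host": "dev02", "pid": 2201, "image": "/usr/bin/node",
     "dst_ip": "203.0.113.50", "dst_port": 443, "ws_upgrade": False},
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside the defined internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def image_basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_node_relay_candidates(events, min_sessions=2):
    """Return one finding per (host, pid) where a Node.js runtime holds
    WebSocket-upgraded connections to external addresses.

    min_sessions targets the multi-connection relay behaviour; lower it
    to 1 for a broader (noisier) hunt.
    """
    sessions = defaultdict(list)
    for ev in events:
        if image_basename(ev["image"]) not in NODE_IMAGES:
            continue
        if not ev["ws_upgrade"] or is_internal(ev["dst_ip"]):
            continue
        sessions[(ev["host"], ev["pid"])].append((ev["dst_ip"], ev["dst_port"]))

    findings = []
    for (host, pid), conns in sorted(sessions.items()):
        if len(conns) < min_sessions:
            continue
        findings.append({
            "host": host,
            "pid": pid,
            "sessions": len(conns),
            "destinations": sorted(set(conns)),
            # C2 over WebSocket, as the page's entity list tags it.
            "technique": "T1071.001",
        })
    return findings


if __name__ == "__main__":
    for f in find_node_relay_candidates(SAMPLE_EVENTS):
        print(f"{f['host']} pid={f['pid']} sessions={f['sessions']} "
              f"to {f['destinations']} ({f['technique']})")
```

Because the implant has no persistence, a hit from this hunt is only actionable while the process is alive: capture the process (memory, the script or bundle it was launched from, its open sockets) before containing it, since a reboot will leave nothing in the usual autostart locations to collect afterwards. Developer hosts running Node.js legitimately will need their expected destinations tuned out.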

Key Entities

  • Malware (attack_type)
  • RoadK1ll (malware)
  • T1021 - Remote Services (mitre_attack)
  • T1071.001 - Web Protocols (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Node.js (tool)
  • WebSocket (platform)