RoadK1ll Malware Turns Hacked Devices Into Network Relays

Hackers are deploying a new Node.js-based implant dubbed RoadK1ll to quietly turn compromised hosts into on-demand network relays, enabling stealthy pivoting deeper into victim environments without exposing obvious remote access tooling.

The implant’s sole purpose is to provide attackers with reliable, flexible access back into an internal network after initial compromise, effectively turning a single infected host into an “access amplifier” for follow-on activity.

Unlike traditional remote access malware, RoadK1ll does not expose a rich command set or heavyweight operator console on the endpoint.

Blackpoint’s Response Operations Center (BROC) identified RoadK1ll during an incident response engagement and is tracking it as a dedicated pivoting tool rather than a full-featured RAT.

Instead, it focuses on maintaining a stable tunnel and brokering traffic, letting the attacker reach internal systems, local-only services, and segmented network segments that would normally be unreachable from outside the perimeter.

RoadK1ll Malware

RoadK1ll is implemented in Node.js and leans on two key modules: net for raw TCP sockets and ws for WebSocket communication, placing it between an outbound WebSocket C2 session and local TCP connections opened on demand.

Configuration values define the attacker-controlled VPS host, WebSocket port, a shared tunnel secret used as a basic authentication token, and a reconnect interval that shows the malware is designed to re-establish its tunnel if connectivity drops.

Communication runs over a custom framing protocol that multiplexes multiple logical channels over a single WebSocket connection.

Defining connection settings (Source : Blackpoint).
Defining connection settings (Source : Blackpoint).

Each message starts with a 4-byte channel ID and 1-byte message type, followed by the payload, allowing the operator to manage many independent TCP streams through one outbound tunnel.

Core message types include DATA, CONNECT, CONNECTED, CLOSE, and ERROR, giving the attacker a compact but sufficient control vocabulary to open sockets, push traffic, cleanly close channels, and handle failures.

To keep track of concurrent activity, RoadK1ll maintains a runtime map that associates each channel ID with its corresponding TCP socket.

An encodeMessage function builds outbound frames with a fixed 5-byte header and optional payload, while decodeMessage validates and parses inbound frames to recover the channel, type, and data before processing.

Outbound Message Handling Layer of RoadK1ll (Source : Blackpoint).
Outbound Message Handling Layer of RoadK1ll (Source : Blackpoint).

This pairing forms the core wire protocol, supporting both binary network traffic and simple status messages over the same tunnel.

The implant then establishes its primary WebSocket control path via a connect routine that builds the URL using the configured VPS host, port, and tunnel secret before issuing new WebSocket(…) to reach attacker infrastructure.

Inbound Message Handling Layer of RoadK1ll (Source : Blackpoint).
Inbound Message Handling Layer of RoadK1ll (Source : Blackpoint).

During analysis, researchers observed the use of ws.binaryType = ‘nodebuffer’, signaling that RoadK1ll is designed to transport arbitrary binary data rather than just text commands.

A commented rejectUnauthorized: false option hints that the developer anticipated TLS validation issues and optimized for reliability across varied environments.

Pivoting, Lateral Movement, and Relay Loop

Once the tunnel is live, RoadK1ll listens for inbound messages from the relay and routes each one through a switch-style control flow that maps CONNECT, DATA, and CLOSE messages to dedicated handlers.

A CONNECT command triggers handleConnect, which parses a structured payload containing a target host and port, then calls net.createConnection({ host, port }) to open a new outbound TCP session from the compromised host into the internal network.

Parsing inbound data payloads (Source : Blackpoint).
Parsing inbound data payloads (Source : Blackpoint).

On success, a CONNECTED message confirms the channel is ready, and the attacker can immediately begin interacting with the internal service through that socket.

The handleData function looks up the active socket for a given channel ID and writes attacker-supplied payloads directly into that connection, while a companion sendToVps routine packages responses, errors, and status updates and forwards them back over the WebSocket tunnel.

The Pivoting Mechanism with RoadK1ll (Source : Blackpoint).
The Pivoting Mechanism with RoadK1ll (Source : Blackpoint).

This bidirectional loop lets the attacker talk through the victim to internal databases, management interfaces, or other servers, with each channel tracked independently so several destinations can be reached at once over the same tunnel.

To keep access available, RoadK1ll implements a scheduleReconnect function that kicks in when the WebSocket session drops, setting a timer and calling connect() again after the configured interval if a reconnect is not already in progress.

This reconnection loop makes the implant resilient to transient network issues without requiring operator intervention, as long as the process continues running.

Notably, analysts did not observe classic persistence mechanisms such as registry run keys or scheduled tasks in this component; instead, RoadK1ll’s persistence is conditional and focused on preserving connectivity rather than re-establishing execution.

Blackpoint’s analysis highlights RoadK1ll as an example of modern, purpose-built tunneling tradecraft that cleanly separates initial access from post-compromise pivoting.

By packaging tunneling as a modular capability, the malware turns one compromised machine into a reusable, low-noise pivot point, aligning closely with intrusion workflows that prioritize stealth, flexibility, and minimal host footprint.

Indicators of Compromise

File name / Path SHA256 Context / Notes
Index.js b5a3ace8dc6cc03a5d83b2d85904d6e1ee00d4167eb3d04d4fb4f793c9903b7e RoadK1ll

Related Articles

Back to top button