CyberSecurityNews

Hackers Abuse n8n AI Workflow Automation to Deliver Malware Through Trusted Webhooks


Cybercriminals have found a new way to sneak malware past traditional security filters by hijacking a legitimate AI workflow automation tool called n8n.

Rather than building their own infrastructure from scratch, these threat actors are turning a productivity platform into a weapon, using it to send phishing emails and deliver dangerous payloads directly to victims’ devices.

The activity was first observed as far back as October 2025 and continued well into March 2026. During this period, attackers created free developer accounts on the n8n platform, which automatically provisioned subdomains under the *.app.n8n[.]cloud namespace.

Since these subdomains belong to a widely recognized service, outgoing emails and web requests originating from them are treated as trustworthy by many corporate security gateways.

This allowed the attackers to route their malicious content through a channel that would not immediately raise red flags for most email security solutions.

Cisco Talos researchers Sean Gallagher and Omid Mirzaei identified the abuse of the n8n platform and published a detailed analysis of the campaigns.

Their investigation revealed that the primary point of exploitation was n8n’s URL-exposed webhooks, a standard feature that allows one application to send real-time data to another.

The researchers noted that the volume of emails containing n8n webhook URLs in March 2026 was approximately 68% higher than what was recorded in January 2025, pointing to a sharp and deliberate increase in the abuse of this platform.

The findings showed two main attack goals running side by side: delivering malware and fingerprinting targeted devices.

By embedding invisible tracking pixels hosted on n8n webhook URLs inside HTML emails, attackers were able to silently collect device information, such as browser type and IP address, from recipients who simply opened the email without clicking any link.

At the same time, separate phishing campaigns were pushing active malware payloads onto victim machines through the same webhook-based delivery approach.
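The two email-borne techniques just described (a webhook link as the click lure and a hidden webhook-hosted image as the fingerprinting pixel) can both be surfaced before a message reaches an inbox. The following is an added example written for this article, not code from Cisco Talos or from n8n: it parses an email's HTML, pulls out every link and image that points at an n8n webhook URL, and classifies each as a click lure, a remote image, or a tracking pixel. It assumes the `*.app.n8n.cloud` tenant hostname pattern named above and the `/webhook/` and `/webhook-test/` path prefixes that n8n uses for exposed webhooks; the sample email is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tenant subdomains are provisioned under *.app.n8n.cloud (per the Talos report).
N8N_HOST = re.compile(r"^[a-z0-9-]+\.app\.n8n\.cloud$", re.IGNORECASE)
# Assumption: exposed n8n webhooks live under /webhook/ (production) or /webhook-test/.
WEBHOOK_PATH = re.compile(r"^/webhook(-test)?/", re.IGNORECASE)


def is_n8n_webhook(url):
    """True when the URL is an http(s) URL to a webhook on an n8n cloud tenant."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False
    return bool(N8N_HOST.match(p.hostname or "")) and bool(WEBHOOK_PATH.match(p.path))


def _looks_hidden(attrs):
    """Classic tracking-pixel signature: 1x1/0x0 dimensions or CSS that hides the image."""
    def tiny(value):
        try:
            return int(str(value).strip().rstrip("px")) <= 1
        except ValueError:
            return False

    if tiny(attrs.get("width")) or tiny(attrs.get("height")):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class WebhookRefParser(HTMLParser):
    """Collects <a href> and <img src> references that resolve to n8n webhook URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src") and is_n8n_webhook(a["src"]):
            kind = "tracking_pixel" if _looks_hidden(a) else "remote_image"
            self.findings.append({"tag": tag, "url": a["src"], "kind": kind})
        elif tag == "a" and a.get("href") and is_n8n_webhook(a["href"]):
            self.findings.append({"tag": tag, "url": a["href"], "kind": "link"})


def scan_email_html(html):
    """Return the webhook references found plus two verdict flags for triage."""
    parser = WebhookRefParser()
    parser.feed(html)
    parser.close()
    kinds = {f["kind"] for f in parser.findings}
    return {
        "findings": parser.findings,
        "fingerprinting": "tracking_pixel" in kinds,  # opens alone leak device info
        "click_lure": "link" in kinds,                # a click leads to the webhook page
    }


# Constructed sample: a fake "shared folder" notice with a lure link and a pixel.
SAMPLE_EMAIL = """<html><body>
<p>A document has been shared with you.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/open-document">Open OneDrive folder</a>
<img src="https://example-tenant.app.n8n.cloud/webhook/track?id=42" width="1" height="1" style="display:none">
<img src="https://cdn.example.com/logo.png" width="120" height="40">
<a href="https://example.com/unsubscribe">Unsubscribe</a>
</body></html>"""

if __name__ == "__main__":
    result = scan_email_html(SAMPLE_EMAIL)
    for f in result["findings"]:
        print(f"{f['kind']:15} {f['url']}")
    print("fingerprinting:", result["fingerprinting"], "| click lure:", result["click_lure"])
```

The host check anchors on the full hostname, so a look-alike such as `x.app.n8n.cloud.attacker.test` does not match; the path check keeps ordinary links to an n8n tenant's landing page from being flagged. In a gateway, the `fingerprinting` flag is the one worth acting on even when a user never clicks, since the pixel fires on open.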

The attackers effectively weaponized a tool originally designed to automate workflows and save developer time, flipping its purpose entirely.

Inside the Infection Chain

One of the most clearly documented campaigns involved phishing emails that posed as shared Microsoft OneDrive folder notifications. When recipients clicked the embedded n8n webhook link, their browser loaded an HTML page containing a CAPTCHA challenge.

Example of a malicious email that delivers malware (Source - Cisco Talos)

This step served as a basic human verification gate, helping the attackers filter out automated scanners and sandboxes.

Once the CAPTCHA was solved, a download button appeared and a file named DownloadedOneDriveDocument.exe was silently fetched from an external host. Because that fetch was performed by JavaScript running on the n8n webhook page, the download appeared to originate from the trusted n8n infrastructure itself.

HTML and JavaScript payload of the webhook downloads an executable file from a malicious URL (Source - Cisco Talos)

When executed, this file installed a modified version of the Datto Remote Monitoring and Management (RMM) tool, a legitimate remote administration application.

The malware then used PowerShell commands to configure Datto RMM as a scheduled task, establishing a persistent connection to a relay on the centrustage[.]net domain before deleting itself and the rest of the payload to cover its tracks.

A separate but related campaign used an n8n webhook to deliver a maliciously modified Microsoft Windows Installer (MSI) file instead.

That file installed the ITarian Endpoint Management RMM tool, which acted as a backdoor and ran Python modules to exfiltrate data from the compromised system, while displaying a fake installer progress bar to disguise the actual activity (Figure 8).

Both campaigns relied on the same core logic: funnel victims through a trusted domain, disguise the delivery as something ordinary, and install a remote access tool that persists quietly on the system.

The n8n platform’s flexibility and ease of integration made it an ideal vehicle for this approach, as no advanced infrastructure was needed to stand up the operation.

Cisco Talos outlined several steps that security teams should take to reduce exposure to this type of threat. Security researchers recommended moving beyond static domain blocking, since blocking n8n[.]cloud entirely could disrupt legitimate business workflows that rely on the same platform.

Instead, defenders should implement behavioral detection that triggers alerts when unusually high volumes of traffic are directed toward automation platform domains from unexpected internal sources.

Security teams should also flag any endpoint attempting to communicate with AI automation platform domains that fall outside the organization’s approved workflow inventory, as this could indicate an active compromise.
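The two behavioral rules just recommended, a volume trigger and an inventory check, can be prototyped over proxy or DNS logs in a few dozen lines. What follows is an added example written for this article, not code from Cisco Talos or n8n: it reads constructed proxy log lines, keeps only requests to automation-platform domains, raises an `unapproved_source` alert when an internal host contacts a tenant that is not in its approved workflow inventory, and a `volume_anomaly` alert when a single source exceeds a request-count threshold. The log line format, the inventory mapping, the threshold, and the host names are all assumptions made for the example.

```python
import re
from collections import Counter

# Automation-platform domains to watch; matched as a hostname suffix.
AUTOMATION_SUFFIXES = (".app.n8n.cloud",)

# Assumption: the approved workflow inventory maps each internal source host to
# the automation tenants it is allowed to contact. Anything else is unexpected.
APPROVED_INVENTORY = {
    "build-server-01": {"ops-tenant.app.n8n.cloud"},
}

# Assumption: more than this many requests from one source in the analyzed window
# is "unusually high" for this organization. Tune from a baseline of normal traffic.
VOLUME_THRESHOLD = 5

# Constructed proxy log line format: "<iso-time> <src_host> <dest_host> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, path = m.groups()
    return {"ts": ts, "src": src, "dst": dst.lower(), "path": path}


def is_automation_domain(host):
    return any(host.endswith(suffix) for suffix in AUTOMATION_SUFFIXES)


def analyze(lines, inventory=APPROVED_INVENTORY, threshold=VOLUME_THRESHOLD):
    """Return alerts for unapproved source/tenant pairs and per-source volume spikes."""
    alerts = []
    per_source = Counter()
    reported_pairs = set()  # one unapproved_source alert per (src, dst) pair
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_automation_domain(rec["dst"]):
            continue
        per_source[rec["src"]] += 1
        pair = (rec["src"], rec["dst"])
        allowed = inventory.get(rec["src"], set())
        if rec["dst"] not in allowed and pair not in reported_pairs:
            reported_pairs.add(pair)
            alerts.append({"rule": "unapproved_source", "src": rec["src"],
                           "dst": rec["dst"], "first_seen": rec["ts"]})
    for src, count in per_source.items():
        if count >= threshold:
            alerts.append({"rule": "volume_anomaly", "src": src, "count": count})
    return alerts


# Constructed sample: an approved CI host plus a finance workstation that hit an
# unknown tenant repeatedly, the pattern a phished user's browser would leave.
SAMPLE_LOG = """\
2026-03-02T09:00:01Z build-server-01 ops-tenant.app.n8n.cloud /webhook/deploy-notify
2026-03-02T09:00:05Z build-server-01 ops-tenant.app.n8n.cloud /webhook/deploy-notify
2026-03-02T09:12:44Z ws-finance-17 example-tenant.app.n8n.cloud /webhook/track?id=42
2026-03-02T09:12:45Z ws-finance-17 example-tenant.app.n8n.cloud /webhook/open-document
2026-03-02T09:12:46Z ws-finance-17 example-tenant.app.n8n.cloud /webhook/open-document
2026-03-02T09:12:47Z ws-finance-17 example-tenant.app.n8n.cloud /webhook/open-document
2026-03-02T09:12:48Z ws-finance-17 example-tenant.app.n8n.cloud /webhook/open-document
2026-03-02T09:30:00Z ws-hr-03 www.example.com /index.html
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Keying the inventory on the full tenant hostname rather than on `n8n.cloud` is what lets legitimate workflows keep running while a never-before-seen tenant still alerts; that is the middle ground between blanket domain blocking and doing nothing.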

Sharing indicators of compromise (IOCs), including specific webhook URL structures, malicious file hashes, and known command-and-control domains, through platforms like Cisco Talos Intelligence is another practical measure.

Finally, organizations should deploy AI-driven email security solutions that analyze behavioral signals, not just reputation scores, to catch threats that travel through otherwise trusted infrastructure.
