The n8n n8mare: How threat actors are misusing AI workflow automation
Threat actors have been abusing the n8n AI workflow automation platform's webhook functionality in phishing campaigns from October 2025 to March 2026. These campaigns use n8n webhooks to deliver malware and fingerprint devices, bypassing security filters by leveraging trusted infrastructure. Email volume containing n8n webhook URLs surged by 686% between January 2025 and March 2026. Attackers employ CAPTCHA-protected pages to distribute remote access tools, including modified versions of Datto RMM and ITarian Endpoint Management software. Malicious payloads are masked behind legitimate n8n domains, complicating detection. Additional abuse involves embedding tracking pixels in emails for device fingerprinting. These attacks highlight the risk of weaponizing legitimate automation platforms and the need for behavioral detection rather than simple domain blocking.
AI Analysis
Technical Summary
This threat involves the misuse of the n8n AI workflow automation platform by adversaries who exploit its webhook feature to conduct sophisticated phishing campaigns. From late 2025 through early 2026, attackers have used n8n webhooks to deliver malware payloads and perform device fingerprinting, effectively bypassing traditional security filters by hiding malicious activity behind trusted n8n infrastructure. The campaigns have notably increased in volume, with a 686% rise in emails containing n8n webhook URLs. Techniques include the use of CAPTCHA-protected landing pages to deliver remote access tools such as modified Datto RMM and ITarian Endpoint Management software. The abuse also extends to embedding tracking pixels within emails to gather device information. The threat demonstrates how legitimate productivity tools can be weaponized, necessitating advanced detection strategies focused on behavior rather than relying solely on domain or URL blocking.
Potential Impact
The impact includes increased phishing attacks leveraging trusted n8n webhook URLs to deliver malware and remote access tools, potentially leading to unauthorized access and device compromise. The use of legitimate infrastructure to mask malicious payloads complicates detection and mitigation efforts. Device fingerprinting via tracking pixels may facilitate targeted follow-up attacks. The surge in attack volume indicates a growing threat that could affect organizations relying on email and automation workflows.
Mitigation Recommendations
No official patch or fix is indicated for this threat as it exploits legitimate platform features rather than a software vulnerability. Organizations should implement behavioral detection mechanisms to identify suspicious use of n8n webhooks and monitor for unusual automation activity. Simple domain or URL blocking is insufficient due to the use of legitimate n8n domains. Security teams should be aware of phishing campaigns leveraging CAPTCHA-protected pages and modified remote access tools. Employing advanced email filtering and user awareness training focused on recognizing such phishing tactics is recommended. Regularly review and restrict webhook usage within automation platforms to limit abuse potential.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.talosintelligence.com/the-n8n-n8mare/
- Adversary: UAT-10362
- Pulse Id: 69dfa9e58a74337f7fb97333
- Threat Score: null
Threat ID: 69dfcba782d89c981f8345f2
Added to database: 4/15/2026, 5:32:23 PM
Last enriched: 4/15/2026, 5:47:05 PM
Last updated: 4/16/2026, 6:20:02 AM