Cybercriminals have found a new avenue to deliver malware by exploiting the legitimate AI workflow automation tool, n8n. Instead of developing their own infrastructure, threat actors are repurposing n8n to send phishing emails and distribute malicious payloads directly to unsuspecting victims. This concerning trend, observed from October 2025 through March 2026, leverages n8n’s trusted subdomains, allowing malicious content to bypass standard security filters.
Security researchers Sean Gallagher and Omid Mirzaei of Cisco Talos identified these campaigns, which utilize n8n’s URL-exposed webhooks. During March 2026, the volume of emails containing n8n webhook URLs saw a significant increase, approximately 68% higher than in January 2025. The attackers pursued two primary objectives: delivering malware and fingerprinting targeted devices by embedding invisible tracking pixels within emails.
Hackers Abuse n8n AI Workflow Automation for Malware Delivery
The attackers created free developer accounts on the n8n platform, which automatically provisioned subdomains under the *.app.n8n[.]cloud namespace. This strategic choice, according to Cisco Talos, allowed their malicious communications to appear as if originating from a reputable service, significantly increasing the likelihood of them passing through corporate security gateways without detection. This tactic highlights a shift in cybercriminal methods, moving towards the exploitation of trusted services rather than solely relying on novel attack vectors.
The core of these attacks revolves around n8n’s webhooks, which are designed to enable real-time data transfer between applications. By manipulating these webhooks, threat actors could channel malicious content through what appeared to be a legitimate integration. This approach effectively masked the true origin of the attack, making it harder for security systems to identify and block.
Inside the Infection Chain: A Multi-Stage Attack
One prominent campaign impersonated Microsoft OneDrive file-sharing notifications. Upon clicking a link within the phishing email, recipients were directed to an HTML page hosted on an n8n webhook. This page featured a CAPTCHA challenge, designed to filter out automated security tools and sandboxes, ensuring that only human interaction would proceed. This allowed the attackers to remain undetected by many automated security analysis platforms.
After successfully completing the CAPTCHA, users were presented with a download button. A file, deceptively named DownloadedOneDriveDocument.exe, was then silently downloaded. Crucially, because the download was initiated and executed within the n8n domain’s JavaScript environment, it appeared to originate from the trusted n8n infrastructure, further deceiving both the user and security systems.
When executed, this malicious executable installed a modified version of the Datto Remote Monitoring and Management (RMM) tool. This legitimate remote administration application was then leveraged to establish persistent access. The malware employed PowerShell commands to configure Datto RMM as a scheduled task, creating a covert connection to a relay on the centrustage[.]net domain, before the payload self-deleted to remove evidence of its presence.
In parallel, another campaign employed a similar strategy but delivered a tampered Microsoft Windows Installer (MSI) file via an n8n webhook. This MSI file installed the ITarian Endpoint Management RMM tool, which functioned as a backdoor. It also ran Python modules to exfiltrate sensitive data from the compromised system. To disguise its malicious activities, the MSI displayed a fake installer progress bar, lulling the victim into a false sense of security while data theft occurred in the background.
Mitigation Strategies for Organizations
To counter this evolving threat, Cisco Talos researchers have recommended several key defensive measures. Traditional static domain blocking may prove insufficient, as completely blocking n8n[.]cloud could disrupt legitimate business operations that rely on the platform for workflow automation. Instead, organizations should focus on implementing behavioral detection mechanisms.
These behavioral detection systems should be configured to trigger alerts when an unusually high volume of traffic is directed towards automation platform domains from unexpected internal sources. Additionally, security teams should flag any endpoint that attempts to communicate with AI automation platform domains not included in the organization’s approved workflow inventory. Such attempts could signal an active compromise or an unauthorized use of these tools for malicious purposes.
Sharing indicators of compromise (IOCs) is also vital. This includes specific webhook URL patterns, malicious file hashes, and known command-and-control domains. Platforms like Cisco Talos Intelligence can facilitate this crucial information exchange. Furthermore, organizations are urged to deploy AI-driven email security solutions capable of analyzing behavioral signals, rather than solely relying on reputation scores. This advanced analysis is essential for detecting threats that leverage otherwise trusted infrastructure.
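The two behavioral checks recommended above, volume-based alerting and inventory-based flagging, can be expressed as a small detection pass over web proxy logs. The following is an added example written for this article, not code from Cisco Talos or the n8n project. It assumes a proxy log format of "timestamp source-host method URL", a constructed approved-workflow inventory (acme-ops.app.n8n.cloud), a constructed per-host volume threshold of 20 requests, and n8n's standard production webhook path prefix /webhook/, none of which appear on the page. The sample log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Domain suffixes of workflow-automation platforms. Matching is suffix-based so every
# tenant subdomain under the namespace (e.g. <tenant>.app.n8n.cloud) is covered.
# Only n8n is named in the article; extend this tuple with other platforms as needed.
AUTOMATION_PLATFORM_SUFFIXES = (".app.n8n.cloud",)

# Assumed approved workflow inventory: the tenant hosts the organisation actually uses.
APPROVED_AUTOMATION_HOSTS = {"acme-ops.app.n8n.cloud"}

# Assumed proxy log format: "<ISO timestamp> <source host> <HTTP method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def parse_line(line):
    """Return ts/src/method/url/host for one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def is_automation_platform(host):
    """True for the platform apex or any tenant subdomain beneath it."""
    return any(host == s.lstrip(".") or host.endswith(s) for s in AUTOMATION_PLATFORM_SUFFIXES)


def is_webhook_url(url):
    """n8n serves production workflows under /webhook/<path>; flag those URLs specifically."""
    path = urlparse(url).path
    return path == "/webhook" or path.startswith("/webhook/")


def analyze_proxy_log(log_text, approved_hosts=APPROVED_AUTOMATION_HOSTS, volume_threshold=20):
    """Apply both behavioural checks and return the findings.

    unapproved   : {source host: sorted automation hosts not in the approved inventory}
    high_volume  : {source host: request count} for sources above volume_threshold
    webhook_hits : {source host: number of /webhook/ requests to unapproved hosts}
    """
    per_src_count = Counter()
    per_src_unapproved = defaultdict(set)
    per_src_webhook = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_automation_platform(rec["host"]):
            continue
        per_src_count[rec["src"]] += 1
        if rec["host"] not in approved_hosts:
            per_src_unapproved[rec["src"]].add(rec["host"])
            if is_webhook_url(rec["url"]):
                per_src_webhook[rec["src"]] += 1
    return {
        "unapproved": {s: sorted(h) for s, h in per_src_unapproved.items()},
        "high_volume": {s: c for s, c in per_src_count.items() if c > volume_threshold},
        "webhook_hits": dict(per_src_webhook),
    }


def build_sample_log():
    """Constructed log: an approved integration, a quiet workstation reaching an unknown
    tenant's webhook (the phishing-link pattern), and a workstation bursting traffic."""
    lines = [
        "2026-03-04T09:12:01Z ws-finance-07 GET https://acme-ops.app.n8n.cloud/webhook/inventory-sync",
        "2026-03-04T09:12:05Z ws-finance-07 POST https://acme-ops.app.n8n.cloud/webhook/inventory-sync",
        "2026-03-04T09:13:44Z ws-sales-12 GET https://unknown-tenant.app.n8n.cloud/webhook/3f0c1e",
        "2026-03-04T09:13:45Z ws-sales-12 GET https://unknown-tenant.app.n8n.cloud/webhook/3f0c1e/download",
        "2026-03-04T09:20:10Z ws-hr-03 GET https://www.example.com/",
    ]
    # One source generating 25 requests to an unapproved tenant within a minute.
    lines += [
        f"2026-03-04T09:30:{i:02d}Z ws-eng-21 GET https://other-tenant.app.n8n.cloud/webhook/ping"
        for i in range(25)
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for category, hits in analyze_proxy_log(build_sample_log()).items():
        print(f"{category}: {hits}")
```

A single webhook request from a workstation to a tenant outside the inventory is the signal worth triaging first, since the article's infection chain begins with exactly one click on such a link; the volume check catches the noisier case of an endpoint already beaconing or repeatedly fetching payloads. Blocking the whole n8n[.]cloud namespace is deliberately not part of the logic, in line with the Talos recommendation.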
The ongoing exploitation of n8n underscores the dynamic nature of cyber threats and the constant adaptation by threat actors. As AI and workflow automation tools become more ubiquitous, their potential for misuse will likely continue to be explored by malicious actors. Organizations must remain vigilant and adopt proactive, intelligence-driven security postures to defend against these sophisticated attacks, preparing for potential future campaigns that leverage similar exploitation techniques.