When Hackers Don't Need to Hack: How n8n Became a Global Attack Weapon

Overview
Cisco Talos analysts have just released a study on a large-scale attack campaign exploiting the n8n workflow automation platform to distribute malware and collect device information (fingerprinting). From January 2025 to March 2026, the number of emails containing malicious webhook links from n8n surged by 686%, indicating that attack groups are actively shifting to abusing trusted service infrastructure (SaaS) to bypass traditional security layers.
The greatest risk lies in malware being executed through "shadow" automation processes—often beyond the control of IT teams. Victims not only have their information stolen but also have unauthorized remote management tools (RMM) installed, setting the stage for future ransomware or espionage attacks. It is crucial to urgently review and tightly control connections to unofficial n8n domains within the enterprise network infrastructure.
What is n8n?
n8n is a workflow automation platform similar to Zapier, specializing in connecting applications and services through APIs (REST/HTTP). This platform is attracting a large number of users due to its self-hosting capability and built-in tools for creating agentic AI workflows.
Architecturally, the n8n system is built on three core components:
Workflows: The overall blueprint of an automation process.
Nodes: Functional blocks representing a specific task or application service. These often include Trigger Nodes (initiating a flow when an event occurs, such as capturing an HTTP request sent to a Webhook) and Action Nodes (executing tasks like uploading files, sending Slack messages, or calling an API).
Connections: The pathways that transfer locally formatted JSON data from one Node to the next.
For the commercial cloud version (n8n.cloud), users who register an account are immediately assigned a random subdomain in the format [custom-name].app.n8n[.]cloud. Having a URL within this trusted domain group provides a huge strategic advantage for attackers: they can host payloads or phishing pages that easily bypass URL reputation-based filtering systems of email gateways. Similar to previous campaigns abusing Softr.io, this tactic exposes an inherent weakness in network security design: the implicit trust in popular SaaS domains.
Timeline & Attack Flow
The campaign was first noted around October 2025 and peaked in the first quarter of 2026. Attack groups used n8n as a "delivery vehicle" due to its flexibility and high automation capability.
The attack chain (kill chain) proceeds as follows:
Initial Access: Send phishing emails pretending to share a folder on Microsoft OneDrive.
Redirection: The link in the email leads to an n8n webhook (usually in the format [subdomain].app.n8n[.]cloud/webhook/...).
Evasion: The website displays a CAPTCHA to trick sandbox filters and ensure real human interaction.
Malware Delivery: After the CAPTCHA is solved, JavaScript code is triggered to download the payload from an external server. Since this happens within a session with the n8n.cloud domain, the browser often treats it as a safe download.
Execution: The victim opens the executable file (.exe or .msi) and inadvertently installs RMM software such as Datto or ITarian.
Technical analysis
The campaign exploiting n8n demonstrates sophistication in combining evasion techniques (Defense Evasion) with legitimate automation tools. Below is a detailed analysis of each stage in the infection chain:
Architecture Abusing n8n Webhook & Redirection Chain
Instead of using a self-built infrastructure (self-hosted C2), the attacker configures Webhook Nodes on n8n to act as a Traffic Distribution System (TDS).
When the victim clicks on the Webhook link (e.g., hxxps://monicasue[.]app[.]n8n[.]cloud/webhook/download...), n8n logs the trigger event and executes the workflow.
Unlike typical phishing URLs, email security filters (such as Proofpoint, Mimecast) often classify n8n.cloud as a safe domain with a high reputation, belonging to legitimate cloud services, allowing traffic to pass through enterprise networks without being blocked.
Fingerprinting through Tracking Pixel
Before the victim even clicks on the malicious download link, the attacker successfully collects information about their environment through a Tracking Pixel.
A transparent 1x1 pixel image is embedded in the HTML code of the phishing email. The image source (src) is directly pointed to another n8n Webhook endpoint of the attack group.
When the victim's browser or mail application automatically loads the image, an HTTP GET request is sent to this Webhook.
On the n8n backend, the attacker easily extracts essential metadata from the HTTP Header, including the public IP address, User-Agent parameters (to identify the operating system and browser version), and the activity status of the victim's email. This data helps them filter targets and eliminate IPs belonging to security research centers (sandbox evasion).
Sandbox Evasion Technique
To ensure the malware is only downloaded by real humans and bypasses automated file scanning systems (Dynamic Malware Analysis/Sandbox), the n8n Webhook returns the interface of a fake CAPTCHA authentication page.
The victim's browser establishes an encrypted connection (HTTPS/TLS) with the n8n.cloud server. The downloaded content is a static HTML page containing a custom-developed CAPTCHA system.
If the email gateway activates link-crawling/sandbox mechanisms, it will get stuck at the CAPTCHA page due to the lack of user interaction (mouse focus, keystroke) to extract the file.
Only when the victim manually solves the CAPTCHA is a hidden JavaScript snippet granted execution rights. It triggers the XMLHttpRequest or Fetch API to call an external C2 server (e.g., onedrivedownload[.]zoholandingpage[.]com) to retrieve the final payload URL and force the browser to download the executable file. At this point, the browser still considers the download prompt safe because it originates from a session with real interaction with the original n8n webpage.
Payload Mechanism: Weaponizing Datto RMM & ITarian
The attacker does not immediately deploy traditional trojans or ransomware. Instead, they exploit two legitimate Remote Monitoring and Management (RMM) solutions used by Managed Service Providers (MSPs) to hide within system processes, bypassing real-time detection techniques (Behavioral EDR/XDR).
Payload 1: Datto RMM (DownloadedOneDriveDocument.exe)
Characteristics: This is a WinRAR Self-Extracting (SFX) archive disguised as a confidential document file.
Mechanism: When executed in memory, this SFX file automatically extracts the AEMAgent.exe file into the Windows temporary directory and runs silently (Silent Install). AEMAgent.exe is the core process of Datto RMM.
Persistence & C2: After installation, the payload creates Windows Scheduled Tasks pointing to the Datto directory in order to maintain persistence. At the same time, it opens a continuous encrypted TLS connection on port 443 to Datto's genuine cloud infrastructure (typically the wildcard *.centrastage.net), but enrolls the victim device's identifier (Node ID) into a dashboard controlled by the attacker. At this point the attacker holds the highest privilege level (SYSTEM) on the legitimate user's computer.
Payload 2: ITarian Endpoint Management (OneDrive_Document_Reader_installer.msi)
Characteristics: Using a more complex technique, the attacker wraps the .msi file with the well-known Armadillo packer. This use of a packer prevents antivirus programs from directly reading the file's static digital signature (Signature-based AV Evasion).
Mechanism: The MSI interface is designed to convincingly mimic the "OneDrive Document Reader" installation wizard. When the victim clicks Install and the graphical progress bar appears, the malware silently activates the ITarian Endpoint Manager installer in the background.
Post-exploitation Behavior: This tool drops a series of .dll library files and Python scripts. By exploiting the Python modules included with ITarian, hackers can establish connections to their own C2, preparing for internal data exfiltration or using the workstation as a pivot to attack the core servers of the enterprise's Active Directory.
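The indicators named in the two payload sections above (an RMM agent launched from the Windows temp directory, scheduled tasks pointing at the Datto folder, agent traffic to *.centrastage.net on 443 from a host IT never enrolled, and the SHA-256 hashes listed in the IOC section) can be turned into hunting rules over endpoint telemetry. The following is an added example written for this article, not code from Talos or either RMM vendor; it assumes JSON-lines telemetry with the field names used here, and the events, the approved-host list and the task action path are constructed.

```python
"""Hunt endpoint telemetry for the RMM-abuse behaviours described above.
Added example for this article, not vendor or Talos code. Assumes JSON-lines
events with the fields used below; all sample events are constructed."""
import json
from fnmatch import fnmatch

# Hosts where IT legitimately runs Datto RMM (assumption for the example).
APPROVED_RMM_HOSTS = {"it-admin-01"}

# SHA-256 hashes from the IOC section of this article.
KNOWN_BAD_SHA256 = {
    "7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0",
    "93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a",
}
RMM_IMAGES = {"aemagent.exe"}  # Datto RMM core process named in the analysis
LURE_NAMES = {"downloadedonedrivedocument.exe",
              "onedrive_document_reader_installer.msi"}
TEMP_PATTERNS = ("*\\temp\\*", "*\\tmp\\*")  # SFX drops the agent into %TEMP%


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names one telemetry event matches."""
    hits = []
    host = event.get("host", "")
    kind = event.get("event")
    unmanaged = host not in APPROVED_RMM_HOSTS
    if kind == "process_create":
        img = event.get("image", "")
        name = _basename(img)
        if event.get("sha256", "").lower() in KNOWN_BAD_SHA256:
            hits.append("ioc-hash-match")
        if name in LURE_NAMES:
            hits.append("onedrive-lure-filename")
        if name in RMM_IMAGES and unmanaged:
            hits.append("rmm-agent-on-unapproved-host")
        if name in RMM_IMAGES and any(fnmatch(img.lower(), p) for p in TEMP_PATTERNS):
            hits.append("rmm-agent-from-temp")
    elif kind == "scheduled_task_create":
        # Persistence: task action points into the Datto directory.
        if "\\datto\\" in event.get("action", "").lower() and unmanaged:
            hits.append("datto-persistence-task")
    elif kind == "network_connect":
        dst = event.get("dest_host", "").lower()
        if fnmatch(dst, "*.centrastage.net") and event.get("dest_port") == 443 and unmanaged:
            hits.append("datto-cloud-c2-from-unapproved-host")
    return hits


def hunt(lines):
    """Aggregate rule hits per host over JSON-lines telemetry."""
    findings = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in evaluate(ev):
            findings.setdefault(ev.get("host", "?"), set()).add(rule)
    return {h: sorted(r) for h, r in findings.items()}


# Constructed telemetry: one finance workstation showing the full chain,
# one IT host where Datto RMM is expected (hash value is the page's IOC).
SAMPLE_TELEMETRY = r"""
{"host": "fin-ws-07", "event": "process_create", "image": "C:\\Users\\jdoe\\Downloads\\DownloadedOneDriveDocument.exe", "sha256": "7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0"}
{"host": "fin-ws-07", "event": "process_create", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\RarSFX0\\AEMAgent.exe", "sha256": "constructed-unknown"}
{"host": "fin-ws-07", "event": "scheduled_task_create", "action": "C:\\ProgramData\\Datto\\agent-task.exe"}
{"host": "fin-ws-07", "event": "network_connect", "dest_host": "agent-example.centrastage.net", "dest_port": 443}
{"host": "it-admin-01", "event": "process_create", "image": "C:\\Program Files (x86)\\CentraStage\\AEMAgent.exe", "sha256": "constructed-unknown"}
{"host": "it-admin-01", "event": "network_connect", "dest_host": "agent-example.centrastage.net", "dest_port": 443}
"""

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_TELEMETRY.splitlines()).items():
        print(host, rules)
```

The approved-host allowlist is what makes the Datto rules usable: the agent binary and the centrastage.net traffic are legitimate on IT-managed machines, so the signal is "RMM where IT never deployed it", not the RMM itself.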
Expert opinion
We consider this campaign a typical example of the trend "SaaS-to-SaaS Attacks." The misuse of low-code/no-code platforms and AI automation is not just a technical issue but also highlights vulnerabilities in corporate governance.
Risks from Shadow Automation/AI: In an effort to boost productivity, employees often independently register and use tools like n8n, Zapier, or Softr.io without IT department approval. "Shadow Automation" creates a security blind spot: these accounts often lack MFA, are not monitored, and have access to sensitive data through APIs. Attackers are aware of this and are beginning to target businesses with lax automation infrastructures.
In Vietnam, where the wave of digital transformation and AI application is rapidly advancing, the absence of policies to control intermediary SaaS tools (Automation Governance) makes businesses attractive targets. Once attackers have embedded RMM tools like Datto or ITarian, they can remain undetected for extended periods, conduct lateral movement, and deploy ransomware at any time.
MITRE ATT&CK Mapping
| Phase | Technique | ID |
|---|---|---|
| Initial Access | Phishing: Spearphishing Link | T1566.002 |
| Execution | User Execution: Malicious File | T1204.002 |
| Defense Evasion | Trusted Relationship Abuse (SaaS) | T1199 |
| Command and Control | Remote Access Software | T1219 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
IOCs
File Hashes (SHA-256)
7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0
93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a
Network Indicators
hxxps[://]pagepoinnc[.]app[.]n8n[.]cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496
hxxps[://]monicasue[.]app[.]n8n[.]cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab
hxxps[://]onedrivedownload[.]zoholandingpage[.]com/my-workspace/DownloadedOneDrive
Recommendations
Immediate (0-24h)
Block network access from internal devices to all sub-domains *.app.n8n.cloud if the business does not use this service.
Review EDR logs to search for the presence of unfamiliar RMM tools (Datto, ITarian, AnyDesk, etc.) on user workstations outside of the IT department.
Short-term (1-7 days)
Conduct security awareness training, emphasizing the identification of phishing emails containing links to intermediary websites (such as n8n, Softr, Zoho Landing Page).
Set up alerts on the Email Security solution for emails containing webhook links or unapproved Automation platforms.
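Two of the behaviours described earlier, the 1x1 tracking pixel whose src points at an n8n webhook (Fingerprinting section) and the OneDrive-style share link that resolves to [subdomain].app.n8n.cloud/webhook/..., can be caught at the mail gateway before any user interaction. The following is an added example for this article, not part of the Talos research or any vendor product; it assumes the gateway can hand over raw RFC 822 messages, that the business has approved none of the listed automation domains, and the sample messages and tenant names are constructed.

```python
"""Flag n8n webhook links and webhook-backed tracking pixels in inbound mail.
Added example for this article, not gateway vendor or Talos code. Assumes
raw messages are available as bytes; sample messages are constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Automation/SaaS domains this tenant has not approved (assumption).
UNAPPROVED_AUTOMATION_SUFFIXES = (".app.n8n.cloud", ".softr.app", ".zoholandingpage.com")


class _LinkCollector(HTMLParser):
    """Collect anchor hrefs and image srcs, marking 0/1-pixel images."""

    def __init__(self):
        super().__init__()
        self.links = []  # (url, context) with context in {"anchor", "pixel", "image"}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], "anchor"))
        elif tag == "img" and a.get("src"):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.links.append((a["src"], "pixel" if tiny else "image"))


def classify_url(url):
    """Return findings for one URL based on host and path."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    findings = []
    if host.endswith(UNAPPROVED_AUTOMATION_SUFFIXES):
        findings.append("unapproved-automation-domain")
    if host.endswith(".app.n8n.cloud") and p.path.startswith("/webhook"):
        findings.append("n8n-webhook-path")
    return findings


def scan_email_html(html):
    """Return a list of {url, context, findings} for suspicious links."""
    c = _LinkCollector()
    c.feed(html)
    out = []
    for url, ctx in c.links:
        f = classify_url(url)
        if f and ctx == "pixel":
            f.append("tracking-pixel-to-webhook")  # fingerprinting beacon
        if f:
            out.append({"url": url, "context": ctx, "findings": f})
    return out


def verdict(html):
    """'alert' for webhook links/pixels, 'review' for other unapproved SaaS, else 'clean'."""
    results = scan_email_html(html)
    flat = {x for r in results for x in r["findings"]}
    if "tracking-pixel-to-webhook" in flat or "n8n-webhook-path" in flat:
        return "alert"
    return "review" if results else "clean"


def scan_raw_message(raw):
    """Parse a raw message, join its text/html parts and scan them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/html")
    return verdict(html), scan_email_html(html)


# Constructed sample: OneDrive-themed lure with a webhook pixel and webhook link.
SAMPLE_PHISH = (b"From: share@example.invalid\r\nTo: user@example.invalid\r\n"
                b"Subject: Document shared with you\r\n"
                b"Content-Type: text/html; charset=utf-8\r\n\r\n"
                b'<html><body><img src="https://tenant-a.app.n8n.cloud/webhook/px-0001" '
                b'width="1" height="1"><p>A folder was shared with you on OneDrive.</p>'
                b'<a href="https://tenant-a.app.n8n.cloud/webhook/download-file-0001">'
                b"Open folder</a></body></html>\r\n")

# Constructed sample: a genuine-looking share with no automation domains.
SAMPLE_CLEAN_HTML = ('<html><body><a href="https://onedrive.live.com/?id=example">'
                     "Open folder</a></body></html>")

if __name__ == "__main__":
    print(scan_raw_message(SAMPLE_PHISH))
    print(verdict(SAMPLE_CLEAN_HTML))
```

Keying the alert on the /webhook path rather than the whole n8n.cloud domain keeps the rule usable in an organisation that does license n8n: its own tenant name can be excluded from UNAPPROVED_AUTOMATION_SUFFIXES while webhook links from unknown tenants still fire.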
Long-term
Develop a SaaS & Automation Governance policy: Require centralized approval for all automation tools or AI workflows.
Transition to a Zero Trust model, strictly controlling API access and not automatically trusting requests from well-known cloud infrastructures.
References
https://gbhackers.com/hackers-exploit-n8n/#google_vignette
https://www.techrepublic.com/article/news-hackers-abuse-n8n-workflows-malware-delivery/
https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html