Back

Threat Actors Exploit n8n Webhooks for Malware Delivery and Phishing

Severity: High (Score: 64.5)

Sources: Rescana, Blog.Talosintelligence, Socprime, Scworld, Gbhackers

Summary

Cybercriminals are exploiting the n8n AI workflow automation platform to conduct phishing campaigns and deliver malware. Between October 2025 and March 2026, there was a 686% increase in phishing emails utilizing n8n-generated webhooks to deliver malicious payloads and collect device fingerprints. Attackers leverage n8n's webhook functionality, which allows them to send automated emails that appear to originate from trusted domains. These emails often contain links disguised as shared documents, leading users to download malware after completing a CAPTCHA. The malware includes modified versions of remote monitoring and management tools like Datto and ITarian. This trend highlights the growing misuse of legitimate automation tools for malicious purposes, posing a significant risk to organizations relying on such platforms. The current status indicates ongoing campaigns exploiting this vulnerability. Key Points: • n8n webhooks are being exploited for phishing and malware delivery. • Phishing emails embedding n8n links increased by 686% from January 2025 to March 2026. • Attackers use legitimate automation tools to bypass traditional security measures.

Key Entities

  • Data Exfiltration (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • CVE-2025-65964 (cve)
  • app.n8n.cloud (domain)
  • n8n.cloud (domain)
  • n8n.io (domain)
  • rescana.com (domain)
  • softr.io (domain)
  • Education (company)
  • Zapier (company)
  • Financial (industry)
  • Government (industry)
  • Healthcare (industry)
  • NWHStealer (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1071.001 - Web Protocols (mitre_attack)
  • T1566.001 - Spearphishing Attachment (mitre_attack)
  • Anthropic Claude (platform)
  • ITarian RMM (platform)
  • N8n (platform)
  • OpenAI Gpt-4 (platform)
  • Slack (platform)
  • Claude (tool)
  • Gmail (tool)
  • Google Chrome (tool)
  • Google Sheets (tool)
  • Gpt-4 (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed