Threat Actors Misuse n8n Automation for Malware Delivery

Severity: High (Score: 66.5)

Sources: Blog.Talosintelligence, Gbhackers, Cybersecuritynews

Summary

Cybercriminals are exploiting the n8n AI workflow automation platform to deliver malware through phishing emails. This campaign has seen a significant increase in the use of n8n-generated webhooks, with a reported 686% rise in such emails from January 2025 to March 2026. The attackers leverage these webhooks to mask the source of malicious payloads, making them appear as legitimate communications. The abuse of n8n has been linked to device fingerprinting and malware distribution, affecting users who interact with these automated emails. Security analysts have observed this trend growing since October 2025, indicating a shift in how threat actors utilize legitimate tools for malicious purposes. As of April 2026, the situation remains critical, with ongoing investigations into the extent of the impact and potential mitigation strategies.

Key Points

  • n8n webhooks are being exploited to deliver malware via phishing emails.
  • There was a 686% increase in n8n webhook-related emails from January 2025 to March 2026.
  • The campaign has been active since October 2025, affecting users of the n8n platform.

Key Entities

  • Data Exfiltration (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • n8n.cloud (domain)
  • n8n.io (domain)
  • softr.io (domain)
  • tti.app (domain)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Anthropic Claude (platform)
  • n8n (platform)
  • OpenAI GPT-4 (platform)
  • Slack (platform)
  • Windows (platform)
  • Gmail (tool)
  • Google Sheets (tool)
  • OneDrive (tool)
  • Armadillo Anti-analysis Packer (tool)
  • Datto RMM Tool (tool)
  • Zapier (company)