n8n Webhooks Hijacked for Malware Delivery and Device Fingerprinting
- John Jordan
- Apr 16
Updated: Apr 20
Cybercriminals have been abusing the n8n AI workflow automation platform since October 2025 to deliver malware and fingerprint devices through phishing campaigns. Because the malicious links live on n8n's legitimate infrastructure, they pass domain-reputation and URL-based filters, turning a productivity tool into a delivery channel for malicious payloads.

Key Takeaways
Threat actors are weaponizing n8n webhooks for phishing campaigns.
Malware payloads and device fingerprinting are delivered via trusted n8n subdomains.
This abuse bypasses conventional security measures by using legitimate infrastructure.
The volume of malicious emails carrying n8n webhook URLs has risen sharply since late 2025.
Exploiting Trusted Infrastructure
n8n is a popular platform that lets users connect web applications and AI services to automate tasks. Users can create developer accounts, each of which provisions a unique subdomain under n8n's own domain namespace. Because the parent domain belongs to a recognized service, traffic to and from these subdomains inherits its reputation.
Attackers abuse n8n's URL-exposed webhooks, which act as a "reverse API": a workflow listens at a URL and runs its subsequent steps whenever that URL receives a request, and it can return a response to whoever made the request. In these phishing campaigns the requester is the recipient's browser, which renders the workflow's response as a web page.
Malware Delivery Campaigns
One observed campaign involved phishing emails disguised as shared Microsoft OneDrive documents. Clicking a malicious n8n webhook link led users to a CAPTCHA page. Upon completion, a malicious payload, such as an executable file named "DownloadedOneDriveDocument.exe," was downloaded. This payload installed modified versions of legitimate Remote Monitoring and Management (RMM) tools like Datto or ITarian Endpoint Management, establishing persistent connections to command-and-control servers.
Another campaign delivered a weaponized Microsoft Windows Installer (MSI) file, which also installed an RMM tool that acted as a backdoor for data exfiltration. Because the download was initiated by JavaScript on the page the webhook returned, the entire chain, including the file download, appeared to originate from the trusted n8n domain.
Device Fingerprinting
Beyond malware delivery, n8n webhooks are also used for device fingerprinting. Attackers embed invisible tracking pixels in emails, with the image hosted at an n8n webhook URL. When an email client loads the pixel, it sends an HTTP GET request to the n8n URL; the attacker appends tracking parameters such as the victim's email address to the query string, and the request itself reveals the client's IP address and User-Agent. This lets attackers confirm live mailboxes and profile recipients for later exploitation.
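The two lures described in the last two sections (a webhook link disguised as a shared document, and a webhook-hosted tracking pixel) can both be picked out of a message body with the same check. The following is an added example, not code from the page, from Cisco Talos or from n8n. It assumes n8n cloud instances live under *.app.n8n.cloud and expose webhooks under /webhook/ or /webhook-test/ (both are assumptions; self-hosted instances use whatever host they are deployed on), and the email body is a constructed sample modelled on the OneDrive-share theme.

```python
"""Find n8n webhook URLs in an HTML email, separating phishing links from
tracking pixels. Added example: not code from the page, Cisco Talos or n8n."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumptions: n8n cloud instances live under *.app.n8n.cloud and webhooks are
# exposed under /webhook/ or /webhook-test/; extend for self-hosted instances.
N8N_SUFFIXES = (".app.n8n.cloud",)
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")


def is_n8n_webhook(url):
    """True for an http(s) URL whose host is an n8n cloud subdomain and whose
    path is a webhook endpoint."""
    try:
        p = urlparse(url)
    except ValueError:
        return False
    host = (p.hostname or "").lower()
    return (p.scheme in ("http", "https")
            and host.endswith(N8N_SUFFIXES)
            and p.path.startswith(WEBHOOK_PREFIXES))


def _is_pixel(attrs):
    """Heuristic: a 1x1 (or 0x0) or hidden image is a tracking pixel, not content."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


class _Collector(HTMLParser):
    """Walks the message body and records every n8n webhook reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already unescapes &amp; in attribute values
        if tag == "a" and a.get("href"):
            self._record(a["href"], "link")
        elif tag == "img" and a.get("src"):
            self._record(a["src"], "tracking_pixel" if _is_pixel(a) else "image")

    def _record(self, url, kind):
        if is_n8n_webhook(url):
            query = parse_qs(urlparse(url).query)  # the per-recipient tracking data
            self.findings.append({"kind": kind, "url": url,
                                  "params": {k: v[0] for k, v in query.items()}})


def scan_email(html):
    """Return a list of findings, in document order, for one HTML email body."""
    c = _Collector()
    c.feed(html)
    c.close()
    return c.findings


# Constructed lure (hostnames and paths are invented) modelled on the
# OneDrive-share theme: one webhook link plus one webhook-hosted pixel.
SAMPLE_EMAIL = """<html><body>
<p>Someone shared "Q2 invoice" with you on OneDrive.</p>
<a href="https://share-docs-7731.app.n8n.cloud/webhook/onedrive?doc=Q2-invoice">Open document</a>
<a href="https://onedrive.live.com/">Go to OneDrive</a>
<img src="https://share-docs-7731.app.n8n.cloud/webhook/px?e=victim%40example.com&amp;c=q2" width="1" height="1">
<img src="https://cdn.example.com/logo.png" width="120">
</body></html>"""

if __name__ == "__main__":
    for f in scan_email(SAMPLE_EMAIL):
        print(f["kind"], f["url"], f["params"])
```

Run against the sample, the scanner reports the lure link (with its doc parameter) and the 1x1 pixel whose query string carries the recipient's address; the genuine OneDrive link and the logo are ignored. Matching on the webhook path rather than the bare domain is what keeps this from flagging every n8n-hosted resource.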
Increased Activity and Recommendations
Security researchers noted a substantial increase in emails containing n8n webhook URLs, with volumes in March 2026 being significantly higher than in January 2025. This trend highlights the growing abuse of legitimate automation platforms for malicious purposes.
To counter these threats, security teams are advised to move beyond blocking the n8n domain outright (which also breaks legitimate workflows) and implement behavioral detection: inventory the n8n subdomains the organization actually uses, flag endpoints that contact any other n8n subdomain, and alert on unusual traffic volumes to automation platforms from unexpected sources, such as many workstations reaching one newly seen webhook URL within minutes. Collaborative intelligence sharing and robust AI-driven email security solutions are also recommended.
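The recommendations above can be expressed as three log rules: an allowlist of sanctioned n8n subdomains, a check for executable content returned by a webhook (the malware-delivery pattern from the campaigns described earlier), and a burst rule for many internal clients hitting the same unknown subdomain. The following is an added example, not code from the page, from Cisco Talos or from n8n. It assumes one sanctioned n8n cloud subdomain, the *.app.n8n.cloud suffix, and a constructed whitespace-separated proxy log; adapt the parser to your proxy or DNS log format.

```python
"""Behavioural detection of n8n webhook abuse over endpoint/proxy logs.
Added example: not code from the page, Cisco Talos or n8n."""
from collections import defaultdict

# Assumption: the organisation's own automation runs on one sanctioned n8n
# cloud subdomain; the ".app.n8n.cloud" suffix is assumed, adjust as needed.
N8N_SUFFIX = ".app.n8n.cloud"
SANCTIONED_HOSTS = {"ops-automation.app.n8n.cloud"}
# Executable content a trusted automation workflow has no reason to serve.
BINARY_TYPES = {"application/x-msdownload", "application/x-msi", "application/octet-stream"}
BINARY_EXTS = (".exe", ".msi")
BURST_HOSTS = 3  # distinct internal clients hitting one unsanctioned subdomain

# Constructed proxy log (all hosts and addresses invented):
# timestamp src_ip host path status content_type bytes
DEMO_LOG = """\
2026-03-12T09:01:10Z 10.0.5.21 ops-automation.app.n8n.cloud /webhook/ticket-sync 200 application/json 512
2026-03-12T09:03:44Z 10.0.7.14 share-docs-7731.app.n8n.cloud /webhook/onedrive 200 text/html 2048
2026-03-12T09:03:51Z 10.0.7.14 share-docs-7731.app.n8n.cloud /webhook/onedrive/dl 200 application/x-msdownload 1843200
2026-03-12T09:05:02Z 10.0.7.33 share-docs-7731.app.n8n.cloud /webhook/onedrive 200 text/html 2048
2026-03-12T09:05:40Z 10.0.7.48 share-docs-7731.app.n8n.cloud /webhook/onedrive 200 text/html 2048
2026-03-12T09:06:11Z 10.0.9.2 cdn.example.com /static/logo.png 200 image/png 8100
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, src, host, path, status, ctype, size = line.split()
    return {"ts": ts, "src": src, "host": host.lower(), "path": path,
            "status": int(status), "ctype": ctype.lower(), "bytes": int(size)}


def detect(lines):
    """Return a list of alert dicts; each carries a 'rule' key."""
    alerts, seen_pairs = [], set()
    clients_per_host = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        host = ev["host"]
        if not host.endswith(N8N_SUFFIX) or host in SANCTIONED_HOSTS:
            continue  # not n8n traffic, or a workflow we provisioned ourselves
        # Rule 1: a client talking to an n8n subdomain we did not provision
        if (ev["src"], host) not in seen_pairs:
            seen_pairs.add((ev["src"], host))
            alerts.append({"rule": "unsanctioned_n8n_host", "src": ev["src"], "host": host})
        clients_per_host[host].add(ev["src"])
        # Rule 2: a webhook handing back an executable, the malware-delivery pattern
        if ev["path"].startswith("/webhook") and (
                ev["ctype"] in BINARY_TYPES or ev["path"].lower().endswith(BINARY_EXTS)):
            alerts.append({"rule": "binary_from_webhook", "src": ev["src"],
                           "host": host, "path": ev["path"], "bytes": ev["bytes"]})
    # Rule 3: many distinct clients reaching the same unknown subdomain looks
    # like a phishing wave landing, not one user's legitimate integration
    for host, clients in clients_per_host.items():
        if len(clients) >= BURST_HOSTS:
            alerts.append({"rule": "webhook_burst", "host": host, "clients": sorted(clients)})
    return alerts


if __name__ == "__main__":
    for alert in detect(DEMO_LOG.splitlines()):
        print(alert)
```

On the sample log the sanctioned ticket-sync traffic and the CDN request are silent, three workstations are each flagged once for reaching the unknown subdomain, the 1.8 MB application/x-msdownload response from the webhook raises a binary-delivery alert, and the three clients together trip the burst rule. The burst threshold and the time window it implies should be tuned to real traffic; the allowlist is the part worth keeping current.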
By staying vigilant and adopting safe browsing practices, users can significantly reduce their exposure to these evolving threats. As cyber threats continue to evolve, your security strategy needs to evolve with them. BetterWorld Technology delivers adaptive cybersecurity solutions designed to keep your business secure while supporting innovation. Connect with us today to schedule a personalized consultation.
Sources
n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails, The Hacker News.
How threat actors are misusing AI workflow automation, Cisco Talos Blog.
Hackers Exploit n8n Webhooks to Spread Malware, GBHackers News.
Hackers Abuse n8n AI Workflow Automation to Deliver Malware Through Trusted Webhooks, CyberSecurityNews.
n8n Webhooks Deliver Malware in Phishing Campaigns, Let's Data Science.
