Surge in Malware and Phishing Attacks via n8n Webhooks: Analysis of Cloud Workflow Automation Abuse (2025-2026)

Executive Summary

Since October 2025, cybercriminals have been actively exploiting the webhook functionality of the n8n workflow automation platform to deliver malware and conduct advanced phishing campaigns. By leveraging the trusted cloud infrastructure of n8n, attackers have been able to bypass traditional email security controls, automate malicious payload delivery, and perform device fingerprinting on victims. This abuse has resulted in a dramatic increase in phishing incidents, with a 686% surge in emails containing n8n webhook URLs observed between January 2025 and March 2026. The sophistication of these campaigns, which combine social engineering with technical exploitation of SaaS automation, poses a significant threat to organizations across all sectors.

Threat Actor Profile

The threat actors abusing n8n webhooks are primarily financially motivated cybercriminals, rather than state-sponsored advanced persistent threat (APT) groups. These actors demonstrate a high degree of technical proficiency, leveraging automation platforms to scale their operations and evade detection. The campaigns are characterized by opportunistic targeting, with attackers using generic phishing lures such as document sharing notifications or security alerts. There is evidence that multiple criminal groups are adopting this technique, as indicated by the diversity of payloads and infrastructure observed in the wild. The use of legitimate cloud services like n8n enables these actors to exploit the implicit trust organizations place in SaaS providers, making their campaigns more effective and harder to block.

Technical Analysis of Malware/TTPs

The core of the attack involves the abuse of n8n's webhook feature, which allows users to create unique, publicly accessible URLs that trigger automated workflows. Attackers register accounts on the n8n cloud service, generating subdomains in the format *.app.n8n.cloud. These subdomains host webhook endpoints that are embedded in phishing emails sent to potential victims.

Upon clicking a malicious n8n webhook link, the victim is typically redirected to a web page that may display a CAPTCHA or other benign-looking content to evade automated analysis. Interaction with the page triggers the download of a malicious payload, often an executable or MSI installer, from an external server. The payloads observed in these campaigns are frequently modified versions of legitimate Remote Monitoring and Management (RMM) tools, such as Datto RMM and ITarian Endpoint Management. These tools are abused to establish persistence, enable remote access, and facilitate lateral movement within the victim's environment.

In addition to malware delivery, some campaigns use n8n webhooks to perform device fingerprinting and victim tracking. This is achieved by embedding invisible images or tracking pixels in phishing emails, which, when loaded, send HTTP GET requests to the attacker's webhook endpoint. These requests leak metadata such as the victim's email address, IP address, and user agent, enabling targeted follow-up attacks.

The technical sophistication of these campaigns is further demonstrated by the use of short-lived or obfuscated domains for payload delivery, dynamic command-and-control (C2) infrastructure, and the chaining of multiple SaaS services to complicate attribution and takedown efforts.

Exploitation in the Wild

Real-world exploitation of n8n webhooks has been prolific since late 2025. Security researchers from Cisco Talos and other organizations have documented a sharp increase in phishing emails containing n8n webhook URLs. These emails often masquerade as notifications about shared documents, invoices, or security alerts, enticing recipients to click on the embedded links.

Upon clicking, victims are taken to n8n-hosted pages that may present a CAPTCHA or other decoy content. After passing the CAPTCHA, the victim is prompted to download a file, which is typically a trojanized RMM installer. Once executed, the malware establishes persistence and connects to a remote C2 server, granting the attacker ongoing access to the compromised system.

In addition to direct malware delivery, attackers have used n8n webhooks for reconnaissance and tracking. By embedding tracking pixels in emails, they can determine which recipients have opened the message and gather information about their devices. This intelligence is used to prioritize high-value targets and tailor subsequent attacks.

The abuse of n8n webhooks is not limited to a single malware family or campaign. Multiple threat actors have adopted this technique, leading to a diverse array of payloads and tactics observed in the wild. The common thread is the exploitation of n8n's webhook infrastructure to bypass security controls and automate malicious operations.

Victimology and Targeting

The campaigns abusing n8n webhooks have targeted a broad spectrum of organizations, with a focus on sectors that rely heavily on email communication and SaaS platforms. Victims include enterprises in finance, healthcare, education, and government, as well as small and medium-sized businesses. The opportunistic nature of the phishing lures suggests that attackers are casting a wide net, but the use of tracking pixels and device fingerprinting enables them to identify and pursue high-value targets.

Geographically, the attacks have been observed in North America, Europe, and Asia-Pacific, reflecting the global reach of n8n's cloud service. There is no evidence of targeting based on language or region, indicating that the campaigns are primarily driven by financial motives rather than geopolitical considerations.

The use of legitimate RMM tools as payloads increases the likelihood of successful compromise, as these applications are often whitelisted or overlooked by security solutions. This, combined with the trusted reputation of n8n's cloud infrastructure, makes the campaigns particularly effective at evading detection and achieving initial access.

Mitigation and Countermeasures

To defend against the abuse of n8n webhooks, organizations should implement a multi-layered security strategy. Email security solutions should be configured to detect and block messages containing links to *.app.n8n.cloud domains, unless there is a verified business need for such communications. Security teams should monitor network traffic for connections to suspicious n8n webhook URLs and external payload delivery domains.
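The following detection logic is an added example, not part of the original advisory or of n8n's own tooling. It scans constructed proxy log lines (the log layout is assumed) for requests to *.app.n8n.cloud webhook endpoints and, for the tracking-pixel case described earlier, extracts query-string values that look like leaked email addresses; look-alike hosts and non-webhook paths on the same domain are deliberately not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tenant webhooks live under <tenant>.app.n8n.cloud; n8n serves production
# webhooks at /webhook/<id> and test webhooks at /webhook-test/<id>.
N8N_TENANT_HOST_RE = re.compile(r"\.app\.n8n\.cloud$", re.IGNORECASE)
WEBHOOK_PATH_RE = re.compile(r"^/webhook(-test)?/", re.IGNORECASE)
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.IGNORECASE)
# Assumed (hypothetical) proxy log layout: ts src_ip method url "user-agent"
LOG_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines, not real traffic or real indicators.
SAMPLE_LOG = """\
2026-03-02T09:14:05Z 10.1.4.23 GET https://acme-corp.app.n8n.cloud/webhook/9f3c1b2a?e=j.doe%40example.org "Mozilla/5.0 Outlook"
2026-03-02T09:14:06Z 10.1.4.23 GET https://www.example.org/docs/index.html "Mozilla/5.0"
2026-03-02T09:15:40Z 10.1.4.57 GET https://tenant2.app.n8n.cloud/webhook-test/abcd "Mozilla/5.0 Chrome/123"
2026-03-02T09:16:01Z 10.1.4.88 GET https://app.n8n.cloud/login "Mozilla/5.0 Chrome/123"
2026-03-02T09:17:12Z 10.1.4.90 GET https://x.app.n8n.cloud.evil.example/webhook/1 "curl/8.0"
"""

def is_n8n_webhook(url):
    """Tenant host AND webhook path; look-alike hosts and /login are not flagged."""
    parts = urlsplit(url)
    return bool(N8N_TENANT_HOST_RE.search(parts.hostname or "")) \
        and bool(WEBHOOK_PATH_RE.match(parts.path))

def leaked_identifiers(url):
    """Query values that look like e-mail addresses (tracking-pixel leak)."""
    found = []
    for key, values in parse_qs(urlsplit(url).query).items():
        found.extend((key, v) for v in values if EMAIL_RE.fullmatch(v))
    return found

def find_n8n_webhook_hits(log_text):
    """One finding per log line that requests an n8n tenant webhook."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed layout
        ts, src_ip, _method, url, user_agent = m.groups()
        if not is_n8n_webhook(url):
            continue
        ids = leaked_identifiers(url)
        hits.append({"ts": ts, "src_ip": src_ip, "url": url, "user_agent": user_agent,
                     "leaked_identifiers": ids,
                     "verdict": "possible tracking pixel" if ids else "webhook contact"})
    return hits
```

A hit with leaked identifiers from a mail-client user agent is the strongest signal of the tracking-pixel technique; a hit without them still warrants checking the referring email for a CAPTCHA or download lure.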

Endpoint protection platforms should be updated to detect and block unauthorized installations of RMM tools such as Datto RMM and ITarian Endpoint Management. Regular audits of installed software can help identify and remove malicious or unauthorized remote access tools.

User awareness training is critical, as social engineering remains a key component of these campaigns. Employees should be educated about the risks of clicking on unexpected links, especially those purporting to be from trusted SaaS providers or containing CAPTCHAs and download prompts.

For organizations using self-hosted n8n instances, it is essential to upgrade to version 1.119.2 or later, as this release addresses the vulnerabilities exploited in these campaigns (see CVE-2025-65964 and n8n Security Advisory GHSA-wpqc-h9wp-chmq). Administrators should also review the configuration of webhook endpoints, restrict public access where possible, and exclude unnecessary nodes such as the Git Node, following n8n's security best practices.

Finally, organizations should maintain up-to-date threat intelligence feeds and collaborate with trusted partners to stay informed about emerging TTPs and indicators of compromise related to n8n webhook abuse.

References

The following sources provide additional technical details and context for the abuse of n8n webhooks:

Cisco Talos: The n8n n8mare (https://blog.talosintelligence.com/the-n8n-n8mare/)
The Hacker News: n8n Webhooks Abused Since October 2025 (https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html)
LetsDataScience: n8n Webhooks Deliver Malware in Phishing Campaigns (https://letsdatascience.com/news/n8n-webhooks-deliver-malware-in-phishing-campaigns-616f8be8)
Cyber News Live LinkedIn Post (https://www.linkedin.com/posts/cyber-news-live_n8n-webhooks-abused-since-october-2025-to-activity-7450347640707272704-pukk)
NVD: CVE-2025-65964 (https://nvd.nist.gov/vuln/detail/CVE-2025-65964)
n8n Security Advisory GHSA-wpqc-h9wp-chmq (https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq)
n8n Release Notes 1.119.2 (https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2)
n8n Docs: Exclude Nodes (https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes)
MITRE ATT&CK Techniques (https://attack.mitre.org/)

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help safeguard your organization, or for any questions regarding this advisory, please contact us at ops@rescana.com.