<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Workflow-Automation — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/workflow-automation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Apr 2026 10:03:05 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/workflow-automation/feed.xml" rel="self" type="application/rss+xml"/><item><title>n8n AI Workflow Automation Platform Abused for Malware Delivery and Device Fingerprinting</title><link>https://feed.craftedsignal.io/briefs/2026-04-n8n-abuse/</link><pubDate>Wed, 15 Apr 2026 10:03:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-n8n-abuse/</guid><description>Threat actors are abusing the n8n AI workflow automation platform to deliver malware and fingerprint devices via phishing campaigns, bypassing traditional security filters by leveraging trusted infrastructure.</description><content:encoded><![CDATA[<p>Cisco Talos has observed a surge in the abuse of agentic AI workflow automation platforms, specifically n8n, in phishing campaigns between October 2025 and March 2026. Attackers are leveraging the trusted infrastructure of n8n to bypass traditional security filters and deliver malware or fingerprint devices. This involves embedding n8n webhook URLs in phishing emails, which redirect victims to malicious content served through the n8n platform. 
This technique effectively turns a productivity tool into a delivery mechanism for persistent remote access, highlighting the evolving tactics of threat actors exploiting legitimate services. Talos observed a 686% increase in emails containing n8n webhook URLs between January 2025 and March 2026, indicating the growing prevalence of this attack vector.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a phishing email containing a malicious link.</li>
<li>The link is an n8n webhook URL pointing to a workflow controlled by the attacker on a subdomain of <code>tti.app.n8n[.]cloud</code>.</li>
<li>The victim receives the email and clicks the embedded n8n webhook URL, believing it to be a legitimate service.</li>
<li>Clicking the link redirects the victim&rsquo;s browser to the n8n platform, which triggers the pre-configured workflow.</li>
<li>The n8n workflow serves an HTML page containing a CAPTCHA to the victim&rsquo;s browser.</li>
<li>After the victim completes the CAPTCHA, the webpage presents a download button, concealing the true source of the payload.</li>
<li>Clicking the download button initiates the download of a malicious executable (e.g., &ldquo;DownloadedOneDriveDocument.exe&rdquo;) from an external host.</li>
<li>The executable installs a modified version of Datto RMM and establishes a connection to a relay on <code>centrastage[.]net</code>, granting the attacker remote access to and control over the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The abuse of n8n for malware delivery and device fingerprinting can lead to significant compromise of targeted systems. Successful exploitation allows attackers to gain remote access via tools like the modified Datto RMM, enabling them to steal sensitive data, deploy ransomware, or conduct further malicious activities within the compromised network. The rise in n8n webhook URL usage in phishing emails, with a 686% increase in volume from January 2025 to March 2026, indicates a potentially widespread impact across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor email traffic for URLs containing <code>tti.app.n8n[.]cloud</code> and flag them as suspicious (IOC table).</li>
<li>Implement a detection rule to identify network connections to <code>centrastage[.]net</code> initiated by unusual processes (Sigma rule below).</li>
<li>Inspect process creation events for the execution of &ldquo;DownloadedOneDriveDocument.exe&rdquo; or similar filenames downloaded from n8n domains (Sigma rule below).</li>
<li>Block the domains <code>tti.app.n8n[.]cloud</code> and <code>centrastage[.]net</code> at the DNS resolver (IOC table).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>n8n</category><category>phishing</category><category>malware</category><category>workflow-automation</category></item></channel></rss>