{
  "Event": {
    "analysis": "1",
    "date": "2026-04-15",
    "extends_uuid": "",
    "info": "[Threat Intel] The n8n n8mare: How threat actors are misusing AI workflow automation",
    "protected": false,
    "publish_timestamp": "1776682906",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776682906",
    "uuid": "55d9dc37-936f-4547-9f9b-e47e239c23aa",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#7c6ad9",
        "local": false,
        "name": "misp-galaxy:producer=\"Cisco Talos Intelligence Group\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#db2044",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1598.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b672a4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#e00500",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#a0d02a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing for Information - T1598\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0068",
        "local": false,
        "name": "rectifyq:topic=\"cloud\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776308412",
        "to_ids": false,
        "type": "link",
        "uuid": "48fc2912-9545-4370-8004-030522eabac0",
        "value": "https://blog.talosintelligence.com/the-n8n-n8mare/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776308412",
        "to_ids": false,
        "type": "text",
        "uuid": "42bbdc7d-d61b-4e03-901a-6dfc3dd2f59e",
        "value": "Investigation reveals widespread abuse of n8n, an AI workflow automation platform, in sophisticated phishing campaigns from October 2025 through March 2026. Attackers exploit the platform's webhook functionality to deliver malware and fingerprint devices while bypassing security filters through trusted infrastructure. The volume of email containing n8n webhook URLs increased by 686% between January 2025 and March 2026. Observed campaigns utilize CAPTCHA-protected pages to deliver remote access tools including modified Datto RMM and ITarian Endpoint Management software. The webhooks mask malicious payload sources behind legitimate n8n domains. Additional abuse cases involve tracking pixels embedded in emails for device fingerprinting. These attacks demonstrate how legitimate productivity and automation platforms can be weaponized. Because the payloads sit behind trusted n8n domains, protecting organizational workflows requires behavioral detection approaches rather than simple domain blocking."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776308412",
        "to_ids": false,
        "type": "text",
        "uuid": "334dc664-a980-4c1c-9ebb-b86f569d8489",
        "value": "Name: The n8n n8mare: How threat actors are misusing AI workflow automation\nAuthor: AlienVault\nAdversary: UAT-10362\nTags: [\"datto rmm\", \"phishing campaign\", \"n8n\", \"webhook abuse\", \"lucidrook\"]\nTargeted countries: [\"Taiwan\"]\nMalware families: [\"LucidRook\", \"DownloadedOneDriveDocument.exe\", \"OneDrive_Document_Reader_pHFNwtka_installer.msi\"]\nATT&CK technique IDs: [\"T1053.005\", \"T1204.002\", \"T1566.002\", \"T1598.003\", \"T1566.001\", \"T1053\", \"T1219\", \"T1059\", \"T1102\", \"T1204\", \"T1059.001\", \"T1566\", \"T1027\", \"T1102.002\", \"T1598\", \"T1027.002\", \"T1105\"]\nIndustries: [\"NGO\", \"Education\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776308412",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "6c45d430-8dd1-40f3-a9eb-e901dc45f899",
        "value": "UAT-10362"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656612",
        "to_ids": true,
        "type": "url",
        "uuid": "cd06108e-0714-415d-9287-a90101f5414f",
        "value": "http://majormetalcsorp.com/Openfolder",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656633",
        "to_ids": true,
        "type": "url",
        "uuid": "059f92da-71c8-4b83-aa80-32999a75f7aa",
        "value": "http://monicasue.app.n8n.cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656654",
        "to_ids": true,
        "type": "url",
        "uuid": "9dacfd49-e3c2-4d59-9ad6-c57f4d9baa0f",
        "value": "http://onedrivedownload.zoholandingpage.com/my-workspace/DownloadedOneDrive",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656675",
        "to_ids": true,
        "type": "url",
        "uuid": "66fbab8e-af52-4fd3-a52c-e9ed2a0fffa3",
        "value": "http://pagepoinnc.app.n8n.cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656696",
        "to_ids": true,
        "type": "domain",
        "uuid": "404e5cd9-e2b6-4021-8e35-10fd858fce75",
        "value": "majormetalcsorp.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656717",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e19984ba-c111-4d54-b55c-dbd2f6778fc3",
        "value": "monicasue.app.n8n.cloud",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656738",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1754a9e3-aeb1-41d2-97e0-191f3588ac8b",
        "value": "onedrivedownload.zoholandingpage.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656759",
        "to_ids": true,
        "type": "hostname",
        "uuid": "99368f21-01fc-4411-8feb-5817990cd5f0",
        "value": "pagepoinnc.app.n8n.cloud",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656781",
        "to_ids": true,
        "type": "hostname",
        "uuid": "13da03d2-88c8-4c43-9027-77af7c9beca8",
        "value": "tti.app.n8n.cloud",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656802",
        "to_ids": true,
        "type": "url",
        "uuid": "a2dcaf81-6cf9-4682-be55-2b19b776083b",
        "value": "https://onedrivedownload.zoholandingpage.com/my-workspace/DownloadedOneDrive",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656823",
        "to_ids": true,
        "type": "url",
        "uuid": "81d3f169-746c-4216-ac4b-0c66b144763c",
        "value": "https://majormetalcsorp.com/Openfolder",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656844",
        "to_ids": true,
        "type": "url",
        "uuid": "2d94774d-44bc-477a-87b2-d14ed57c6c78",
        "value": "https://pagepoinnc.app.n8n.cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656865",
        "to_ids": true,
        "type": "url",
        "uuid": "99bfab36-bf80-47aa-8456-d6201d3956e5",
        "value": "https://monicasue.app.n8n.cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776656886",
        "uuid": "f794d80a-b1f7-491c-9c57-62ebe9600bcb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776656886",
            "to_ids": true,
            "type": "md5",
            "uuid": "0619457d-c3fc-4008-82d0-0ce5b67f4107",
            "value": "1a37b674ed29c877890834e9aba616d9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776654501",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b93e52a6-343e-4ec2-89d5-cffc2474b001",
            "value": "ea5d2096a2ef3dfe4fb870bd1f0270efaea993a6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776654501",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a06685f1-5e6f-4d8b-a79d-7d4f56026a60",
            "value": "7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776654318",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c4b7bc0d-a4e8-4dcb-896f-29cf47ceb684",
            "value": "1572864:7UorGQf6/f/wEtBJhsVViVS1SVbF2QdapcL5MNK2Ji2oNWX8mR2F71H0:JrGHwmCDqbVbIQdb5MHoNWFR2F71U"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776654318",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4dba088c-1ad5-4fcb-82c2-53b6649df107",
            "value": "114102272"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776654318",
            "to_ids": true,
            "type": "vhash",
            "uuid": "248540c8-d6a0-49dc-ba98-87f9013cbdc3",
            "value": "5dbc17ed37a6e98f93a9fc8966d583bd"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776654318",
            "to_ids": true,
            "type": "filename",
            "uuid": "bfee6047-4fc8-46ff-a6c4-d6c7dc4fab13",
            "value": "Adobe-Reader-Installer.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  18/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776654318",
            "to_ids": false,
            "type": "text",
            "uuid": "480250c5-d413-4c57-94a3-b452aad53481",
            "value": "Type Description: Windows Installer\nMicrosoft: None\nVT Total Detection:4/62\nFirst Submission:2026-01-09T23:17:00.000000+00:00\nLast Submission:2026-04-19T21:54:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776656907",
        "uuid": "260f6747-4dcd-483f-a397-69245478dc12",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776656907",
            "to_ids": true,
            "type": "md5",
            "uuid": "bb6a9b45-0acf-4309-a81b-18ea918108f7",
            "value": "629ce6eb0387a8f72d72d43fa6d74521",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776654502",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f419951f-923a-4a26-9f2f-4f1783377613",
            "value": "4fc85d62d4ecbb29de2dd2a0547bd0f0e38696df",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776654502",
            "to_ids": true,
            "type": "sha256",
            "uuid": "64949580-4117-4ad3-9307-2e4c4800b6c0",
            "value": "93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776654340",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1330223b-ee3e-450a-a602-635e2525dde3",
            "value": "196608:laZk+wqP+CHD4a+KFwUUUx9Y2NPFOsti7A95rIUsFp29XaIT030Hy0SarlZr8s2J:hnVmzZFw5S9pE7Asjp29qIT0jarlZr8N"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776654340",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7186abe8-1e56-4fb2-8382-806b6df50fe5",
            "value": "11056056"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776654340",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bf597809-08db-4037-bc05-156a90bb1373",
            "value": "0170766d157c0d5d0d60a043z8003a7z47z62z3efz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776654340",
            "to_ids": true,
            "type": "filename",
            "uuid": "c44b69c4-ab9a-43d1-8ef0-d7ce931b60a2",
            "value": "DownloadedOneDriveDocument (1).exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  19/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776654340",
            "to_ids": false,
            "type": "text",
            "uuid": "bdc09ae4-bfa2-4f06-bc1a-f7a94be563a5",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:23/72\nFirst Submission:2026-03-20T15:32:34.000000+00:00\nLast Submission:2026-03-25T15:40:55.000000+00:00"
          }
        ]
      }
    ]
  }
}