Threat actors are increasingly abusing the n8n AI workflow automation platform by leveraging its webhook functionality to bypass traditional security filters. These webhooks are embedded in phishing emails to serve CAPTCHA-protected malware payloads, including modified Datto and ITarian RMM tools, or to deploy invisible tracking pixels for device fingerprinting and reconnaissance.

Sens: 24h | Conf: high | Analyzed: 2026-04-15

Authors: Sean Gallagher, Omid Mirzaei

Actors: Datto RMM Abuse Campaign, ITarian Endpoint Management Abuse Campaign

Source: Cisco Talos

IOCs: 6

Key Takeaways

  • Threat actors are abusing the n8n AI workflow automation platform by leveraging its webhooks to bypass security filters and deliver malware.
  • Phishing emails use n8n webhook URLs to serve dynamic, CAPTCHA-protected HTML pages that download malicious payloads.
  • Attackers are deploying modified, legitimate Remote Monitoring and Management (RMM) tools, specifically Datto RMM and ITarian Endpoint Management, as backdoors.
  • Invisible tracking pixels embedded in emails point to n8n webhooks to track email opens and fingerprint recipient devices.
  • The attack chain utilizes NSIS executables, malicious DLL registration, and PowerShell for persistence and C2 communication.

Affected Systems

  • Windows
  • Email Clients

Attack Chain

The attack begins with a phishing email containing an n8n webhook URL. Clicking the link directs the victim to a CAPTCHA-protected webpage hosted via the webhook, which dynamically serves a malicious download (an NSIS executable or MSI file) upon completion. The downloaded dropper installs a modified legitimate RMM tool (Datto or ITarian), registers malicious DLLs and services for persistence, and executes PowerShell scripts to establish a connection to a remote C2 server for backdoor access and data exfiltration.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Cisco Talos GitHub Repository

Cisco Talos provides a list of IOCs on their GitHub repository and recommends implementing behavioral detection for anomalous traffic to AI automation platforms.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can effectively monitor the execution of msiexec.exe, the creation of scheduled tasks or services via PowerShell, and the anomalous behavior of RMM tools.
  • Network Visibility: Medium — Webhook traffic is encrypted (HTTPS) and hosted on legitimate n8n cloud infrastructure, making it difficult to distinguish from benign traffic without behavioral baselining or SSL inspection.
  • Detection Difficulty: Moderate — The reliance on legitimate infrastructure (n8n) and legitimate administrative tools (Datto, ITarian) makes static signature-based detection prone to false positives. Detection requires correlating process ancestry and behavioral anomalies.

Required Log Sources

  • Process Creation (Event ID 4688)
  • PowerShell Operational Logs (Event ID 4104)
  • Network Connection Logs
  • DNS Query Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Endpoints that do not typically utilize AI workflow automation tools are making high volumes of HTTP GET requests to n8n.cloud subdomains. | Network Connection Logs / DNS Query Logs | Delivery | Medium
Browsers or email clients are spawning processes that execute newly downloaded .exe or .msi files with names mimicking documents (e.g., OneDriveDocument*). | EDR / Process Creation | Execution | Low
Suspicious PowerShell commands are creating scheduled tasks or services immediately following the installation of Datto or ITarian RMM binaries from non-standard directories. | EDR / PowerShell Operational Logs | Persistence | Low
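The following Python is an added illustration of the delivery and execution hypotheses above (not code from the Talos report or this page): it runs the n8n.cloud volume check, the document-lure execution check and an msiexec.exe-from-user-path check over constructed endpoint and network events. The event field names, host names, the baseline set and the threshold are assumptions; the file and domain names are taken from the IOCs listed on this page.

```python
"""Added hunting example: runs the hypotheses above over constructed events."""
import re
from collections import Counter

# Constructed sample telemetry (field names are an assumption modelled on
# Windows 4688 process creation and proxy/DNS logs; not Talos data).
PROCESS_EVENTS = [
    {"host": "ws01", "parent": "outlook.exe",
     "image": r"C:\Users\a\Downloads\DownloadedOneDriveDocument.exe", "cmdline": ""},
    {"host": "ws01", "parent": "DownloadedOneDriveDocument.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\a\AppData\Local\Temp\OneDrive_Document_Reader_pHFNwtka_installer.msi"},
    {"host": "ws02", "parent": "explorer.exe",
     "image": r"C:\Program Files\7-Zip\7zG.exe", "cmdline": ""},
]
NETWORK_EVENTS = ([("ws01", "tti.app.n8n.cloud")] * 12            # unexpected source
                  + [("ws03", "app.n8n.cloud")] * 3              # approved automation host
                  + [("ws02", "login.microsoftonline.com")])
BASELINE_N8N_HOSTS = {"ws03"}   # hosts approved to talk to n8n (assumption)

BROWSERS_MAIL = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "thunderbird.exe"}
DOC_LURE = re.compile(r"document|onedrive|invoice|reader", re.I)
USER_DIR = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\", re.I)


def hunt_lure_execution(events):
    """Hypothesis 2: a browser/mail client spawns a downloaded .exe/.msi whose
    name mimics a document (e.g. OneDriveDocument*)."""
    hits = []
    for e in events:
        name = e["image"].rsplit("\\", 1)[-1]
        if (e["parent"].lower() in BROWSERS_MAIL
                and name.lower().endswith((".exe", ".msi")) and DOC_LURE.search(name)):
            hits.append((e["host"], name))
    return hits


def hunt_msiexec_from_user_path(events):
    """msiexec.exe installing an MSI from a user-writable directory (T1218.007)."""
    return [(e["host"], e["cmdline"]) for e in events
            if e["image"].lower().endswith("msiexec.exe")
            and "/i" in e["cmdline"].lower() and USER_DIR.search(e["cmdline"])]


def hunt_n8n_volume(events, baseline, threshold=10):
    """Hypothesis 1: many requests to n8n.cloud subdomains from hosts outside
    the baseline of approved automation users."""
    counts = Counter(host for host, fqdn in events
                     if fqdn.endswith(".n8n.cloud") and host not in baseline)
    return {host: n for host, n in counts.items() if n >= threshold}
```

The baseline set is what keeps hypothesis 1 at medium rather than high false-positive risk: without it, every legitimate n8n workflow host trips the threshold.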

Control Gaps

  • Domain-based email filtering (due to the use of trusted n8n domains)
  • Static AV signatures (due to packed payloads and the use of legitimate RMM tools)

Key Behavioral Indicators

  • High volume of traffic to n8n.cloud from unexpected internal sources
  • Process ancestry showing browsers spawning suspicious .exe or msiexec.exe
  • Unexpected execution or installation of Datto or ITarian RMM binaries

False Positive Assessment

  • Medium. Blocking all traffic to n8n.cloud will disrupt legitimate business workflows that rely on the platform. Additionally, legitimate administrative use of Datto or ITarian RMM tools could trigger false positive alerts if not properly baselined.

Recommendations

Immediate Mitigation

  • Block the specific malicious n8n webhook URLs and payload delivery domains identified in the IOCs.
  • Search endpoint telemetry for the provided file hashes and file names (e.g., DownloadedOneDriveDocument.exe).

Infrastructure Hardening

  • Implement behavioral network monitoring to alert on anomalous traffic to AI automation platforms like n8n.cloud from unauthorized endpoints.
  • Restrict the execution of unauthorized RMM tools within the environment using application control policies.

User Protection

  • Deploy AI-driven email security solutions capable of analyzing email context and intent beyond static domain reputation.
  • Ensure EDR is deployed and configured to monitor PowerShell execution, scheduled task creation, and msiexec.exe activity.

Security Awareness

  • Train users to recognize phishing attempts that use CAPTCHAs to mask malicious downloads.
  • Educate employees on the risks of downloading 'documents' that are actually executable files (.exe, .msi).

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1583.006 - Acquire Infrastructure: Web Services
  • T1218.007 - System Binary Proxy Execution: Msiexec
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1543.003 - Create or Modify System Process: Windows Service
  • T1219 - Remote Access Software
  • T1027 - Obfuscated Files or Information

Additional IOCs

  • Domains:
    • tti[.]app[.]n8n[.]cloud - Legitimate n8n cloud subdomain structure abused by threat actors.
    • majormetalcsorp[.]com - Domain associated with the phishing campaigns.
  • Urls:
    • hxxps[://]majormetalcsorp[.]com/Openfolder - Malicious URL associated with the phishing campaigns.
    • hxxps://onedrivedownload[.]zoholandingpage[.]com/my-workspace/DownloadedOneDriveDocument.exe - Direct download URL for the malicious executable, extracted from the HTML source code.
  • File Paths:
    • DownloadedOneDriveDocument.exe - File name of the malicious NSIS executable posing as a self-extracting archive.
    • OneDrive_Document_Reader_pHFNwtka_installer.msi - File name of the malicious MSI payload protected by the Armadillo packer.
  • Command Lines:
    • Purpose: Executes the maliciously modified ITarian Endpoint RMM installer. | Tools: msiexec.exe | Stage: Execution | Command: msiexec.exe /i OneDrive_Document_Reader_pHFNwtka_installer.msi