Intelligence Center

The Q1 2026 vulnerability landscape shows a continued rise in overall CVEs and KEVs, with a significant focus on software supply chain compromises and networking gear. A notable emerging threat is the abuse of the n8n AI workflow automation platform to bypass traditional security filters, alongside the discovery of the PowMix botnet targeting Czech workers and ongoing exploitation of legacy vulnerabilities.

Confidence: high · Analyzed: 2026-04-16 · Type: reports

Authors: Thorsten Rosendahl

Actors: PowMix botnet, W3LL phishing network, PlugX RAT, Russian intelligence and security services

Source: Cisco Talos

IOCs · 5

Key Takeaways

  • Overall CVE counts and Known Exploited Vulnerabilities (KEVs) continued to rise in Q1 2026, with networking gear accounting for 20% of KEVs.
  • Attackers are increasingly abusing the n8n AI workflow automation platform via URL-exposed webhooks to deliver malware and bypass traditional security filters.
  • A newly discovered botnet named 'PowMix' is targeting the Czech workforce, utilizing random beaconing intervals to evade network signature detections.
  • Legacy vulnerabilities remain a significant threat, with roughly 25% of tracked CVEs dating to 2024 or earlier, and some dating back to 2008/2009.
  • AI models are demonstrating advanced capabilities, with tools like Mythos Preview showing the ability to identify and exploit zero-day vulnerabilities.

Affected Systems

  • n8n workflow automation platform
  • Networking gear
  • Adobe Acrobat and Reader (Windows/macOS)
  • Android applications (Gemini API exposure)

Attack Chain

Threat actors are leveraging software supply chain vulnerabilities and abusing legitimate AI workflow automation platforms like n8n. By weaponizing URL-exposed webhooks, attackers mask malicious payloads as standard data streams to bypass reputation-based filtering and deliver remote access trojans. Concurrently, other campaigns like the PowMix botnet utilize random beaconing intervals to maintain persistent, undetected communication with command and control infrastructure.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but emphasizes the need for behavioral detection alerting on anomalous traffic patterns directed toward automation platforms.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can detect the execution of dropped payloads (like the listed coinminers and injectors) and anomalous child processes from automation tools, but may miss the initial webhook abuse.
  • Network Visibility: High. Network telemetry is crucial for identifying anomalous traffic patterns to automation platforms and detecting the random beaconing of the PowMix botnet.
  • Detection Difficulty: Moderate. Abuse of legitimate platforms like n8n blends in with normal administrative or workflow traffic, requiring behavioral baselining rather than static IOC matching.

Required Log Sources

  • Network flow logs
  • DNS query logs
  • Web proxy logs
  • Endpoint process execution logs

Hunting Hypotheses

  • Hypothesis: Look for anomalous or high-volume inbound/outbound network connections involving n8n webhook URLs that deviate from established internal workflow patterns.
    Telemetry: Web proxy/Network logs. ATT&CK stage: Initial Access/Execution. FP risk: Medium.
  • Hypothesis: Identify endpoints exhibiting random, periodic beaconing behavior to unknown or newly observed domains, potentially indicating PowMix botnet activity.
    Telemetry: Network flow/DNS logs. ATT&CK stage: Command and Control. FP risk: Medium.
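One way to turn the two hunting hypotheses above into logic that runs over proxy logs, as an added example that is not part of the original report or of Cisco Talos's material: it flags webhook-style requests (n8n's default /webhook/ and /webhook-test/ URL prefixes are assumed) to hosts outside an allow-list of sanctioned internal workflows, and flags client/host pairs whose request gaps are all tightly bounded, which is the trace a randomized sleep still leaves even though it defeats fixed-interval matching. Host names, client IPs, the log format and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse
# Constructed proxy log sample (not from the report), "<ISO time> <client> <url>": 10.1.1.5 browses
# normally, 10.1.1.7 calls an unknown webhook host, 10.1.1.9 beacons every ~300 s with +/-20 % jitter.
SAMPLE_LOG = """\
2026-04-01T09:00:00 10.1.1.5 https://intranet.corp.example/home
2026-04-01T09:00:03 10.1.1.5 https://intranet.corp.example/app.js
2026-04-01T09:00:05 10.1.1.5 https://intranet.corp.example/style.css
2026-04-01T09:45:00 10.1.1.5 https://intranet.corp.example/tickets
2026-04-01T11:30:00 10.1.1.5 https://intranet.corp.example/home
2026-04-01T09:02:00 10.1.1.5 https://wf.corp.example/webhook/ticket-intake
2026-04-01T09:03:00 10.1.1.7 https://hook-a1b2.example.net/webhook/stage2
2026-04-01T09:00:00 10.1.1.9 https://upd-7f3.example.net/c
2026-04-01T09:04:12 10.1.1.9 https://upd-7f3.example.net/c
2026-04-01T09:09:48 10.1.1.9 https://upd-7f3.example.net/c
2026-04-01T09:14:03 10.1.1.9 https://upd-7f3.example.net/c
2026-04-01T09:19:30 10.1.1.9 https://upd-7f3.example.net/c
2026-04-01T09:23:55 10.1.1.9 https://upd-7f3.example.net/c
"""

WEBHOOK_PATH = re.compile(r"^/webhook(-test)?/")  # n8n's default production and test webhook prefixes
AUTHORIZED_WEBHOOK_HOSTS = {"wf.corp.example"}  # hypothetical sanctioned internal n8n instance
MIN_HITS = 5      # fewer requests than this is too little to call a pattern
MAX_SPREAD = 3.0  # longest gap / shortest gap; jittered sleeps stay well under this, browsing does not

def parse(log_text):
    """Split '<ISO time> <client> <url>' lines into (time, client, host, path) tuples."""
    rows = (line.split() for line in log_text.splitlines())
    return [(datetime.fromisoformat(t), c, urlparse(u).hostname, urlparse(u).path) for t, c, u in rows]

def unauthorized_webhook_hits(events, authorized=AUTHORIZED_WEBHOOK_HOSTS):
    """(client, host) pairs sending webhook-style requests to hosts outside the authorized set."""
    return sorted({(c, h) for _, c, h, p in events if WEBHOOK_PATH.match(p) and h not in authorized})

def jittered_beacons(events, min_hits=MIN_HITS, max_spread=MAX_SPREAD):
    """(client, host) pairs with many requests whose gaps all sit in a narrow band (base +/- jitter)."""
    stamps = defaultdict(list)
    for ts, c, h, _ in events:
        stamps[(c, h)].append(ts)
    flagged = []
    for pair, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) / max(min(gaps), 1.0) <= max_spread:  # max(..., 1.0) guards same-second repeats
            flagged.append(pair)
    return sorted(flagged)
```

Both checks are baselining heuristics rather than signatures, so tune MAX_SPREAD and MIN_HITS against your own workflow traffic before alerting on them.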

Control Gaps

  • Static domain blocking
  • Traditional reputation-based filtering

Key Behavioral Indicators

  • Anomalous traffic to automation platforms
  • Random beaconing intervals
  • Unexpected execution of scripts (content.js) or unknown binaries (VID001.exe)

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Restrict endpoint communication with automation services (like n8n) to explicitly authorized internal workflows.
  • Block the provided SHA256 and MD5 hashes associated with prevalent malware.

Infrastructure Hardening

  • Implement behavioral detection for anomalous traffic patterns directed toward automation platforms.
  • Ensure comprehensive visibility into all running assets to improve patch management and identify legacy vulnerabilities.

User Protection

  • Deploy AI-driven email security solutions to analyze the semantic intent of incoming messages.

Security Awareness

  • Educate users on the risks of downloading software from unofficial sources, such as fake AI model websites (e.g., fake Claude sites).

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1566.002 - Phishing: Spearphishing Link
  • T1105 - Ingress Tool Transfer
  • T1059.007 - Command and Scripting Interpreter: JavaScript

Additional IOCs

  • File Hashes:
    • 3c1dbc3f56e91cc79f0014850e773a7f12bbfef06680f08f883b2bf12873eccc (SHA256) - Prevalent malware file detected as W32.3C1DBC3F56-90.SBX.TG
    • 2915b3f8b703eb744fc54c81f4a9c67f (MD5) - Prevalent malware file detected as Win.Worm.Coinminer::1201**
    • aac3165ece2959f39ff98334618d10d9 (MD5) - Prevalent malware file detected as W32.Injector:Gen.21ie.1201
    • c2efb2dcacba6d3ccc175b6ce1b7ed0a (MD5) - Prevalent malware file detected as Auto.90B145.282358.in02
    • 7bdbd180c081fa63ca94f9c22c457376 (MD5) - Prevalent malware file detected as Win.Dropper.Miner::95.sbx.tg**
    • 41444d7018601b599beac0c60ed1bf83 (MD5) - Prevalent malware file detected as W32.38D053135D-95.SBX.TG
    • d749e0f8f2cd4e14178a787571534121 (MD5) - Prevalent malware file detected as W32.3C1DBC3F56-90.SBX.TG
  • File Paths:
    • VID001.exe - Example filename associated with Win.Worm.Coinminer::1201**
    • d4aa3e7010220ad1b458fac17039c274_63_Exe.exe - Example filename associated with W32.Injector:Gen.21ie.1201
    • APQ9305.dll - Example filename associated with Auto.90B145.282358.in02
    • d4aa3e7010220ad1b458fac17039c274_62_Exe.exe - Example filename associated with Win.Dropper.Miner::95.sbx.tg**
    • content.js - Example filename associated with W32.38D053135D-95.SBX.TG
    • Unconfirmed 280575.crdownload.exe - Example filename associated with W32.3C1DBC3F56-90.SBX.TG