The n8n N8mare: How Threat Actors are Misusing AI Workflow Automation

    Date: 04/16/2026

    Severity: High

    Summary

    Threat actors are abusing AI workflow automation platforms like n8n to conduct sophisticated phishing campaigns by sending automated emails that deliver malware and fingerprint victim devices. By leveraging trusted services and integrations with tools like Slack, Gmail, and AI models, attackers can bypass traditional security controls and scale their operations. This activity highlights how legitimate automation platforms are being weaponized to enable stealthy and persistent malicious campaigns. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    https://onedrivedownload.zoholandingpage.com/my-workspace/DownloadedOneDrive 

    https://majormetalcsorp.com/Openfolder 

    https://pagepoinnc.app.n8n.cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496 

    https://monicasue.app.n8n.cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab

    Hash

    93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a 

    7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://monicasue.app.n8n.cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab" or url like "https://monicasue.app.n8n.cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab" or siteurl like "https://monicasue.app.n8n.cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab"
    or domainname like "https://majormetalcsorp.com/Openfolder" or url like "https://majormetalcsorp.com/Openfolder" or siteurl like "https://majormetalcsorp.com/Openfolder"
    or domainname like "https://onedrivedownload.zoholandingpage.com/my-workspace/DownloadedOneDrive" or siteurl like "https://onedrivedownload.zoholandingpage.com/my-workspace/DownloadedOneDrive" or url like "https://onedrivedownload.zoholandingpage.com/my-workspace/DownloadedOneDrive"
    or domainname like "https://pagepoinnc.app.n8n.cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496" or siteurl like "https://pagepoinnc.app.n8n.cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496" or url like "https://pagepoinnc.app.n8n.cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496"

    Detection Query 2:

    sha256hash IN ("7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0","93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a")
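    As an added example (not part of the advisory and not a Gurucul query), the same URL and SHA-256 indicators applied in Python to constructed proxy records with an EDR hash column. It also generalizes the two webhook IOCs to the n8n Cloud webhook URL shape (<instance>.app.n8n.cloud/webhook/<path>); that generalization is an assumption about the hosting pattern and yields a triage signal, not a verdict, since legitimate tenants use the same shape.

```python
import re
from urllib.parse import urlparse

# Exact indicators listed in the advisory above.
IOC_URLS = {
    "https://onedrivedownload.zoholandingpage.com/my-workspace/DownloadedOneDrive",
    "https://majormetalcsorp.com/Openfolder",
    "https://pagepoinnc.app.n8n.cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496",
    "https://monicasue.app.n8n.cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab",
}
IOC_SHA256 = {
    "93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a",
    "7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0",
}

# Assumed generalisation of the two webhook IOCs: any n8n Cloud webhook host.
# Legitimate tenants share this shape, so it is a triage signal, not a verdict.
N8N_CLOUD_HOST = re.compile(r"^[a-z0-9-]+\.app\.n8n\.cloud$", re.IGNORECASE)

def classify_url(url: str) -> str:
    """'ioc' for an exact advisory URL, 'n8n-webhook' for the generic shape, else 'clean'."""
    if url.rstrip("/") in IOC_URLS:
        return "ioc"
    parsed = urlparse(url)
    if N8N_CLOUD_HOST.match(parsed.hostname or "") and parsed.path.startswith("/webhook/"):
        return "n8n-webhook"
    return "clean"

def scan_log(lines):
    """Return (line_no, verdict, url) for flagged 'timestamp src_ip url [sha256]' records."""
    hits = []
    for no, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed record, skip
        url, sha = parts[2], (parts[3].lower() if len(parts) > 3 else "")
        verdict = classify_url(url)
        if sha in IOC_SHA256:
            verdict = "ioc"  # a hash match outranks the URL verdict
        if verdict != "clean":
            hits.append((no, verdict, url))
    return hits

# Constructed sample telemetry (not from the advisory); clean hosts and the
# third line's tenant and UUID are placeholders.
SAMPLE_LOG = [
    "2026-04-16T09:12:03Z 10.0.0.21 https://majormetalcsorp.com/Openfolder 93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a",
    "2026-04-16T09:12:10Z 10.0.0.21 https://example.invalid/index.html",
    "2026-04-16T09:13:44Z 10.0.0.35 https://other-tenant.app.n8n.cloud/webhook/export-00000000-0000-0000-0000-000000000000",
    "2026-04-16T09:14:01Z 10.0.0.35 https://example.invalid/report.pdf 7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0",
]
```

    Running scan_log(SAMPLE_LOG) flags lines 1, 3 and 4; line 4 is caught by the hash alone, which the URL query above would miss.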

    Reference:    

    https://blog.talosintelligence.com/the-n8n-n8mare/                  


    Tags

    Malware, AI, Phishing

