{"id":24404,"date":"2026-05-12T08:30:47","date_gmt":"2026-05-12T01:30:47","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=24404"},"modified":"2026-06-23T14:16:23","modified_gmt":"2026-06-23T07:16:23","slug":"when-hackers-dont-need-to-hack-how-n8n-became-a-global-attack-weapon","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/when-hackers-dont-need-to-hack-how-n8n-became-a-global-attack-weapon\/","title":{"rendered":"When Hackers don&#8217;t need to hack: How n8n became a global attack weapon"},"content":{"rendered":"<h2 id=\"overview\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Overview<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Cisco Talos analysts have just released a study on a large-scale attack campaign exploiting the n8n workflow automation platform to distribute malware and collect device information (fingerprinting). From January 2025 to March 2026, the number of emails containing malicious webhook links from n8n surged by 686%, indicating that attack groups are actively shifting to abusing trusted service infrastructure (SaaS) to bypass traditional security layers.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/1-1778519236.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24406\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/1-1778519236.png\" alt=\"1 1778519236\" width=\"1000\" height=\"554\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/1-1778519236.png 1000w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/1-1778519236-700x388.png 700w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">The greatest risk lies in malware being executed through &#8220;shadow&#8221; automation processes\u2014often beyond the control of IT teams. Victims not only have their information stolen but also have unauthorized remote management tools (RMM) installed, setting the stage for future ransomware or espionage attacks. It is crucial to urgently review and tightly control connections to unofficial n8n domains within the enterprise network infrastructure.<\/span><\/p>\n<h2 id=\"what-is-n8n\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">What is n8n?<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/2-1778519267.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24407\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/2-1778519267.png\" alt=\"2 1778519267\" width=\"985\" height=\"700\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/2-1778519267.png 985w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/2-1778519267-700x497.png 700w\" sizes=\"(max-width: 985px) 100vw, 985px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">n8n is a workflow automation platform similar to Zapier, specializing in connecting applications and services through APIs (REST\/HTTP). This platform is attracting a large number of users due to its self-hosting capability and built-in tools for creating agentic AI workflows.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Architecturally, the n8n system is built on three core components:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Workflows: The overall blueprint of an automation process.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Nodes: Functional blocks representing a specific task or application service. These often include Trigger Nodes (initiating a flow when an event occurs, such as capturing an HTTP request sent to a Webhook) and Action Nodes (executing tasks like uploading files, sending Slack messages, or calling an API).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Connections: The pathways that transfer locally formatted JSON data from one Node to the next.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/3-1778519288.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24408\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/3-1778519288.png\" alt=\"3 1778519288\" width=\"1000\" height=\"176\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/3-1778519288.png 1000w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/3-1778519288-700x123.png 700w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">For the commercial cloud version (n8n.cloud), users who register an account are immediately assigned a random subdomain in the format [custom-name].app.n8n[.]cloud. Having a URL within this trusted domain group provides a huge strategic advantage for attackers: they can host payloads or phishing pages that easily bypass URL reputation-based filtering systems of email gateways. Similar to previous campaigns abusing Softr.io, this tactic exposes an inherent weakness in network security design: the implicit trust in popular SaaS domains.<\/span><\/p>\n<h2 id=\"timeline-amp-attack-flow\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Timeline &amp; Attack Flow<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">The campaign was first noted around October 2025 and peaked in the first quarter of 2026. Attack groups used n8n as a &#8220;delivery vehicle&#8221; due to its flexibility and high automation capability.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/4-1778519921.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24409\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/4-1778519921.png\" alt=\"4 1778519921\" width=\"1536\" height=\"1024\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/4-1778519921.png 1536w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/4-1778519921-700x467.png 700w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/4-1778519921-406x271.png 406w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Attack chain (Kill Chain) proceeds as follows: Initial Access: Send phishing emails pretending to share a folder on Microsoft OneDrive. Redirection: The link in the email leads to an n8n webhook (usually in the format [subdomain].app.n8n[.]cloud\/webhook\/&#8230;).<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Evasion: The website displays a CAPTCHA code to trick sandbox filters and ensure real human interaction. Malware Delivery: After solving the CAPTCHA, a JavaScript code is triggered to download the payload from an external server. Since this process occurs within the session with the n8n.cloud domain, the browser often considers it a safe download. Execution: The victim opens the executable file (.exe or .msi) and inadvertently installs RMM software like Datto or ITarian.<\/span><\/p>\n<h2 id=\"technical-analysis\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Technical analysis<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/5-1778519983.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24410\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/5-1778519983.png\" alt=\"5 1778519983\" width=\"1000\" height=\"475\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/5-1778519983.png 1000w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/5-1778519983-700x333.png 700w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">The campaign exploiting n8n demonstrates sophistication in combining evasion techniques (Defense Evasion) with legitimate automation tools. Below is a detailed analysis of each stage in the infection chain:<\/span><\/p>\n<h3 id=\"architecture-abusing-n8n-webhook-amp-redirection-chain\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Architecture Abusing n8n Webhook &amp; Redirection Chain<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Instead of using a self-built infrastructure (self-hosted C2), the attacker configures Webhook Nodes on n8n to act as a Traffic Distribution System (TDS).<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">When the victim clicks on the Webhook link (e.g., hxxps:\/\/monicasue[.]app[.]n8n[.]cloud\/webhook\/download&#8230;), n8n logs the trigger event and executes the workflow.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Unlike typical phishing URLs, email security filters (such as Proofpoint, Mimecast) often classify n8n.cloud as a safe domain with a high reputation, belonging to legitimate cloud services, allowing traffic to pass through enterprise networks without being blocked.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/6-1778520001.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24411\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/6-1778520001.png\" alt=\"6 1778520001\" width=\"1774\" height=\"837\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/6-1778520001.png 1774w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/6-1778520001-700x330.png 700w\" sizes=\"(max-width: 1774px) 100vw, 1774px\" \/><\/a><\/span><\/p>\n<h3 id=\"fingerprinting-through-tracking-pixel\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Fingerprinting through Tracking Pixel<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Before the victim even clicks on the malicious download link, the attacker successfully collects information about their environment through a Tracking Pixel.<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">A transparent 1&#215;1 pixel image is embedded in the HTML code of the phishing email. The image source (src) is directly pointed to another n8n Webhook endpoint of the attack group.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">When the victim&#8217;s browser or mail application automatically loads the image, an HTTP GET request is sent to this Webhook.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">On the n8n backend, the attacker easily extracts essential metadata from the HTTP Header, including the public IP address, User-Agent parameters (to identify the operating system and browser version), and the activity status of the victim&#8217;s email. This data helps them filter targets and eliminate IPs belonging to security research centers (sandbox evasion).<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/7-1778520031.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24412\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/7-1778520031.png\" alt=\"7 1778520031\" width=\"1000\" height=\"750\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/7-1778520031.png 1000w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/7-1778520031-700x525.png 700w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/a><\/span><\/p>\n<h3 id=\"sandbox-evasion-technique\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Sandbox Evasion Technique<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">To ensure the malware is only downloaded by real humans and bypasses automated file scanning systems (Dynamic Malware Analysis\/Sandbox), the n8n Webhook returns the interface of a fake CAPTCHA authentication page.<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">The victim&#8217;s browser establishes an encrypted connection (HTTPS\/TLS) with the n8n.cloud server. The downloaded content is a static HTML page containing a custom-developed CAPTCHA system.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">If the email gateway activates link-crawling\/sandbox mechanisms, it will get stuck at the CAPTCHA page due to the lack of user interaction (mouse focus, keystroke) to extract the file.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Only when the victim manually solves the CAPTCHA is a hidden JavaScript snippet granted execution rights. It triggers the XMLHttpRequest or Fetch API to call an external C2 server (e.g., onedrivedownload[.]zoholandingpage[.]com) to retrieve the final payload URL and force the browser to download the executable file. At this point, the browser still considers the download prompt safe because it originates from a session with real interaction with the original n8n webpage.<\/span><\/li>\n<\/ul>\n<h3 id=\"payload-mechanism-weaponizing-datto-rmm-amp-itarian\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Payload Mechanism: Weaponizing Datto RMM &amp; ITarian<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/8-1778520083.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24413\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/8-1778520083.png\" alt=\"8 1778520083\" width=\"1000\" height=\"635\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/8-1778520083.png 1000w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/8-1778520083-700x445.png 700w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">The attacker does not immediately deploy traditional trojans or ransomware. Instead, they exploit two legitimate Remote Monitoring and Management (RMM) solutions used by Managed Service Providers (MSPs) to hide within system processes, bypassing real-time detection techniques (Behavioral EDR\/XDR).<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Payload 1: Datto RMM (DownloadedOneDriveDocument.exe)<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Characteristics: This is a WinRAR Self-Extracting (SFX) archive disguised as a confidential document file.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Mechanism: When executed in memory, this SFX file automatically extracts the AEMAgent.exe file into the Windows temporary directory and runs silently (Silent Install). AEMAgent.exe is the core process of Datto RMM.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Persistence &amp; C2:<\/strong>\u00a0Sau khi c\u00e0i \u0111\u1eb7t, payload thi\u1ebft l\u1eadp c\u00e1c Scheduled Tasks c\u1ee7a Windows tr\u1ecf \u0111\u1ebfn th\u01b0 m\u1ee5c Datto nh\u1eb1m duy tr\u00ec quy\u1ec1n ph\u00e2n t\u00edch (persistence). \u0110\u1ed3ng th\u1eddi, n\u00f3 kh\u1edfi t\u1ea1o k\u1ebft n\u1ed1i TLS m\u00e3 h\u00f3a li\u00ean t\u1ee5c tr\u00ean c\u1ed5ng 443 \u0111\u1ebfn c\u01a1 s\u1edf h\u1ea1 t\u1ea7ng \u0111\u00e1m m\u00e2y th\u1ef1c c\u1ee7a Datto (th\u01b0\u1eddng l\u00e0 wildcard\u00a0<code>*.<\/code><a href=\"http:\/\/centrastage.net\/\" target=\"_blank\" rel=\"noopener ugc nofollow\"><code>centrastage.net<\/code><\/a>), tuy nhi\u00ean l\u1ea1i li\u00ean k\u1ebft m\u00e3 \u0111\u1ecbnh danh (Node ID) thi\u1ebft b\u1ecb n\u1ea1n nh\u00e2n v\u1ec1 b\u1ea3ng \u0111i\u1ec1u khi\u1ec3n (Dashboard) do k\u1ebb t\u1ea5n c\u00f4ng ki\u1ec3m so\u00e1t. L\u00fac n\u00e0y, tin t\u1eb7c c\u00f3 m\u1ee9c \u0111\u1eb7c quy\u1ec1n cao nh\u1ea5t (SYSTEM level) tr\u00ean m\u00e1y t\u00ednh ng\u01b0\u1eddi d\u00f9ng h\u1ee3p ph\u00e1p.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Payload 2: ITarian Endpoint Management (OneDrive_Document_Reader_installer.msi)<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Characteristics: Using a more complex technique, the attacker wraps the .msi file with the well-known Armadillo packer. This use of a packer prevents antivirus programs from directly reading the file&#8217;s static digital signature (Signature-based AV Evasion).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Mechanism: The MSI interface is designed to convincingly mimic the &#8220;OneDrive Document Reader&#8221; installation wizard. When the victim clicks Install and the graphical progress bar appears, the malware silently activates the ITarian Endpoint Manager installer in the background.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Post-exploitation Behavior: This tool drops a series of .dll library files and Python scripts. By exploiting the Python modules included with ITarian, hackers can establish connections to their own C2, preparing for internal data exfiltration or using the workstation as a pivot to attack the core servers of the enterprise&#8217;s Active Directory.<\/span><\/li>\n<\/ul>\n<h2 id=\"expert-opinion\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Expert opinion<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">We consider this campaign a typical example of the trend &#8220;SaaS-to-SaaS Attacks.&#8221; The misuse of low-code\/no-code platforms and AI automation is not just a technical issue but also highlights vulnerabilities in corporate governance. Risks from Shadow Automation\/AI: In an effort to boost productivity, employees often independently register and use tools like n8n, Zapier, or Softr.io without IT department approval. &#8220;Shadow Automation&#8221; creates a security blind spot: these accounts often lack MFA, are not monitored, and have access to sensitive data through APIs. Attackers are aware of this and are beginning to target businesses with lax automation infrastructures.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">In Vietnam, where the wave of digital transformation and AI application is rapidly advancing, the absence of policies to control intermediary SaaS tools (Automation Governance) makes businesses attractive targets. Once attackers have embedded RMM tools like Datto or ITarian, they can remain undetected for extended periods, conduct lateral movement, and deploy ransomware at any time.<\/span><\/p>\n<h2 id=\"mitre-attampck-mapping\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>MITRE ATT&amp;CK Mapping<\/strong><\/span><\/h2>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Phase<\/strong><\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Technique<\/strong><\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>ID<\/strong><\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Initial Access<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Phishing: Spearphishing Link<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">T1566.002<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Execution<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">User Execution: Malicious File<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">T1204.002<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Defense Evasion<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Trusted Relationship Abuse (SaaS)<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">T1199<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Command and Control<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Remote Access Software<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">T1219<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Exfiltration<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Exfiltration Over C2 Channel<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">T1041<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"iocs\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>IOCs<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>File Hashes (SHA-256)<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Network Indicators<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">hxxps[:\/\/]pagepoinnc[.]app[.]n8n[.]cloud\/webhook\/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">hxxps[:\/\/]monicasue[.]app[.]n8n[.]cloud\/webhook\/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">hxxps[:\/\/]onedrivedownload[.]zoholandingpage[.]com\/my-workspace\/DownloadedOneDrive<\/span><\/p>\n<h2 id=\"recommendations\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Recommendations<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Immediate (0-24h)<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Block network access from internal devices to all sub-domains *.app.n8n.cloud if the business does not use this service.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Review EDR logs to search for the presence of unfamiliar RMM tools (Datto, ITarian, AnyDesk, etc.) on user workstations outside of the IT department.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Short-term (1-7 days)<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Conduct security awareness training, emphasizing the identification of phishing emails containing links to intermediary websites (such as n8n, Softr, Zoho Landing Page).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Set up alerts on the Email Security solution for emails containing webhook links or unapproved Automation platforms.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Long-term<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Develop a SaaS &amp; Automation Governance policy: Require centralized approval for all automation tools or AI workflows.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Transition to a Zero Trust model, strictly controlling API access and not automatically trusting requests from well-known cloud infrastructures..<\/span><\/li>\n<\/ul>\n<h2 id=\"refer-to\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Refer to<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/gbhackers.com\/hackers-exploit-n8n\/#google_vignette\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/gbhackers.com\/hackers-exploit-n8n\/#google_vignette<\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/www.techrepublic.com\/article\/news-hackers-abuse-n8n-workflows-malware-delivery\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/www.techrepublic.com\/article\/news-hackers-abuse-n8n-workflows-malware-delivery\/<\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/thehackernews.com\/2026\/04\/n8n-webhooks-abused-since-october-2025.html\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/thehackernews.com\/2026\/04\/n8n-webhooks-abused-since-october-2025.html<\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/blog.talosintelligence.com\/the-n8n-n8mare\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/blog.talosintelligence.com\/the-n8n-n8mare\/<\/a><\/span><\/p>\n<table style=\"border-collapse: collapse;width: 90.8217%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\">\n<p data-start=\"0\" data-end=\"44\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exclusive article by an expert from FPT<\/strong><\/span><\/p>\n<p data-start=\"46\" data-end=\"92\" data-is-last-node=\"\" data-is-only-node=\"\"><span style=\"font-family: arial, helvetica, sans-serif\"><em>Luu Tuan Anh \u2013 FPT Information Security Center<\/em><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"author":21,"featured_media":24405,"parent":0,"template":"","nang_luc":[],"danh_muc_goc_nhin_so":[],"dich_vu":[],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-24404","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/24404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/24405"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=24404"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=24404"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=24404"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=24404"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=24404"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=24404"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=24404"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=24404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}