https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-15 13:07:172026-04-15 13:07:17Mirax RAT Targeting Android Users in Europe
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-15 13:07:162026-04-15 13:07:16AI is getting better at your job, but you have time to adjust, according to MIT
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-15 13:07:162026-04-15 13:07:16Why your TV wowed you in the store but looks unnatural at home – and how to fix it ASAP
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-15 12:06:542026-04-15 12:06:54Two Vulnerabilities Patched in Ivanti Neurons for ITSM
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-15 12:06:532026-04-15 12:06:53Microsoft, Salesforce Patch AI Agent Data Leak Flaws
In Chile, cybersecurity compliance is becoming an operational issue, not just a legal one. Under the new Cybersecurity Framework Law, organizations must show they have real capabilities for threat detection, incident analysis, and response. For many teams, that exposes a serious gap between regulatory expectations and day-to-day security operations.
Key Takeaways
Chile’s Cybersecurity Framework Law raises the pressure on operational readiness: Security leaders need teams that can detect threats, investigate incidents, and support response decisions without delay.
Slow investigation can quickly become a business risk: Delayed response weakens evidence, increases regulatory pressure, and makes post-incident review harder to manage.
Faster triage and clearer evidence now matter more: Better visibility into suspicious activity helps reduce disruption, improve reporting quality, and support faster decisions under tight deadlines.
For business leaders, this is about continuity as much as compliance: Teams must be able to contain incidents, document actions, and maintain control during regulatory scrutiny.
ANY.RUN’s Enterprise solutions help reduce operational risk under compliance pressure: They support faster investigations, stronger evidence, and more controlled analysis workflows.
The Regulatory Shift
Chile has taken a decisive step toward strengthening its national cybersecurity posture with the approval of Law No. 21.663 – the Cybersecurity Framework Law. This legislation establishes mandatory cybersecurity obligations for organizations classified as:
Operators of Vital Importance (OIV)
Operators of Essential Services
Critical public sector entities
Unlike traditional compliance frameworks that focus on policies and documentation, Chile’s approach is outcome-driven and risk-based. Organizations must demonstrate real operational capabilities– not just checkbox compliance. With enforcement and audits ramping up through 2025-2026, the compliance window is closing fast.
The scope is broad. An estimated 915 organizations across energy, telecommunications, banking and financial services, digital infrastructure, healthcare, and public institutions must now prove their cybersecurity readiness.
What the New Law Requires from Security Teams
Chile’s Cybersecurity Framework Law does not mandate specific tools, but it does set clear expectations for operational readiness. Regulated organizations are expected to have the following:
Effective threat detection: Identify malicious activity before it causes damage Timely incident analysis and response: Understand what happened, how, and what to do Continuous risk management: Adapt defenses as the threat landscape evolves Evidence-based reporting: Provide detailed, defensible reports to Chile’s national CSIRT and regulatory authorities
Regulated entities must permanently apply technical and organizational measures to prevent, report, and resolve cybersecurity incidents in line with ANCI protocols and sector-specific standards. They must also report significant cyberattacks and incidents to the national CSIRT under a defined timeline.
For operators of vital importance, requirements are stricter. They must run a continuous information security management system, document security actions, and maintain certified cybersecurity and continuity plans, reviewed at least every two years.
They are also expected to conduct regular exercises, implement rapid containment measures, train staff, and appoint an independent cybersecurity delegate with direct access to top management and formal responsibility for coordination with ANCI.
Build a compliant and mature SOC Integrate ANY.RUN’s solutions to reduce business risk and boost security
The reporting timelines are especially important for CISOs, SOC leaders, and MSSPs serving regulated clients. The law requires an early warning within three hours after learning of a significant incident, an updated report within 72 hours, and a final report within 15 days.
If the affected entity is an OIV and the incident disrupts its essential service, the second report deadline tightens to 24 hours. OIVs must also communicate a formal action plan within seven days.
The key shift is simple: the law focuses less on documented intent and more on proven capability. It is not enough to say controls are in place. Organizations need to show they can investigate suspicious activity, confirm whether a threat is real, and support response decisions with evidence.
That changes the standard for security teams. Alerts alone are not enough. Teams need visibility, faster analysis, and a reliable investigation trail they can stand behind during reporting, audits, and post-incident review.
What Non-Compliance Can Cost
The legal exposure is serious. Minor infringements can be fined up to 5,000 UTM, serious infringements up to 10,000 UTM, and very serious infringements up to 20,000 UTM. For operators of vital importance, those maximums double to 10,000, 20,000, and 40,000 UTM respectively.
For leadership, the business risk goes beyond the fine itself. When teams cannot investigate suspicious activity quickly, explain what happened, or produce defensible incident evidence, the result can be longer disruption, slower communication with authorities, and more exposure during audits. That is why this law should not be treated as only a legal issue. It is also a detection, response, and operational-readiness issue.
The Compliance Challenge: Why This Is Hard
For SOCs and incident response teams across Chile, the new requirements create significant operational pressure:
Challenges for security teams in Chile
1. Alert Overload, Limited Analysis Capacity
Chilean organizations are facing the same challenge plaguing SOCs globally: too many alerts, not enough time to investigate them properly. SOC teams are drowning in noise from SIEM and EDR platforms, struggling to separate real threats from false positives.
2. Talent Shortage
The cybersecurity skills gap is acute in Latin America. According to industry data, LATAM experiences approximately 2,716 cyberattacks per organization per week,significantly above the global average. Yet there aren’t enough trained analysts to keep pace with investigation demands.
3. Malware Analysis Bottlenecks
Many sandbox solutions provide a verdict, but limited visibility into how the threat behaves or why it matters. When regulators ask for detailed incident reports, security teams need more than a malicious or benign label. They need evidence, context, and a clearer view of the attack chain.
4. Rising Threat Sophistication
Attackers targeting Latin America, particularly Chile’s banking and financial sectors, are deploying region-specific malware families like Mekotio, Grandoreiro, and Casbaneiro. These threats use novel evasion techniques specifically designed to bypass legacy detection systems.
Close the Security Gap with Better Threat Visibility, Analysis, and Response
Under Chile’s new framework, security gaps are no longer just technical weaknesses. They can become compliance failures, reporting delays, and broader business risks. ANY.RUN helps organizations close those gaps with stronger threat visibility, faster analysis, and more defensible response workflows.
1. Threat Intelligence for Better Visibility and Prioritization
One of the hardest parts of compliance is knowing which threats deserve immediate attention. Security teams already deal with large volumes of alerts, but the new law raises the need for monitoring that is not only active, but relevant to actual business risk.
ANY.RUN’s Threat Intelligence Lookup helps teams focus on threats that matter most to their environment. Rather than treating threat intelligence as just another dataset, it works as an operational layer that connects threat context with prioritization and action across the SOC lifecycle. Instead of relying only on generic indicators, organizations can investigate threats through industry- and geo-specific context.
For example, a query such as submissionCountry:”CL” AND industry:”banking” can help teams understand what is actively targeting Chile’s financial sector. This gives analysts faster context for triage, supports continuous risk management, and helps organizations build monitoring around real threats rather than assumptions.
Threat activity targeting Chile’s financial sector, visible inside TI Lookup
With this approach, organizations can:
Focus security efforts on the threats most relevant to their sector
Improve prioritization across monitoring and triage workflows
Reduce investigation delays caused by low-context alerts
Strengthen continuous risk management with more relevant threat visibility
Build a stronger foundation for defensible response and reporting
Strengthen cyber readiness where business risk is highest Improve prioritization and decisions with clearer threat context
2. Behavioral Analysis for Faster Investigation and Clearer Evidence
Threat visibility is only the first step. Once a suspicious file, URL, or email is detected, teams still need to understand what it actually does, how serious it is, and what actions should follow.
ANY.RUN’s Interactive Sandbox helps security teams investigate threats through real behavioral analysis. Instead of receiving only a verdict, analysts can observe malicious activity as it unfolds, understand the attack chain, extract indicators, and see the broader context of the incident. This makes it easier to validate threats faster, support containment decisions, and produce clearer evidence for reporting, audits, and post-incident review.
Threat analysis carried out inside ANY.RUN sandbox
In practice, this allows organizations to:
Understand how a threat behaves, not just whether it is malicious
Confirm impact faster and make response decisions with more confidence
Extract IOCs and other evidence for reporting and follow-up investigation
Support containment with clearer visibility into attacker activity
Build a more defensible investigation trail for audits and incident review
Turn uncertain alerts into faster, defensible decisions Give teams clearer evidence for response and reporting
3. Integrations and Threat Feeds for Faster Detection and Response
Meeting regulatory expectations also depends on how quickly security teams can move from detection to action. When threat data stays locked in separate tools or requires manual handling, triage slows down, response becomes less consistent, and reporting gets harder under tight deadlines.
ANY.RUN helps reduce that friction by connecting threat intelligence and sandbox analysis directly to existing security workflows through ready-made connectors, STIX/TAXII, and API/SDK options. This allows teams to move investigation data into SIEM, SOAR, EDR, and TIP environments faster, so enrichment, correlation, and response can happen with less manual effort.
Integration opportunities for ANY.RUN Threat Intelligence
Threat Intelligence Feeds continuously deliver high-confidence malicious indicators sourced from live attack investigations across 15,000 organizations and 600,000 analysts, helping teams work with fresh threat data instead of static lists.
Strengthen detection with live threat data from real attacks Help your team correlate faster and respond with less effort
Push fresh threat data directly into existing detection and response tools
Reduce manual workload in enrichment and triage workflows
Improve alert quality with validated, high-confidence indicators
Speed up correlation and response across the SOC stack
Build a more scalable and operationally consistent security model
Support Compliance Readiness with Privacy, Control, and Audit Confidence
Security teams also need confidence that sensitive analyses can be handled in a controlled environment that supports internal governance, confidentiality, and audit readiness. That is especially important for organizations working under stricter reporting obligations and higher regulatory scrutiny.
ANY.RUN’s private sandbox sessions remain confidential through strict access controls and encrypted data processing, helping organizations investigate threats without exposing case data to the public community. For leadership, this matters because improving detection and response is not enough on its own. The investigation environment also needs to meet enterprise expectations for security, privacy, and operational reliability.
This becomes especially valuable when incidents involve sensitive internal files, regulated environments, or investigations that may later be reviewed by auditors, executives, or external authorities. With stronger privacy controls around analysis data, organizations can reduce the risk of accidental exposure while giving security teams a safer way to investigate suspicious activity and preserve a defensible trail of evidence.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.
It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.
Frequently Asked Questions
What changes for security leaders under Chile’s Cybersecurity Framework Law?
The law raises the standard from having policies on paper to proving operational readiness in practice. It sets minimum requirements for preventing, containing, resolving, and responding to cyber incidents, creates ANCI as the national authority, and gives regulators a clearer basis for oversight and sanctions. In practice, that means leadership teams need confidence that detection, investigation, reporting, and continuity measures will hold up under pressure.
Which organizations are most exposed to these requirements?
The law applies to providers of essential services and to entities designated as Operators of Vital Importance, or OIVs. The covered sectors include areas such as energy, water, telecom, digital infrastructure, transport, banking and payments, postal services, and healthcare, while ANCI has the power to formally qualify OIVs.
What will regulators expect an organization to be able to show?
At a minimum, regulated entities must permanently apply measures to prevent, report, and resolve incidents. For OIVs, the bar is higher: they must run a continuous information security management system, maintain records of security actions, implement and review continuity and cybersecurity plans, carry out ongoing reviews and exercises, train staff, and appoint a cybersecurity delegate who reports upward.
Why does response speed matter so much under this law?
Because the reporting clock starts quickly. The law requires an early alert within 3 hours of learning about a significant incident, an update within 72 hours, and a final report within 15 days. If an OIV’s essential service is affected, the update deadline tightens to 24 hours, and OIVs must also adopt an action plan within 7 days. For leadership, this makes delayed investigation a business risk, not just a technical issue.
Does the law require specific tools?
No. It does not prescribe named products. What it does require is that organizations can prevent, report, and resolve incidents, follow ANCI protocols and standards, and support continuity and incident handling with real operational capability. That is why the focus for leadership should be less on tool count and more on whether teams can investigate, decide, and report fast enough when it matters.
Why does investigation quality matter for compliance?
Because the law is built around response, reporting, and oversight. ANCI can require information needed to understand incidents, supervise compliance, and enforce sanctions, while the law also emphasizes continuity, risk management, and documented actions. For leadership teams, that makes clear evidence and a defensible investigation trail part of compliance readiness.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-15 11:07:102026-04-15 11:07:10Trump Urges Extending Foreign Surveillance Program as Some Lawmakers Push for US Privacy Protections
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-15 11:07:092026-04-15 11:07:09$10 Domain Could Have Handed Hackers 25k Endpoints, Including in OT and Gov Networks
If your office works remotely in any way, you’ll need reliable internal communication tools to keep information flowing smoothly and everyone on the same page.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-15 11:07:092026-04-15 11:07:09The best internal communication tools of 2026: Expert tested and reviewed
Cisco Talos research has uncovered agentic AI workflow automation platform abuse in emails. Recently, we identified an increase in the number of emails that abuse n8n, one of these platforms, from as early as October 2025 through March 2026.
In this blog, Talos provides concrete examples of how threat actors are weaponizing legitimate automation platforms to facilitate sophisticated phishing campaigns, ranging from delivering malware to fingerprinting devices.
By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access.
AI workflow automation platforms such as Zapier and n8n are primarily used to connect different software applications (e.g., Slack, Google Sheets, or Gmail) with AI models (e.g., OpenAI’s GPT-4 or Anthropic’s Claude). These platforms have been applied to different application domains, including cybersecurity over the past few months, especially with the progress that has been made in new avenues like large language models (LLMs) and agentic AI systems. However, much like other legitimate tools, AI workflow automation platforms can be weaponized to orchestrate malicious activities, like delivering malware by sending automated emails.
This blog describes how n8n, one of the most popular AI workflow automation platforms, has been abused to deliver malware and fingerprint devices by sending automated emails.
What is n8n?
N8n is a workflow automation platform that connects web applications and services (including Slack, GitHub, Google Sheets, and others with HTTP-based APIs) and builds automated workflows. A community-licensed version of the platform can be self-hosted by organizations. The commercial service, hosted at n8n.io, includes AI-driven features that can create agents capable of using web-based APIs to pull data from documents and other data sources.
Users can register for an n8n developer account at no initial charge. Doing so creates a subdomain on “tti.app.n8n[.]cloud” from which the user’s applications can be accessed. This is similar to many web-based AI-aided development tools, and one that malicious actors have harnessed elsewhere in the past; earlier this year, Talos observed another AI-oriented web application service, Softr.io, being used for the creation of phishing pages used in a series of targeted attacks.
How n8n’s webhooks work
Talos’ investigation found that a primary point of abuse in n8n’s AI workflow automation platform is its URL-exposed webhooks. A webhook, often referred to as a “reverse API,” allows one application to provide real-time information to another. These URLs register an application as a “listener” to receive data, which can include programmatically pulled HTML content. An example of an n8n webhook URL is shown in Figure 1.
Figure 1. Anatomy of an example n8n webhook URL.
When the URL receives a request, the subsequent workflow steps are triggered, returning results as an HTTP data stream to the requesting application. If the URL is accessed via email, the recipient’s browser acts as the receiving application, processing the output as a webpage.
Talos has observed a significant rise in emails containing n8n webhook URLs over the past year. For example, the volume of these emails in March 2026 was approximately 686% higher than in January 2025. This increase is driven, in part, by several instances of platform abuse, including malware delivery and device fingerprinting, as we will discuss in the next sections.
Figure 2. The prevalence of n8n webhook URLs in emails over the past few months.
Abusing n8n for malware delivery
Because webhooks mask the source of the data they deliver, they can be used to serve payloads from untrusted sources while making them appear to originate from a trusted domain. Furthermore, since webhooks can dynamically serve different data streams based on triggering events — such as request header information — a phishing operator can tailor payloads based on the user-agent header.
Figure 3. Example of a malicious email that delivers malware to the victim’s device by abusing the n8n platform.
Talos observed a phishing campaign (shown in Figure 3) that used an n8n-hosted webhook link in emails that purported to be a shared Microsoft OneDrive folder. When clicked, the link opened a webpage in the targeted user’s browser containing a CAPTCHA.
Figure 4. HTML document delivered by the webhook presenting a CAPTCHA.
Once the CAPTCHA is completed, a download button appears, triggering a progress bar as the payload is downloaded from an external host. Because the entire process is encapsulated within the JavaScript of the HTML document, the download appears to the browser to have come from the n8n domain.
Figure 5. HTML and JavaScript payload of the webhook downloads an executable file from a malicious URL.
In this case, the payload was an .exe file named “DownloadedOneDriveDocument.exe” that posed as a self-extracting archive. When opened, it installed a modified version of the Datto Remote Monitoring and Management (RMM) tool and executed a chain of PowerShell commands.
Figure 6. Downloaded executable and the document it deploys (an installer for an RMM tool).
The PowerShell commands generated by the malicious executable extract and configure the Datto RMM tool, configure it as a scheduled task, and then launch it, establishing a connection to a relay on Datto’s “centrastage[.]net” domain before deleting themselves and the rest of the payload.
Figure 7. The webhook-delivered “DownloadedOneDriveDocument.exe” malware attack chain.
Talos observed a similar campaign that also utilized an n8n webhook to deliver a different payload. Like the previous instance, it featured a self-contained phishing page delivered as a data stream from the webhook, protected with a CAPTCHA for human verification.
Figure 8. Second CAPTCHA variant presented by n8n webhook.
This CAPTCHA code was significantly simpler than the first case. The payload delivered upon solving the CAPTCHA was a maliciously modified Microsoft Windows Installer (MSI) file named “OneDrive_Document_Reader_pHFNwtka_installer.msi”. Protected by the Armadillo anti-analysis packer, the payload deployed a different backdoor: the ITarian Endpoint Management RMM tool. When executed by “msiexec.exe”, the file installs a modified version of the ITarian Endpoint RMM, which acts as a backdoor while running Python modules to exfiltrate information from the target’s system. During this process, a fake installer GUI displays a progress bar; once finished, the bar resets to 0% and the application exits, creating the illusion of a failed installation.
Abusing n8n for fingerprinting
Talos observed another common abuse case: device fingerprinting. This is achieved by embedding an invisible image (or tracking pixel) within an email. For example, when the <img> HTML tag is used, it tells the email client (e.g., Outlook or Gmail) to fetch an image from a specific URL. Figure 9 shows an example spam email in the Spanish language that leverages this technique.
Figure 9. Email example where n8n is abused to fingerprint the recipient’s device.
When the email client attempts to load the image, it automatically sends an HTTP GET request to the specified address, which is an n8n webhook URL. These URLs include tracking parameters (such as the victim’s email address), allowing the server to identify exactly which user opened the email. Also, it is clear how this image is made invisible by using the “display” and “opacity” CSS properties.
Figure 10. HTML source snippet of the email in Figure 9.
The second example below uses the same technique to track email opens and fingerprint the recipient’s device. Here, the sender tries to get a hold of recipient by introducing a new gift card feature.
Figure 11. Email example where n8n is abused to fingerprint the recipient’s device.Figure 12. HTML source snippet of email in Figure 11.
Conclusion
The same workflows designed to save developers hours of manual labor are now being repurposed to automate the delivery of malware and fingerprinting devices due to their flexibility, ease of integration, and seamless automation. As we continue to leverage the power of low-code automation, it’s the responsibility of security teams to ensure these platforms and tools remain assets rather than liabilities.
Protection
Because several AI automation platforms exist today that are inherently designed to be flexible and trustworthy, the security community must move beyond simple static analysis to effectively counter their abuse. For instance, instead of blocking entire domains, which would disrupt legitimate business workflows, security researchers should investigate behavioral detection approaches. These should trigger alerts when high volumes of traffic are directed toward such platforms from unexpected internal sources. Similarly, if an endpoint attempts to communicate with an AI automation platform’s domain (e.g., “n8n.cloud”) that is not part of the organization’s authorized workflow, it should trigger an immediate alert.
Collaborative intelligence sharing is another effective approach to countering malicious email campaigns. Security teams should prioritize sharing indicators of compromise (IOCs) — such as specific webhook URL structures, malicious file hashes, and command and control (C2) domains — with platforms like Cisco Talos Intelligence.
Last but not least, safeguarding against these complex threats necessitates a comprehensive email security solution that utilizes AI-driven detection. Secure Email Threat Defense employs distinctive deep learning and machine learning models, incorporating Natural Language Processing, within its sophisticated threat detection systems. It detects harmful techniques employed in attacks against your organization, extracts unmatched context for particular business risks, offers searchable threat data, and classifies threats to identify which sectors of your organization are most at risk of attack. You can register now for a free trial of Email Threat Defense.
IOCs
IOCs for this threat also available on our GitHub repository here.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-15 11:06:362026-04-15 11:06:36The n8n n8mare: How threat actors are misusing AI workflow automation