ANY.RUN has observed a sustained surge in a credential-phishing campaign active since 2024. This campaign, dubbed BlobPhish, introduces a sneaky twist: instead of delivering phishing pages via traditional HTTP requests, it generates them directly inside the victim’s browser using blob objects. The result is a phishing payload that lives entirely in memory, leaving little to no trace in logs, caches, or network telemetry. 

The campaign targets credentials across multiple platforms, including Microsoft 365, banking services, and webmail portals, making it both widespread and high-impact. 

Key Takeaways 

• Memory-resident evasion: BlobPhish loads entire phishing pages as in-browser blob objects, bypassing file-based and network-based detection entirely. 

• Broad targeting: The campaign hits Microsoft 365 alongside major U.S. banks (Chase, Capital One, FDIC, E*TRADE, Schwab) and webmail services. 

• Persistent and active: First observed in October 2024, the operation continues uninterrupted as of April 2026 with a major spike in February 2026. 

• Compromised infrastructure: Attackers routinely abuse legitimate WordPress sites and reuse exfiltration endpoints (res.php, tele.php, panel.php). 

• High-value credential theft: Stolen accounts enable BEC, data exfiltration, and lateral movement — threats that carry multimillion-dollar consequences. 

• Global but finance-focused: One-third of victims are in the U.S.; phishing pages almost exclusively mimic premium financial and Microsoft services regardless of victim industry. 

• ANY.RUN delivers proactive defense: Sandbox instantly reveals blob behavior in real browsers, while TI Lookup and TI Feeds provide real-time IOCs and YARA rules for automated blocking and hunting, turning reactive security into prevention. 

How BlobPhish works 

The attack is based on the abuse of browser Blob objects to serve fake authentication forms. A JavaScript loader, fetched from an attacker-controlled page, constructs a Blob from a Base64-encoded payload and loads it directly into browser memory — never touching disk and never generating the traditional HTTP requests that security tools rely on to detect phishing. 

Targeted services include: Microsoft 365, OneDrive, SharePoint, Chase, FDIC, Capital One, E*Trade, American Express, Charles Schwab, Merrill Lynch, PayPal, Intuit, and others. 

Technical Deep Dive 

Because the phishing page exists only in memory and is referenced by the scheme blob:https://, it cannot be blocked by URL reputation engines, does not appear in proxy logs as a suspicious request, and leaves no cache artefact. This makes BlobPhish significantly harder to detect and investigate than conventional phishing. 

View the observed analysis session in ANY.RUN sandbox 

1. Delivery Vector 

The typical initial access point is a phishing email or a link to a trusted-looking service such as DocSend. Example phishing link: hxxps[://]docsend[.]com/view/vsrrknxprh2xt84n 
 
Upon clicking, the victim is redirected to an HTML page that contains the loader script. Example loader URL: hxxps[://]mtl-logistics[.]com/blb/blob[.]html 

2. Loader Script — Step by Step 

The loader uses jQuery to perform the following sequence invisibly to the user: 

• var a = $(“<a style=’display: none;’/>”) 
  Creates an invisible HTML anchor element; 

• var decodedStringAtoB = atob(encodedStringAtoB) 
  Decodes the Base64 payload; 

• const myBlob = new Blob([decodedStringAtoB], { type: ‘text/html’ });  →  Constructs the Blob object; 

• const url = window.URL.createObjectURL(myBlob) 
  Generates the blob: URL; 

• a.attr(“href”, url) 
  Attaches the URL to the hidden anchor; 

• $(“body”).append(a) 
  Injects the anchor into the DOM; 

• a[0].click() 
  Triggers navigation to the phishing page; 

• window.URL.revokeObjectURL(url); + a.remove() 
  Destroys evidence from memory and DOM. 

3. The Phishing Page 

The victim sees a convincing Microsoft 365 (or other financial service) login page. The browser address bar shows the scheme blob:https://, which can appear legitimate to an untrained eye.  

The page contains: 

• A spoofed credential-capture form:  

• Specific set of selectors for the used HTML elements:

• Exfiltration logic that POSTs captured credentials to an attacker-controlled endpoint:

• A failed-login counter to force repeated credential entry (increasing harvest accuracy), a final redirect to the legitimate service website to avoid suspicion: 

• Data is sent via a POST request as form-data: 

Observed exfiltration endpoint pattern: 

hxxps[://]mtl-logistics[.]com/css/sharethepoint/point/res[.]php 

4. YARA Detection Rule

The following YARA rule matches the loader HTML page and can be used in ANY.RUN Threat Intelligence Lookup to hunt for BlobPhish infrastructure: 

rule BlobPhishLoaderHTML 

{ 

    meta: 

        author = "ANY.RUN" 

        description = "Matches HTML pages with JS-script which creates and loads 

                       phishing page as blob-object" 

    strings: 

        $s1 = "function saveFile(" ascii 

        $s2 = "var a = $("<a style='display: none;'/>");" fullword ascii 

        $s3 = "var encodedStringAtoB" fullword ascii 

        $s4 = "var decodedStringAtoB = atob(encodedStringAtoB);" fullword ascii 

        $s5 = "window.URL.createObjectURL(myBlob);" fullword ascii 

        $s6 = "window.URL.revokeObjectURL(url);" fullword ascii 

    condition: 

        all of them 

} 

5. Exfiltration Infrastructure by Target 

Pivoting on url:”/res.php$” and via the YARA rule above, ANY.RUN researchers identified multiple targets and corresponding exfiltration URLs.  

1. Capital One 

View sandbox analysis 

Exfiltration URL: hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php 

2. Chase Banking

View sandbox analysis 

Exfiltration URL: hxxps[://]hnint[.]net/cgi-bin/peacemind//res[.]php 

3. Morgan Stanley E*Trade

View sandbox analysis 

Exfiltration URL: hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//res[.]php

Variants with exfiltration to url:”*/tele.php” with a roughly similar request structure were also observed view a sandbox analysis with exfiltration URL hxxps[://]_wildcard_[.]gonzalezlawnandlandscaping[.]com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele[.]php.

Importantly, in some cases calls to the service endpoint /panel.php have been observed. In response to a POST request, an error and its description (e.g., “IP not found”) are returned. 
 
Example POST URL: hxxps[://]hnint[.]net/cgi-bin/peacemind//panel[.]php 

6. HTTP Detection Patterns 

The following HTTP traffic signatures reliably identify BlobPhish activity in proxy and SIEM logs: 

• POST */res.php  — credentials in body (MIME: form-data or x-www-form-urlencoded); 

• POST */tele.php  — credentials in body (MIME: form-data or x-www-form-urlencoded); 

• POST */panel.php  — empty body; response: JSON with error & description (e.g., “IP not found”). 

7. Delivery Methods 

The following initial-access vectors have been observed: 

• Phishing emails with financial lures (suspicious transaction, personal loan/operation confirmation, invoice & document signature, disputed payment); 

• PDF attachments containing a QR code that leads to a malicious JS page and subsequently the blob:http scheme and */res.php exfiltration pattern (observed in an energy-sector campaign); 

• Shortened links (e.g., via t.co) redirecting through JS to the blob:http payload; 

• Links to legitimate-looking document-sharing services such as DocSend. 

Threat Landscape 

First spotted in October 2024, BlobPhis has proved itself as a sustained, continuously evolving campaign that remains active at the time of publication. 

Analysis of related artefacts shows that the threat actors regularly rotate infrastructure, exfiltration endpoints, loader hosting domains, and phishing lure themes. They also vary the path names of the loader pages (blob.html, blom.html, bloji.html, emailandpasssss.html) and exfiltration scripts (res.php, tele.php), complicating static signature-based detection. 

Targeted Industries 

Although the phishing lures predominantly impersonate financial and cloud services, the victim organizations span multiple sectors: 

• Finance, 

• Manufacturing, 

• Education, 

• Government, 

• Transport, 

• Telecommunications.  

Regardless of the victim’s industry, attackers focus on harvesting credentials for high-value financial and cloud corporate services — increasing the probability of capturing credentials that unlock significant monetary or data assets. 

Financial institutions and cloud-productivity platforms most frequently spoofed: 

• Capital One, 

• American Express, 

• JPMorgan Chase, 

• Intuit, 

• Charles Schwab, 

• Morgan Stanley’s E*TRADE, 

• Merrill Lynch, 

• PayPal, 

• Microsoft 365 / OneDrive / SharePoint (used as a document-access lure).  

Geography 

Approximately one-third of observed activity involves US-based users and organisations. BlobPhish  activity has been observed from: Germany, Poland, Spain, Switzerland, United Kingdom, Australia, South Korea, Saudi Arabia, Qatar, Jordan, India, and Pakistan. 

Business Impact: Why BlobPhish Is a Board-Level Risk 

BlobPhish does not just steal one employee’s password. By targeting the financial, cloud, and productivity accounts that employees use every day, a single successful compromise can cascade into: 

• Unauthorized wire transfers or fraudulent invoices (Business Email Compromise follow-on); 

• Full Microsoft 365 tenant takeover — email, SharePoint, Teams, and connected SaaS apps; 

• Regulatory exposure (GDPR, SEC, FFIEC, PCI-DSS) from confirmed data exfiltration; 

• Reputational damage when customer or partner data is compromised; 

• Operational disruption if attacker pivots to ransomware after credential harvest. 

Security and risk teams should model the following impact chains when a BlobPhish credential is compromised: 

• Microsoft 365 credential → MFA fatigue or session token theft → full mailbox access → BEC fraud or data exfiltration to partners/clients; 

• Banking credential (Chase, CapitalOne) → account takeover → wire fraud or ACH manipulation; 

• Investment platform credential (Schwab, E*TRADE, Merrill) → unauthorized trades or fund transfer; 

• Any cloud credential → lateral movement to connected SaaS → ransomware deployment. 

Regulatory consequences may include mandatory breach notification under GDPR (72-hour window), SEC cybersecurity incident disclosure requirements, and FFIEC guidance on authentication for financial institutions. 

How ANY.RUN Helps You Stay Ahead 

ANY.RUN provides the complementary capabilities that address BlobPhish at every stage of the threat lifecycle: from proactive hunting to real-time detection and automated feed enrichment. 

1. Analyze Alerts & Artifacts to Prevent Attack 

When a suspicious link or email is forwarded to the security team, ANY.RUN’s fully interactive cloud sandbox executes the entire BlobPhish kill chain in a safe cloud environment: 

• The JavaScript loader runs, the Base64 payload is decoded, and the blob: URL is created, exactly as it would on a victim’s machine. 

• Analysts watch the live session and see the fake login page render, observe the POST to */res.php, and capture all network artefacts. 

• Because execution happens in a real browser, there are no emulation gaps that the attacker’s anti-sandbox checks could exploit. 

• Full analysis reports — including screenshots, network traffic, memory artefacts, and extracted IOCs — are generated in minutes. 

This means your SOC can definitively confirm or dismiss a BlobPhish suspicion within minutes rather than hours, without risking any internal system. 

2. Stop Future Attacks by Enriching Proactive Defense 

Threat Intelligence Lookup gives threat hunters direct, query-based access to the ANY.RUN database of analyzed samples and infrastructure: 

• Run YARA-based searches to find all samples matching the BlobPhishLoaderHTML rule. 

• Pivot on URL patterns (url:”/res.php$”, url:”*/blob.html$”) to discover new attacker infrastructure the moment it appears in the wild. 

url:”*/res.php$” AND url:”*/blob.html$” and threatName:”phishing” 

• Correlate domains, IPs, file hashes, and HTTP patterns across millions of analyzed tasks. 

• Export results directly into SIEM, SOAR, or ticketing workflows. 

Security teams can monitor this campaign continuously rather than reacting after a compromise. New loader domains and exfiltration endpoints are surfaced as soon as ANY.RUN community members (and automated systems) submit related tasks. 

3. Automate Monitoring with Live Intelligence 

Threat Intelligence Feeds deliver structured, machine-readable threat intelligence in STIX/TAXII or flat-file formats, enabling automated enforcement across your security stack: 

• BlobPhish-related domains, IPs, and URL patterns are automatically pushed to firewalls, proxies, and SIEM correlation rules. 

• Indicators are enriched with context (campaign name, targeted brand, exfiltration pattern, confidence level) so that alerts are actionable, not just noisy. 

• Feeds are updated in near-real-time as the campaign evolves, meaning your defenses track the attacker’s infrastructure rotation without manual analyst effort. 

• Integration is supported with leading SIEM/SOAR platforms (Splunk, Microsoft Sentinel, Palo Alto XSOAR, and others) via standard connectors. 

Rather than relying solely on reactive detection, TI Feeds shift your posture to proactive blocking: exfiltration endpoints are denied before a single employee credential can be harvested. 

Indicators of Compromise (IOCs) 

URLs 

• hxxps[://]mtl-logistics[.]com/blb/blob[.]html 

• hxxps[://]mtl-logistics[.]com/css/sharethepoint/point/res[.]php 

• hxxps[://]larva888[.]com/wp-includes/css/dist/tmp/vmo[.]html 

• hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php 

• hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//panel[.]php 

• hxxps[://]mail[.]hubnorte[.]com[.]br/blom[.]html 

• hxxps[://]riobeautybrazil[.]com/wp-admin/amx/res[.]php 

• hxxps[://]riobeautybrazil[.]com/wp-admin/amx/panel[.]php 

• hxxps[://]hnint[.]net/bloji[.]html 

• hxxps[://]hnint[.]net/cgi-bin/peacemind//res[.]php 

• hxxps[://]hnint[.]net/cgi-bin/peacemind//panel[.]php 

• hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/blob[.]html 

• hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//res[.]php 

• hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//panel[.]php 

• hxxps[://]i-seotools[.]com/wp-content/citttboy[.]html 

• hxxps[://]mts-egy[.]net/wp-content/plugins/owpsyzj/cgi-ent/res[.]php 

• hxxps[://]mts-egy[.]net/wp-content/plugins/owpsyzj/cgi-ent/panel[.]php 

• hxxps[://]localmarketsense[.]com/wp-includes/Text/sxzmqkp/krtxbvo/sahz1xi/cgi-ent/emailandpasssss[.]html 

• hxxps[://]_wildcard_[.]gonzalezlawnandlandscaping[.]com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele[.]php 

Domains 

• mtl-logistics[.]com 

• larva888[.]com 

• wajah4dslot[.]com 

• mail[.]hubnorte[.]com[.]br 

• riobeautybrazil[.]com 

• hnint[.]net 

• ftpbd[.]net 

• i-seotools[.]com 

• mts-egy[.]net 

Conclusion 

BlobPhish represents a mature, well-maintained phishing operation that has been running continuously for over eighteen months. Its core innovation — abusing the browser’s Blob URL API to serve phishing pages entirely in memory — renders the campaign invisible to a wide range of conventional controls including secure email gateways, URL filters, web proxies, and file-based endpoint solutions. 

For security teams, the takeaway is clear: static and perimeter-based defenses are insufficient against this class of attack. Effective defense requires dynamic analysis (to execute and observe the full attack chain), proactive threat hunting (to discover attacker infrastructure before it is weaponized against your organization), and automated, continuously updated threat intelligence feeds that propagate IOCs across the entire security stack in near-real-time. 

About ANY.RUN   

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.   

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.   

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

FAQ

The post BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

In 2023, Tim Utzig, a blind student from Baltimore, lost a thousand dollars to a laptop scam on X. Tim had been a long-time follower of a well-known sports journalist. When that journalist’s account started posting about a “charity sale” of brand-new MacBook Pros, Tim jumped at the chance to get a deal on a laptop he needed for his studies. After a few quick messages, he sent over the money.

Unfortunately, the journalist’s account had been hacked, and Tim’s cash went straight to scammers. The red flags were strictly visual: the page had been flagged as “temporarily restricted”, and both the bio and the Following list had changed. However, Tim’s screen reader — the software that converts on-screen text and graphics into speech — didn’t announce any of those warnings.

Screen readers allow blind users to navigate the digital world like everyone else. However, this community remains uniquely vulnerable. Even for sighted users, spotting a fake website is a challenge; for someone with a visual impairment, it’s an even steeper uphill battle.

Beyond screen readers, there are specialized mobile apps and services designed to assist the blind and low-vision community, with Be My Eyes being one of the most popular. The app connects users with sighted volunteers via a live video call to tackle everyday tasks — like setting an oven dial or locating an object on a desk. Be My Eyes also features integrated AI that can scan and narrate text or identify objects in the user’s environment.

But can these tools go beyond daily chores? Can they actually flag a phishing attempt or catch the hidden fine print when someone is opening a bank account?

Today we explore the specific online hurdles visually impaired users face, when it makes sense to lean on human or virtual assistants, and how to stay secure when using these types of services.

Common cyberthreats facing the blind and low-vision community

To start, let’s clarify the difference between these two groups. Low-vision users still rely on their remaining sight, even though their visual function is significantly reduced. To navigate digital interfaces, they often use screen magnifiers, extra-large fonts, and high-contrast settings. For them, phishing sites and emails are particularly dangerous. It’s easy to miss intentional typos — known as typosquatting — in a domain name or email address, such as the recent example of rnicrosoft{.}com.

Blind users navigate primarily by sound, using screen readers and specific touch gestures. Interestingly, though, unlike those with low vision, blind users are more likely to spot a phishing site using a screen reader: as the software reads the URL aloud, the user will hear that something is off. However, if a service — whether legitimate or malicious — isn’t fully compatible with screen readers, the risk of falling victim to a scam increases. This is exactly what happened to Tim Utzig.

It’s important to remember that screen magnifiers and readers are basic accessibility tools. They’re designed to enlarge or narrate an interface — not act as a security suite. They can’t warn the user of a threat on their own. That’s where more advanced software — tools that can analyze images and files, flag suspicious language, and describe the broader context of what’s happening on-screen — comes into play.

When to lean on an assistant

Be My Eyes is a major player in the accessibility space, boasting around 900 000 users and over nine million volunteers. Available on Windows, Android, and iOS, it bridges the gap by connecting blind and low-vision users with sighted volunteers via video calls for help with everyday tasks. For example, if someone wants to run a Synthetics cycle on their washing machine but can’t find the right button, they can hop into the app. It connects them with the first available volunteer speaking their language, who then uses the smartphone’s camera to guide them. The service is currently available in 32 languages.

In 2023, the app expanded its capabilities with the release of Be My AI — a virtual assistant powered by OpenAI’s GPT-4. Users take a photo, and the AI analyzes the image to provide a detailed text description, which it also reads aloud. Users can even open a chat window to ask follow-up questions. This got us thinking: could this AI actually spot a phishing site?

As an experiment, we uploaded a screenshot of a fake social media sign-in page to Be My Eyes. On a phone, you can do this by selecting a photo in your gallery or files, hitting Share, and choosing Describe with Be My Eyes. In Windows, you can upload a screenshot directly.

At first, the AI gave us a detailed description of the page. We then followed up in the chat: “Can I trust this page?” The AI flagged the domain name error immediately, advised us to close the fake login page, and suggested typing the official URL directly into the browser, or to use the official Facebook app.

We saw the same positive results when testing a phishing email. In fact, the AI flagged the scam during its initial description of the message. It wrapped up with a warning: “This looks like a suspicious email. It’s best not to open any attachments or click any links. Instead, navigate to the official website or app manually, or call the number listed on their official site”.

Beyond just spotting cyberthreats, Be My AI is a solid sidekick for navigating online stores, banking apps, and digital services. For instance, the AI can help you to:

• Read descriptions, names, and prices when a store’s website or app doesn’t support screen readers or large fonts
• Scan those tricky terms and conditions — often buried in tiny text or otherwise inaccessible to a screen reader — when you’re signing up for a subscription or opening a bank account
• Pull key info directly from product cards or instruction manuals

The risks of relying on Be My AI

The most common hiccup with AI is hallucinations, where the language model distorts text, skips crucial details, or invents words out of thin air. When it comes to cyberthreats, an AI’s misplaced confidence in a malicious site or email can be dangerous. Furthermore, AI isn’t immune to prompt injection attacks, which scammers use to trick AI agents beyond just Be My AI.

Even though the AI passed our test, you shouldn’t rely on it unquestioningly. There’s no guarantee it’ll get it right every time. This is a vital point for the blind and low-vision community, as a neural network can often feel like the only eyes available.

At the end of every response, Be My AI suggests checking in with a volunteer if you’re still unsure. However, when you’re trying to spot a fake webpage, we advise against this. You have no way of knowing how tech-savvy or trustworthy a random volunteer might be. Besides, you risk accidentally exposing sensitive data like your email address or password. Before connecting with a stranger, make sure they won’t see anything confidential on your screen. Better yet, use the app’s dedicated feature to create a private group of family, friends, or trusted contacts. This ensures your video call goes to people you actually know, rather than a random volunteer.

To stay safe, we recommend installing a trusted security tool on all your devices. These programs are designed to block phishing attempts and prevent you from landing on malicious sites. Another practical recommendation for visually impaired users is to use a password manager. These apps will only auto-fill credentials on the legitimate, saved website; they won’t be fooled by a clever domain spoof.

How Be My AI handles and stores your data

According to the Be My Eyes privacy policy, video calls with volunteers may be recorded and stored to provide the service, ensure safety, enforce the terms of service, and improve the products. When you use Be My AI, your images and text prompts are sent to OpenAI to generate a response. This data is processed on servers located in the U.S., and OpenAI uses it only to fulfill your specific request. The policy explicitly states that user images and queries aren’t used to train AI models.

Photos and videos are encrypted both in transit and at rest, and the company takes steps to strip away sensitive information. It’s worth noting that video call recordings can be retained indefinitely unless you request their deletion — in which case they’re typically wiped within 30 days. Data from Be My AI interactions is stored for up to 30 days unless you delete it manually within the app. If you decide to close your account, your personal data may be held for up to 90 days. At any time, you can opt out of data sharing, or request the deletion of your existing data by contacting the Be My Eyes support team.

How to use Be My Eyes safely

Despite Be My Eyes’ claims regarding privacy, you should still follow a few ground rules when using the service:

• Use Be My AI for a first-pass on suspicious emails or pages, but don’t treat it as the only source of truth. Specialized security software is better at identifying and neutralizing threats.
• If a site, email, or message feels off, don’t touch any links or attachments. Instead, manually type the official website address into your browser, or open the official app to verify the info.
• Remember: a volunteer sees exactly what your camera sees. Make sure it isn’t capturing things it shouldn’t, like a safe code or an open passport. Avoid sharing your name, showing your face, or revealing too much of your surroundings. Be extra careful about reflections that might show you or your personal details. Only show what is absolutely necessary for the task at hand.
• Stick to your inner circle. Create a group in the app and add your friends and family. This ensures your video calls go to people you know — not a random volunteer.
• Don’t use Be My AI to read documents that contain confidential info. Remember, your images and text prompts are sent to OpenAI for processing and generating a response.
• Remember to delete chats you no longer need. Otherwise, they’ll hang around for 30 days.
• If you need to read something personal or confidential, consider apps with real-time reading features like Envision, Seeing AI, or Lookout. These apps process data locally on your device rather than sending it to the cloud.

Kaspersky official blog – ​Read More

• Cisco Talos research has uncovered agentic AI workflow automation platform abuse in emails. Recently, we identified an increase in the number of emails that abuse n8n, one of these platforms, from as early as October 2025 through March 2026. 
• In this blog, Talos provides concrete examples of how threat actors are weaponizing legitimate automation platforms to facilitate sophisticated phishing campaigns, ranging from delivering malware to fingerprinting devices.  
• By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access.

---

AI workflow automation platforms such as Zapier and n8n are primarily used to connect different software applications (e.g., Slack, Google Sheets, or Gmail) with AI models (e.g., OpenAI’s GPT-4 or Anthropic’s Claude). These platforms have been applied to different application domains, including cybersecurity over the past few months, especially with the progress that has been made in new avenues like large language models (LLMs) and agentic AI systems. However, much like other legitimate tools, AI workflow automation platforms can be weaponized to orchestrate malicious activities, like delivering malware by sending automated emails.

This blog describes how n8n, one of the most popular AI workflow automation platforms, has been abused to deliver malware and fingerprint devices by sending automated emails.

What is n8n?

N8n is a workflow automation platform that connects web applications and services (including Slack, GitHub, Google Sheets, and others with HTTP-based APIs) and builds automated workflows. A community-licensed version of the platform can be self-hosted by organizations. The commercial service, hosted at n8n.io, includes AI-driven features that can create agents capable of using web-based APIs to pull data from documents and other data sources.

Users can register for an n8n developer account at no initial charge. Doing so creates a subdomain on “tti.app.n8n[.]cloud” from which the user’s applications can be accessed. This is similar to many web-based AI-aided development tools, and one that malicious actors have harnessed elsewhere in the past; earlier this year, Talos observed another AI-oriented web application service, Softr.io, being used for the creation of phishing pages used in a series of targeted attacks.

How n8n’s webhooks work

Talos’ investigation found that a primary point of abuse in n8n’s AI workflow automation platform is its URL-exposed webhooks. A webhook, often referred to as a “reverse API,” allows one application to provide real-time information to another. These URLs register an application as a “listener” to receive data, which can include programmatically pulled HTML content. An example of an n8n webhook URL is shown in Figure 1.

When the URL receives a request, the subsequent workflow steps are triggered, returning results as an HTTP data stream to the requesting application. If the URL is accessed via email, the recipient’s browser acts as the receiving application, processing the output as a webpage.

Talos has observed a significant rise in emails containing n8n webhook URLs over the past year. For example, the volume of these emails in March 2026 was approximately 686% higher than in January 2025. This increase is driven, in part, by several instances of platform abuse, including malware delivery and device fingerprinting, as we will discuss in the next sections.

Abusing n8n for malware delivery

Because webhooks mask the source of the data they deliver, they can be used to serve payloads from untrusted sources while making them appear to originate from a trusted domain. Furthermore, since webhooks can dynamically serve different data streams based on triggering events — such as request header information — a phishing operator can tailor payloads based on the user-agent header.

Talos observed a phishing campaign (shown in Figure 3) that used an n8n-hosted webhook link in emails that purported to be a shared Microsoft OneDrive folder. When clicked, the link opened a webpage in the targeted user’s browser containing a CAPTCHA.

Once the CAPTCHA is completed, a download button appears, triggering a progress bar as the payload is downloaded from an external host. Because the entire process is encapsulated within the JavaScript of the HTML document, the download appears to the browser to have come from the n8n domain.

In this case, the payload was an .exe file named “DownloadedOneDriveDocument.exe” that posed as a self-extracting archive. When opened, it installed a modified version of the Datto Remote Monitoring and Management (RMM) tool and executed a chain of PowerShell commands.

The PowerShell commands generated by the malicious executable extract and configure the Datto RMM tool, configure it as a scheduled task, and then launch it, establishing a connection to a relay on Datto’s “centrastage[.]net” domain before deleting themselves and the rest of the payload.

Talos observed a similar campaign that also utilized an n8n webhook to deliver a different payload. Like the previous instance, it featured a self-contained phishing page delivered as a data stream from the webhook, protected with a CAPTCHA for human verification.

This CAPTCHA code was significantly simpler than the first case. The payload delivered upon solving the CAPTCHA was a maliciously modified Microsoft Windows Installer (MSI) file named “OneDrive_Document_Reader_pHFNwtka_installer.msi”. Protected by the Armadillo anti-analysis packer, the payload deployed a different backdoor: the ITarian Endpoint Management RMM tool. When executed by “msiexec.exe”, the file installs a modified version of the ITarian Endpoint RMM, which acts as a backdoor while running Python modules to exfiltrate information from the target’s system. During this process, a fake installer GUI displays a progress bar; once finished, the bar resets to 0% and the application exits, creating the illusion of a failed installation.

Abusing n8n for fingerprinting 

Talos observed another common abuse case: device fingerprinting. This is achieved by embedding an invisible image (or tracking pixel) within an email. For example, when the <img> HTML tag is used, it tells the email client (e.g., Outlook or Gmail) to fetch an image from a specific URL. Figure 9 shows an example spam email in the Spanish language that leverages this technique.

When the email client attempts to load the image, it automatically sends an HTTP GET request to the specified address, which is an n8n webhook URL. These URLs include tracking parameters (such as the victim’s email address), allowing the server to identify exactly which user opened the email. Also, it is clear how this image is made invisible by using the “display” and “opacity” CSS properties.

The second example below uses the same technique to track email opens and fingerprint the recipient’s device. Here, the sender tries to get a hold of recipient by introducing a new gift card feature.

Conclusion

The same workflows designed to save developers hours of manual labor are now being repurposed to automate the delivery of malware and fingerprinting devices due to their flexibility, ease of integration, and seamless automation. As we continue to leverage the power of low-code automation, it’s the responsibility of security teams to ensure these platforms and tools remain assets rather than liabilities.

Protection

Because several AI automation platforms exist today that are inherently designed to be flexible and trustworthy, the security community must move beyond simple static analysis to effectively counter their abuse. For instance, instead of blocking entire domains, which would disrupt legitimate business workflows, security researchers should investigate behavioral detection approaches. These should trigger alerts when high volumes of traffic are directed toward such platforms from unexpected internal sources. Similarly, if an endpoint attempts to communicate with an AI automation platform’s domain (e.g., “n8n.cloud”) that is not part of the organization’s authorized workflow, it should trigger an immediate alert.

Collaborative intelligence sharing is another effective approach to countering malicious email campaigns. Security teams should prioritize sharing indicators of compromise (IOCs) — such as specific webhook URL structures, malicious file hashes, and command and control (C2) domains — with platforms like Cisco Talos Intelligence.

Last but not least, safeguarding against these complex threats necessitates a comprehensive email security solution that utilizes AI-driven detection. Secure Email Threat Defense employs distinctive deep learning and machine learning models, incorporating Natural Language Processing, within its sophisticated threat detection systems. It detects harmful techniques employed in attacks against your organization, extracts unmatched context for particular business risks, offers searchable threat data, and classifies threats to identify which sectors of your organization are most at risk of attack. You can register now for a free trial of Email Threat Defense.

IOCs 

IOCs for this threat also available on our GitHub repository here. 

93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a 
7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0 
hxxps[://]onedrivedownload[.]zoholandingpage[.]com/my-workspace/DownloadedOneDrive 
hxxps[://]majormetalcsorp[.]com/Openfolder 
hxxps[://]pagepoinnc[.]app[.]n8n[.]cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496 
hxxps[://]monicasue[.]app[.]n8n[.]cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab 

Cisco Talos Blog – ​Read More

It’s one of those coincidences: independent university research teams stumble onto something new and prep their papers for publication — only to realize they’ve solved the exact same puzzle using slightly different methods. That’s exactly what happened with GDDRHammer and GeForge. These two studies describe Rowhammer-style attacks that are so similar the researchers decided to publish them as a joint effort. Then, while we were putting this post together, a third study surfaced — GPUBreach — detailing yet another comparable attack. So today we’re looking at all three.

All three theoretical attacks target graphics accelerators, though this term is not entirely accurate anymore since these devices are so good at parallel processing, they’ve moved far beyond just rendering frames in a game and are now the backbone of AI systems. It’s this industrial use case that is most at risk. Picture a cloud provider renting out GPU resources to all comers. These new attacks demonstrate how, in theory, a single malicious customer could go beyond seizing control of an accelerator to compromise the entire server, access sensitive data, and potentially hack the provider’s entire infrastructure. Let’s break down why this kind of attack is even possible.

Rowhammer in a nutshell

We covered Rowhammer in-depth in previous posts, but here’s the quick version. The original attack was first proposed back in 2014, and it exploits the actual physical properties of RAM chips. Individual memory cells are simple components arranged in tight rows. In theory, reading or writing to one cell shouldn’t affect its neighbors. However, because these chips are packed so densely — with millions or even billions of cells per chip — writing to one spot can sometimes modify the cells next to it.

The 2014 study showed that this isn’t just a recipe for random data corruption; it can be weaponized. By repeatedly accessing (or “hammering”, hence the name) a specific area of memory, an attacker can intentionally flip bits in adjacent cells. If an attacker manages to flip the right bits, he can bypass critical security measures to snag sensitive data or run unauthorized code with full privileges.

Since that first discovery, we’ve seen a constant arms race between new Rowhammer defenses and clever ways to bypass them. We’ve also seen the attack evolve to target newer standards like DDR4 and DDR5. That’s a key takeaway here: for every new type of memory that hits the market, researchers essentially have to reinvent the attack from scratch.

Attacking GDDR6 video memory

The first Rowhammer attack on GPUs was presented back in 2025, but the results were relatively modest. At the time, researchers were able to force bit-flips in GDDR6 memory cells, and show how that data corruption could degrade the performance of an AI system.

These latest papers, however, warn of much more damaging attacks on video memory. Using slightly different techniques, GDDRHammer and GeForge manipulate the page tables — basically the master structures that track where data lives in the GPU’s memory. This enables an attacker to read or write to any part of the video memory, and even reach into the main system RAM managed by the CPU. Modifications to page tables are possible because the researchers have found a way to hammer memory cells much more efficiently. They pulled this off despite the hardware using Target Row Refresh, a core defense designed specifically to stop Rowhammer. TRR detects repeated access to specific cells, and forces a data refresh in the neighboring rows to hamper the attack. However, the researchers discovered a specific pattern of access that can bypass TRR.

How realistic are these GPU attacks?

As is usually the case with this type of research, pulling off these attacks in the real world comes with a lot of contingencies. First off, different GPUs behave differently. For instance, the GeForge attack was significantly more effective on the consumer-grade GeForce RTX 3060. On the industrial-strength Nvidia RTX A6000, the attack’s efficiency dropped by more than five times — even though both cards use the exact same GDDR6 memory standard. Going back to our hypothetical scenario of a malicious cloud customer: for an attack to work, they’d first need to identify exactly which accelerator they’ve been assigned, then profile their exploit specifically for that hardware. In short, this would have to be an incredibly sophisticated and expensive targeted attack.

It’s also worth noting that GDDR6 isn’t the latest and greatest anymore. Consumer devices are moving to GDDR7, while professional-grade hardware often uses high-speed HBM memory. These systems come with ECC (Error Correction Code), a built-in mechanism that checks data integrity. ECC can actually be enabled on cards like the Nvidia A6000; while it might take a small bite out of performance, it effectively makes both of these attacks impossible.

Another tool available to owners of AI-focused servers is enabling the IOMMU (input–output memory management unit) — a system that isolates the GPU’s memory from the CPU’s memory. This will prevent an attack from escalating from the graphics accelerator to the main processor and compromising the entire server. This is where the third study, GPUBreach, comes into play. Its main differentiator from GDDRHammer and GeForge is that it can actually bypass even IOMMU protection! It pulls this off by exploiting some fairly traditional bugs found in NVIDIA drivers.

So, despite the existing hurdles, these three studies prove that Rowhammer attacks remain a potent threat. This is especially true in our current AI boom, which relies on massive, expensive, and potentially vulnerable infrastructure packed with dozens or even hundreds of thousands of computing devices. The Rowhammer timeline goes to show that technical barriers almost never hold for long. In standard RAM, researchers have managed to bypass not only basic fixes like Target Row Refresh, but also more advanced — and theoretically bulletproof — solutions like ECC memory. While the extreme complexity of these exploits means they’ll likely never become a mass-market threat, for anyone running expensive computing systems, they’re definitely a risk factor that can’t be ignored.

Kaspersky official blog – ​Read More