Signal

Widespread infostealer campaigns and n8n webhook abuse highlight evolving cyber threats


Published 2026-04-15 10:37 UTC · Updated 2026-04-15 17:09 UTC
malware · threat_actors · security_tooling · incident_response
Evidence trail (top sources)
Top sources (2 domains). Domains are deduped. Counts indicate coverage, not truth.
2 top sources shown
limited source diversity in top sources
Overview

Recent investigations reveal multiple campaigns distributing the NWHStealer infostealer through diverse lures including fake VPN installers, hardware utilities, and gaming mods.

Entities
Proton VPN, Malwarebytes, n8n, NWHStealer
  • Score total: 0.96
  • Momentum 24h: 2
  • Posts: 2
  • Origins: 2
  • Source types: 1
  • Duplicate ratio: 0%
Why now
  • NWHStealer campaigns are actively spreading through diverse and convincing lures as of April 2026.
  • n8n webhook abuse has been ongoing since October 2025, highlighting persistent exploitation of productivity tools.
  • Recent disclosures emphasize the need for vigilance against multi-vector malware distribution and automation misuse.
Why it matters
  • NWHStealer targets sensitive browser and cryptocurrency data, risking account compromise and financial loss.
  • Abuse of trusted automation platforms like n8n enables attackers to bypass security filters and scale phishing attacks.
  • Understanding these evolving tactics aids defenders in improving detection and response strategies.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: medium
Recurring claims
  • NWHStealer infostealer is distributed using fake VPN installers, hardware utilities, and gaming mods to steal browser and cryptocurrency data
  • Threat actors have abused n8n webhooks since October 2025 to automate phishing emails delivering malware, bypassing security filters
How sources frame it
  • Malwarebytes Threat Analysis: neutral
  • The Hacker News: neutral
All evidence
n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails
thehackernews · thehackernews.com · 2026-04-15 17:09 UTC
From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere
Malwarebytes Threat Analysis · malwarebytes.com · 2026-04-15 10:37 UTC
Top publishers (this list)
  • thehackernews (1)
  • Malwarebytes Threat Analysis (1)
Top origin domains (this list)
  • thehackernews.com (1)
  • malwarebytes.com (1)