{
	"id": "b8c211b1-0541-4364-a721-79b59f7b010d",
	"created_at": "2026-04-06T00:21:17.292478Z",
	"updated_at": "2026-04-10T03:21:32.513297Z",
	"deleted_at": null,
	"sha1_hash": "20690f1da9e4c804716b0bd985b138b7e38920f3",
	"title": "Potential Legacy Risk from Malware Targeting QNAP NAS Devices | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74372,
	"plain_text": "Potential Legacy Risk from Malware Targeting QNAP NAS\r\nDevices | CISA\r\nPublished: 2020-08-06 · Archived: 2026-04-05 13:36:59 UTC\r\nSummary\r\nThis is a joint alert from the United States Cybersecurity and Infrastructure Security Agency (CISA) and the\r\nUnited Kingdom’s National Cyber Security Centre (NCSC).\r\nCISA and NCSC are investigating a strain of malware known as QSnatch, which attackers used in late 2019 to\r\ntarget Network Attached Storage (NAS) devices manufactured by the firm QNAP.  \r\nAll QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security\r\nfixes. The malware, documented in open-source reports, has infected thousands of devices worldwide with a\r\nparticularly high number of infections in North America and Europe. Further, once a device has been infected,\r\nattackers can prevent administrators from successfully running firmware updates.\r\nThis alert summarizes the findings of CISA and NCSC analysis and provides mitigation advice.\r\nClick here for a PDF version of this report from NCSC.\r\nFor a downloadable copy of IOCs, see STIX file.\r\nTechnical Details\r\nCampaigns  \r\nCISA and NCSC have identified two campaigns of activity for QSnatch malware. The first campaign likely began\r\nin early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019.\r\nThe two campaigns are distinguished by the initial payload used as well as some differences in capabilities. This\r\nalert focuses on the second campaign as it is the most recent threat.  \r\nIt is important to note that infrastructure used by the malicious cyber actors in both campaigns is not currently\r\nactive, but the threat remains to unpatched devices.  
\r\nAlthough the identities and objectives of the malicious cyber actors using QSnatch are currently unknown, the\r\nmalware is relatively sophisticated, and the cyber actors demonstrate an awareness of operational security.\r\nGlobal distribution of infections  \r\nAnalysis shows a significant number of infected devices. In mid-June 2020, there were approximately 62,000\r\ninfected devices worldwide; of these, approximately 7,600 were in the United States and 3,900 were in the United\r\nKingdom. Figure 1 below shows the location of these devices in broad geographic terms.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-209a\r\nPage 1 of 4\n\nFigure 1: Locations of QNAP NAS devices infected by QSnatch\r\nDelivery and exploitation\r\nThe infection vector has not been identified, but QSnatch appears to be injected into the device firmware during\r\nthe infection stage, with the malicious code subsequently run within the device, compromising it. The attacker\r\nthen uses a domain generation algorithm (DGA)—to establish a command and control (C2) channel that\r\nperiodically generates multiple domain names for use in C2 communications—using the following HTTP GET\r\nrequest:\r\nHTTP GET https://[generated-address]/qnap_firmware.xml?=t[timestamp] [1]\r\nMalware functionalities  \r\nAnalysis shows that QSnatch malware contains multiple functionalities, such as:  \r\nCGI password logger \r\nThis installs a fake version of the device admin login page, logging successful authentications and\r\npassing them to the legitimate login page.\r\nCredential scraper\r\nSSH backdoor  \r\nThis allows the cyber actor to execute arbitrary code on a device.\r\nExfiltration\r\nWhen run, QSnatch steals a predetermined list of files, which includes system configurations and\r\nlog files. 
These are encrypted with the actor’s public key and sent to their infrastructure over\r\nHTTPS.\r\nWebshell functionality for remote access\r\nPersistence\r\nThe malware appears to gain persistence by preventing updates from installing on the infected QNAP device. The\r\nattacker modifies the system hosts file, redirecting core domain names used by the NAS to local out-of-date\r\nversions so updates can never be installed.  \r\nSamples\r\nThe following tables provide hashes of related QSnatch samples found in open-source malware repositories. File\r\ntypes fall into two buckets: (1) shell scripts (see table 1) and (2) shell script compiler (SHC)-compiled executable\r\nand linking format (ELF) shell scripts (see table 2). One notable point is that some samples intentionally patch the\r\ninfected QNAP for Samba remote code execution vulnerability CVE-2017-7494.  \r\nTable 1: QSnatch samples – shell scripts\r\nSH Samples (SHA256)\r\n09ab3031796bea1b8b79fcfd2b86dac8f38b1f95f0fce6bd2590361f6dcd6764\r\n3c38e7bb004b000bd90ad94446437096f46140292a138bfc9f7e44dc136bac8d\r\n8fd16e639f99cdaa7a2b730fc9af34a203c41fb353eaa250a536a09caf78253b\r\n473c5df2617cee5a1f73880c2d66ad9668eeb2e6c0c86a2e9e33757976391d1a\r\n55b5671876f463f2f75db423b188a1d478a466c5e68e6f9d4f340396f6558b9f\r\n9526ccdeb9bf7cfd9b34d290bdb49ab6a6acefc17bff0e85d9ebb46cca8b9dc2\r\n4b514278a3ad03f5efb9488f41585458c7d42d0028e48f6e45c944047f3a15e9\r\nfa3c2f8e3309ee67e7684abc6602eea0d1d18d5d799a266209ce594947269346\r\n18a4f2e7847a2c4e3c9a949cc610044bde319184ef1f4d23a8053e5087ab641b\r\n9791c5f567838f1705bd46e880e38e21e9f3400c353c2bf55a9fa9f130f3f077\r\na569332b52d484f40b910f2f0763b13c085c7d93dcdc7fea0aeb3a3e3366ba5d\r\na9364f3faffa71acb51b7035738cbd5e7438721b9d2be120e46b5fd3b23c6c18\r\n62426146b8fcaeaf6abb24d42543c6374b5f51e06c32206ccb9042350b832ea8\r\n5cb5dce0a1e03fc4d3ffc831e4a356bce80e928423b374fc80ee997e7c62d3f8\r\n5130282cdb4e371b5b9257e6c992fb7c11243b2511a6d4185eafc0faa0e0a3a6\r\n15892206207fdef1a60af17684ea18bcaa5434a1c7bdca55f460bb69abec0bdc\r\n3cb052a7da6cda9609c32b5bafa11b76c2bb0f74b61277fecf464d3c0baeac0e\r\n13f3ea4783a6c8d5ec0b0d342dcdd0de668694b9c1b533ce640ae4571fdbf63c\r\nTable 2: QSnatch samples – SHC-compiled ELF shell scripts\r\nSH Samples (SHA256)\r\n18a4f2e7847a2c4e3c9a949cc610044bde319184ef1f4d23a8053e5087ab641b\r\n3615f0019e9a64a78ccb57faa99380db0b36146ec62df768361bca2d9a5c27f2\r\n845759bb54b992a6abcbca4af9662e94794b8d7c87063387b05034ce779f7d52\r\n6e0f793025537edf285c5749b3fcd83a689db0f1c697abe70561399938380f89\r\nMitigations\r\nAs stated above, once a device has been infected, attackers have been known to make it impossible for\r\nadministrators to successfully run the needed firmware updates. This makes it extremely important for\r\norganizations to ensure their devices have not been previously compromised. 
Organizations that are still\r\nrunning a vulnerable version should take the following steps to ensure the device is not left vulnerable:\r\nScan the device with the latest version of Malware Remover, available in QNAP App Center, to detect\r\nand remove QSnatch or other malware.\r\nIf the installation via App Center fails, manually install Malware Remover following this QNAP\r\ntutorial, or contact QNAP Technical Support for further assistance.\r\nRun a full factory reset on the device.\r\nUpdate the firmware to the latest version.\r\nThe usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this\r\nrecommendation also applies to devices previously infected with QSnatch but from which the malware has\r\nbeen removed.\r\nTo prevent QSnatch malware infections, CISA and NCSC strongly recommend that organizations take the\r\nrecommended measures in QNAP’s November 2019 advisory.[2]\r\nCISA and NCSC also recommend organizations consider the following mitigations:  \r\nVerify that you purchased QNAP devices from reputable sources.  \r\nIf sources are in question then, in accordance with the instructions above, scan the device with the\r\nlatest version of the Malware Remover and run a full factory reset on the device prior to\r\ncompleting the firmware upgrade. For additional supply chain recommendations, see CISA’s tip\r\non Securing Network Infrastructure Devices.\r\nBlock external connections when the device is intended to be used strictly for internal storage.\r\nReferences\r\n[1] QSnatch - Malware designed for QNAP NAS devices\r\n[2] QNAP: Security Advisory for Malware QSnatch\r\nRevisions\r\nJuly 27, 2020: Initial Version|August 4, 2020: Updated Mitigations section|August 6, 2020: Updated Mitigations\r\nsection\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-209a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-209a"
	],
	"report_names": [
		"aa20-209a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434877,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20690f1da9e4c804716b0bd985b138b7e38920f3.pdf",
		"text": "https://archive.orkl.eu/20690f1da9e4c804716b0bd985b138b7e38920f3.txt",
		"img": "https://archive.orkl.eu/20690f1da9e4c804716b0bd985b138b7e38920f3.jpg"
	}
}