{
	"id": "71a93918-fffa-46dc-b240-d422a69cab9f",
	"created_at": "2026-04-06T00:06:07.207735Z",
	"updated_at": "2026-04-10T03:20:38.408464Z",
	"deleted_at": null,
	"sha1_hash": "392cccffc58ee2fae8f1422b3fc2924cbf7c78fb",
	"title": "QSnatch - Malware designed for QNAP NAS devices | NCSC-FI",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38465,
	"plain_text": "QSnatch - Malware designed for QNAP NAS devices | NCSC-FI\r\nPublished: 2019-10-25 · Archived: 2026-04-05 23:01:33 UTC\r\nNCSC-FI received reports via the Autoreporter service during mid October of infected devices attempting to\r\ncommunicate to specific command and control (C2) servers. Originally the malware was designated as Caphaw,\r\nwhich is targeted to Windows-operating systems, but the parameters used in the C2 traffic had strong indications\r\ntowards QNAP-devices, and an investigation was started.\r\nAbout the malware functionality\r\nWhen investigating the related domain names and the requests performed by the malware the functionality and\r\nfeatures of the malware were found in depth. The original infection method remains unknown, but during that\r\nphase malicious code is injected to the firmware of the target system, and the code is then run as part of normal\r\noperations within the device. After this the device has been compromised. The malware uses domain generation\r\nalgorithms to retrieve more malicious code from C2 servers. The retrieval method is \"HTTP GET\r\nhttps://\u003cgenerated-address\u003e/qnap_firmware.xml?=t\u003ctimestamp\u003e\", and this request is a strong indicator of\r\ncompromise.\r\nThe retrieved code will then be executed within the operating system with system rights. 
At this phase at least the\r\nfollowing will be done:\r\nOperating system timed jobs and scripts are modified (cronjob, init scripts)\r\nFirmware updates are prevented via overwriting update sources completely\r\nQNAP MalwareRemover App is prevented from being run\r\nAll usernames and passwords related to the device are retrieved and sent to the C2 server\r\nThe malware has modular capacity to load new features from the C2 servers for further activities\r\nCall-home activity to the C2 servers is set to run with set intervals\r\nThe malware was named QSnatch based on the target system and the \"snatching\" activity the malware performs.\r\nCleansing an infected device\r\nThe malware can be removed from an infected device with two possible methods: performing a full factory reset\r\n(effectively destroying all stored data within the device). Another unconfirmed method is to apply an update\r\nprovided by the vendor (see link below). NCSC-FI has not been able to confirm whether the update actually\r\nremoves the malware, and this is also acknowledged by the manufacturer. After cleansing the device further steps\r\nare required:\r\nChange all passwords for all accounts on the device\r\nRemove unknown user accounts from the device\r\nMake sure the device firmware is up-to-date and all of the applications are also updated\r\nRemove unknown or unused applications from the device\r\nInstall QNAP MalwareRemover application via the App Center functionality\r\nSet an access control list for the device (Control panel -\u003e Security -\u003e Security level)\r\nIn case of further assistance we recommend contacting QNAP support (see link below).\r\nNCSC-FI recommends that NAS devices are categorically not exposed to the internet without firewalling to\r\nprevent external attacks. 
Additionally constant updates will provide protection against vulnerabilities found within\r\nthe systems.\r\nUpdate Nov 4th 2019\r\nQNAP has released updated instructions and a version of their MalwareRemover app for detecting and cleaning\r\nup infected devices.\r\nNCSC-FI would like to thank Doina Cosovan of SecurityScorecard for providing us with the initial information\r\nand collaboration in investigating this threat.\r\nSource: https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices"
	],
	"report_names": [
		"qsnatch-malware-designed-qnap-nas-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775433967,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/392cccffc58ee2fae8f1422b3fc2924cbf7c78fb.pdf",
		"text": "https://archive.orkl.eu/392cccffc58ee2fae8f1422b3fc2924cbf7c78fb.txt",
		"img": "https://archive.orkl.eu/392cccffc58ee2fae8f1422b3fc2924cbf7c78fb.jpg"
	}
}