{
	"id": "cc602a00-4347-4434-a569-04927ea3c5d2",
	"created_at": "2026-04-06T00:12:36.959083Z",
	"updated_at": "2026-04-10T03:23:51.192513Z",
	"deleted_at": null,
	"sha1_hash": "8b3e393bec8d48f79bd7d3f567001d9e8070d924",
	"title": "Synology warns of malware infecting NAS devices with ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 798122,
	"plain_text": "Synology warns of malware infecting NAS devices with ransomware\r\nBy Sergiu Gatlan\r\nPublished: 2021-08-09 · Archived: 2026-04-05 15:36:26 UTC\r\nTaiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached\r\nstorage devices in ongoing brute-force attacks that lead to ransomware infections.\r\nAccording to Synology's PSIRT (Product Security Incident Response Team), Synology NAS devices compromised in these\r\nattacks are later used in further attempts to breach more Linux systems.\r\n\"These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if\r\nsuccessful, will access the system to install its malicious payload, which may include ransomware,\" Synology said in a\r\nsecurity advisory.\r\nhttps://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/\r\nPage 1 of 4\r\n\"Devices infected may carry out additional attacks on other Linux based devices, including Synology NAS.\"\r\nThe company is coordinating with multiple CERT organizations worldwide to take down the botnet's infrastructure by\r\nshutting down all detected command-and-control (C2) servers.\r\nSynology is working on notifying all potentially impacted customers of these ongoing attacks targeting their NAS devices.\r\nHow to defend against these attacks\r\nThe NAS maker urges all system admins and customers to change weak administrative credentials on their systems, to\r\nenable account protection and auto block, and to set up multi-factor authentication where possible.\r\nSynology rarely issues security advisories warning of active attacks against its customers. 
The last alert regarding\r\nransomware infections following successful large-scale brute-force attacks was published in July 2019.\r\nThe company advised users to go through the following checklist to defend their NAS devices against attacks:\r\nUse a complex and strong password, and apply password strength rules to all users.\r\nCreate a new account in the administrator group and disable the system default \"admin\" account.\r\nEnable Auto Block in Control Panel to block IP addresses with too many failed login attempts.\r\nRun Security Advisor to make sure there is no weak password in the system.\r\n\"To ensure the security of your Synology NAS, we strongly recommend you enable Firewall in Control Panel and only\r\nallow public ports for services when necessary, and enable 2-step verification to prevent unauthorized login attempts,\" the\r\ncompany added.\r\n\"You may also want to enable Snapshot to keep your NAS immune to encryption-based ransomware.\"\r\nSnapshots only provide that protection if the compromised account cannot delete them, which is one more reason to keep the administrator credentials strong and the default account disabled.\r\nSynology provides more information on defending your NAS device against ransomware infections here.\r\nBrute-force malware targeting Windows and Linux machines\r\nWhile Synology did not share more information regarding the malware used in this campaign, the shared details line up\r\nwith a Golang-based brute forcer discovered by Malwarebytes at the end of February 2019 and dubbed StealthWorker.\r\nTwo years ago, StealthWorker was used to compromise e-commerce websites by exploiting Magento, phpMyAdmin, and\r\ncPanel vulnerabilities to deploy skimmers designed to exfiltrate payment and personal information.\r\nHowever, as Malwarebytes noted at the time, the malware also has brute-force capabilities that enable it to log into Internet-exposed devices using passwords generated on the spot or from lists of previously compromised credentials.\r\nStarting in March 2019, StealthWorker operators switched to a brute-force-only approach, scanning the Internet for\r\nvulnerable hosts with weak or default 
credentials.\r\nOnce deployed on a compromised machine, the malware creates scheduled tasks on both Windows and Linux to gain\r\npersistence and, as Synology warned, deploys second-stage malware payloads, including ransomware.\r\nWhile the NAS maker didn't issue a security advisory, customers reported in January that they had their devices infected\r\nwith Dovecat Bitcoin cryptojacking malware [1, 2] starting in November 2020, in a campaign that also targeted QNAP\r\nNAS devices.\r\nUpdate August 10: A Synology spokesperson sent BleepingComputer the following statement:\r\nWe originally became aware of this attack at the end of July. Over the 2-3 weeks since then we've received under\r\n50 reports from our customers. Considering the number of Synology devices out there (over 8 million active\r\ndeployments) we feel the number of devices exposed to this attack is very low. Our team has also noticed a\r\nslowdown in these attacks over the last few days.\r\nAt this point, we're still actively investigating this malware attack and the scripts used. Currently, we believe the\r\nbotnet engages in brute-forcing the \"admin\" account using common password combinations. At this time we have\r\nnot seen the malware try to target any other user accounts.\r\nAs mentioned previously, our customers first reported this attack at the end of July. We've since sent a notice to\r\naffected customers and sent an additional notice to all Synology users advising them of our best practices and tips\r\non how to secure their NAS.\r\nSource: https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/"
	],
	"report_names": [
		"synology-warns-of-malware-infecting-nas-devices-with-ransomware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434356,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b3e393bec8d48f79bd7d3f567001d9e8070d924.pdf",
		"text": "https://archive.orkl.eu/8b3e393bec8d48f79bd7d3f567001d9e8070d924.txt",
		"img": "https://archive.orkl.eu/8b3e393bec8d48f79bd7d3f567001d9e8070d924.jpg"
	}
}