Tuesday, May 13, 2025
HomeComputer SecurityCISA Warns that More than 62,000 QNAP NAS Devices Affected with QSnatch...

CISA Warns that More than 62,000 QNAP NAS Devices Affected with QSnatch Malware

Published on

SIEM as a Service

Follow Us on Google News

CISA and NCSC warn that more than 62,000 QNAP NAS devices infected with a malware strain known as QSnatch. All QNAP NAS devices are affected if the latest security fixes are not applied.

The campaign found to be active since late 2019, and they primarily target Network Attached Storage (NAS) devices manufactured by the firm QNAP.

QSnatch Malware Campaign

CISA and NCSC discovered that two campaigns of QSnatch malware activity;

  1. The first campaign began in early 2014 and continued until mid-2017
  2. The second campaign starts in late 2018 and was still active in late 2019.
- Advertisement - Google News

“This alert focuses on the second campaign as it is the most recent threat. It is important to note that infrastructure used by the malicious cyber actors in both campaigns is not currently active, but the threat remains to unpatched devices.,” CISA said.

The malware is highly sophisticated, and its infection vector has not been identified. It appears the malware directly gets inject to the device firmware during the infection stage and the malicious code runs within the device compromising it.

Following are the malware functionalities

  • CGI password logger
  • Credential scraper
  • SSH backdoor
  • Exfiltration
  • Webshell functionality for remote access

C2 communication established using a domain generation algorithm (DGA) that generates multiple domain names for use in C2 communications.

For maintaining persistence the malware prevents installing updates with the infected QNAP device by modifying the host’s file.

According to CISA analysis, “in mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 7,600 were in the United States and 3,900 were in the United Kingdom.”

CISA and NCSC recommend organizations running a vulnerable version must run a full factory reset on the device before completing the firmware upgrade to ensure the device is not left vulnerable. Also, CISA provides mitigations for organizations.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

Hackers Infect More than 500,000 Routers Worldwide with a Potentially Destructive VPNFilter Malware

New eCh0raix Ransomware Attacking Linux File Storage Servers

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Researchers Uncover Remote IT Job Fraud Scheme Involving North Korean Nationals

The United States indicted fourteen North Korean nationals for orchestrating a sophisticated scheme to...

Attackers Leverage Unpatched Output Messenger 0‑Day to Deliver Malicious Payloads

A Türkiye-affiliated espionage threat actor, tracked by Microsoft Threat Intelligence as Marbled Dust (also...

Cobalt Strike 4.11.1 Released With SSL Checkbox Fix

Cobalt Strike has announced the release of version 4.11.1, an out-of-band update addressing several...

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Researchers Uncover Remote IT Job Fraud Scheme Involving North Korean Nationals

The United States indicted fourteen North Korean nationals for orchestrating a sophisticated scheme to...

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...