QSnatch malware targets QNAP NAS devices

QSnatch malware targets QNAP NAS devices

Cyber criminals are using QSnatch malware to target vulnerable QNAP Network Attached Storage (NAS) devices.

In a joint alert, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre (NCSC) said they are investigating a strain of malware dubbed QSnatch since late 2019.

According to the joint alert, CISA and NCSC said actors are using QSnatch to target vulnerable Network Attached Storage (NAS) devices manufactured by the firm QNAP:

“All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.”


Although the most recent campaign that ended in 2019 is not currently active, CISA and NCSC said the threat still exists for unpatched QNAP devices.

As recently as mid-June this year, analysis revealed nearly 62,000 infected devices worldwide. Of those, approximately 7,600 were hosted in the United States and 3,900 were in the United Kingdom.

Just this past May, security researchers warned that nearly 450,000 vulnerable QNAS NAS devices were exposed to the internet. At that time, four vulnerabilities were discovered in QNAP PhotoStation and CGI programs.

Malware functionality

The advisory points out these primary QSnatch malware functions:

  • CGI password logger (logging successful authentications).
  • Credential scraper.
  • SSH backdoor (used to execute arbitrary code on impacted device).
  • Steal sensitive configuration and log files.
  • Webshell functionality for remote access.

Related Articles