
Qsnatch snatching credentials in an ongoing Campaign


Nov 8, 2019, by Vidita V Koushik, 2 min read

QSnatch, the new malware in town, has already affected thousands of devices and shows no sign of calling it quits. The malware was first discovered in October 2019 by the National Cyber Security Center of Finland (NCSC-FI) after it received reports via the Autoreporter service indicating that infected QNAP NAS devices were communicating with specific command and control (C2) servers.

The malware was initially designated as CAPHAW, a family targeting Windows systems. However, an in-depth analysis of the C2 traffic showed that the malware was clearly aimed at infecting QNAP NAS devices. It is known to inject malicious code into the firmware, where it runs as part of the device's normal operations. Once the device is fully compromised, the malware uses a domain generation algorithm (DGA) to fetch further malicious code, which is then used to perform a range of operations on the device.

The various functionalities of the malware as pointed out by NCSC-FI are:

  • Operating system timed jobs and scripts are modified (cronjob, init scripts)
  • Firmware updates are prevented via overwriting update sources completely
  • QNAP MalwareRemover App is prevented from being run
  • All usernames and passwords related to the device are retrieved and sent to the C2 server
  • The malware has modular capacity to load new features from the C2 servers for further activities
  • Call-home activity to the C2 servers is set to run at set intervals

Affected Products

QNAP Network Attached Storage (NAS) devices.

Impact

The malware compromises a device and modifies operating system timed jobs and scripts, prevents installation of new firmware updates and steals usernames and passwords.

Solution

QNAP has released Malware Remover 3.5.4.0 and 4.5.4.0 with new rules to remove the QSnatch malware. QNAP has also detailed the steps to avoid attacks in its advisory. The report published by NCSC-FI includes the necessary steps to cleanse an infected device.

We strongly recommend that all system administrators follow the security guidelines provided by the vendor to avoid any instances of attack.
