FeiNiu NAS Devices Compromised by NetDragon Botnet Exploiting Unpatched Vulnerabilities
A significant cybersecurity threat has emerged targeting FeiNiu (fnOS) Network Attached Storage (NAS) devices. These systems have become the focal point of the NetDragon botnet, a sophisticated malware strain first identified in October 2024. Attackers are exploiting undisclosed vulnerabilities within the fnOS platform to implant malicious code, marking a shift from indiscriminate infections to targeted assaults on critical storage infrastructure.
Infection Mechanism
The intrusion begins with the exploitation of exposed services on FeiNiu NAS devices, allowing attackers to deploy an HTTP backdoor interface. Upon gaining access, they install a modular malware system comprising a loader and a Distributed Denial-of-Service (DDoS) attack component. This configuration enables remote execution of arbitrary commands and enlists the compromised devices into the botnet. Subsequently, these units are utilized to launch large-scale DDoS attacks against various targets.
Alarmingly, the malware has been observed deleting a critical private key file, `rsa_private_key.pem`, on the affected devices. This action poses a severe and potentially irreversible risk to data security, as the loss of this key can render encrypted data inaccessible.
Scope of the Attack
By the end of January 2026, analysts from Qi An Xin X Lab reported that approximately 1,500 FeiNiu NAS devices had been infected. The victims are geographically dispersed, with significant concentrations in China, the United States, and Singapore. The affected entities span multiple industries, including software services and public administration, highlighting the widespread impact of this campaign.
Persistence and Evasion Tactics
The NetDragon malware employs aggressive persistence and evasion strategies to maintain control over the compromised devices. It establishes a dual foothold by creating systemd services in the user space and kernel modules in the kernel space. This redundancy ensures that even if one component is identified and removed, the other can reinstate the malware upon system reboot.
To further entrench itself, the malware sabotages the device’s maintenance capabilities. It modifies the system’s `hosts` file to redirect the official update domain to `0.0.0.0`, effectively blocking the NAS from downloading security patches or performing system upgrades.
To remain undetected by administrators, NetDragon employs dynamic key packing to obfuscate its code, complicating analysis. It also deletes system logs and manipulates process lists to conceal its running tasks. During active attacks, it disrupts network monitoring tools to mask the surge in traffic, making detection and mitigation more challenging.
Mitigation and Recovery
Recovering from this infection requires meticulous manual intervention, because the malware has disabled the standard update path. Users should first remove any manipulated firewall rules from `nft` and `iptables` that the malware injected to block removal efforts. It is critical to locate and delete the malicious kernel module named `async_memcpys.ko` and the user-mode service `dockers.service`.
Additionally, administrators must restore the system’s update path by correcting the `hosts` file and should monitor for the backdoor port 57199 to prevent reinfection. Implementing robust security measures, such as regular firmware updates, network segmentation, and continuous monitoring, is essential to safeguard against such sophisticated threats.
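The following triage script checks a Linux NAS for the indicators named in this section (the `hosts` redirection, the `async_memcpys` kernel module, `dockers.service`, and a listener on TCP 57199). It is added here as an example and is not code from the article, from fnOS, or from Qi An Xin X Lab; the vendor's update domain is a placeholder passed in by the operator, and the firewall check is a heuristic of this example rather than a behaviour the article documents.

```shell
#!/bin/sh
# Added triage helper; not code from the article, from fnOS or from Qi An Xin X Lab.
# Each check reads captured command output on stdin, so it runs against the live
# box or against snapshots collected from a suspect NAS. Indicators come from the
# article: hosts entry for the update domain, async_memcpys.ko, dockers.service,
# TCP 57199. UPDATE_DOMAIN is a placeholder (the real vendor host is an assumption).
UPDATE_DOMAIN="${UPDATE_DOMAIN:-update.vendor.invalid}"

# hosts_redirected <domain>: stdin is /etc/hosts; true if <domain> is pinned to 0.0.0.0
hosts_redirected() {
    dom=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*0\.0\.0\.0[[:space:]]+([^#]*[[:space:]])?$dom([[:space:]]|$)"
}

# module_loaded: stdin is `lsmod`; true if the malicious kernel module is resident
module_loaded() { grep -Eq '^async_memcpys([[:space:]]|$)'; }

# service_present: stdin is `systemctl list-unit-files`; true if dockers.service exists
service_present() { grep -Eq '^dockers\.service[[:space:]]'; }

# backdoor_listening: stdin is `ss -ltn`; true if a TCP listener is bound to port 57199
backdoor_listening() {
    grep -Eq '^LISTEN[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[^[:space:]]+:57199([[:space:]]|$)'
}

# firewall_mentions_port: stdin is `nft list ruleset` or `iptables -S`; heuristic of
# this example (not from the article): any rule naming the backdoor port is suspect
firewall_mentions_port() { grep -Eq '(^|[^0-9])57199([^0-9]|$)'; }

# triage_live: run every check on this host; prints findings, returns 1 if any hit
triage_live() {
    hit=0
    hosts_redirected "$UPDATE_DOMAIN" </etc/hosts && { echo "hosts: $UPDATE_DOMAIN -> 0.0.0.0"; hit=1; }
    lsmod 2>/dev/null | module_loaded && { echo "kernel: async_memcpys module loaded"; hit=1; }
    systemctl list-unit-files 2>/dev/null | service_present && { echo "systemd: dockers.service present"; hit=1; }
    ss -ltn 2>/dev/null | backdoor_listening && { echo "net: TCP listener on 57199"; hit=1; }
    { nft list ruleset 2>/dev/null; iptables -S 2>/dev/null; } | firewall_mentions_port \
        && { echo "firewall: rule references port 57199"; hit=1; }
    [ "$hit" -eq 0 ] && echo "no NetDragon indicators found"
    return "$hit"
}

# Run the live triage only when executed under this name, not when sourced for testing.
if [ "${0##*/}" = "netdragon_triage.sh" ]; then triage_live; fi
```

Save it as `netdragon_triage.sh` and run it as root on the NAS; a non-zero exit means at least one indicator was found and the manual removal steps above apply.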