I think if your QNap unit isn't reachable from the internet, i.e. you don't have inbound ports open on your router then I cant see how the malware could reach it unless it is infected through its contact with the cloud backup or from a machine on the LAN side - so I thought the advice in that forum to scan for any open inbound ports and then disable UPnP if it is found seemed pretty sound. It looks like the actual route of infection isn't understood yet so it's either going to come through an open inbound port or by inadvertently downloading something onto the local network which then gets into the NAS, so just the Qnap best practice recommendations on updating and locking down the Qnap are also worth doing as well as ensuring that there are no inbound ports that can get to the Qnap.