Reading further along in the forum, the `walter` thing sounds like it's only present in test code and comments.
The actual backdoor looks like the `jisoosocoolhbsmgnt` session ID [1] that was removed in the update [2]. It looks like a hardcoded session ID used for tests [3]. Leaving something like that hardcoded and active in the production code is inexcusable.
https://forum.qnap.com/viewtopic.php?f=45&t=160849&start=450...