For at least half a year, the official software supplied with Procolored printers included malware in the form of a remote access trojan and a cryptocurrency stealer.
Procolored is a digital printing solutions provider making Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers. It is particularly known for affordable and efficient fabric printing solutions.
The Shenzhen-based company has grown quickly since it started in 2018, and is now selling its products in over 31 countries, with a significant operational presence in the United States.
Cameron Coward, a YouTuber known as Serial Hobbyism, discovered the malware when his security solution warned of the presence of the Floxif USB worm on his computer when installing the companion software and drivers for a $7,000 Procolored UV printer.
According to an analysis conducted by researchers at cybersecurity company G Data, Procolored’s official software packages delivered the malware for at least six months.
Discovering RATs and coin stealers
After getting the threat alerts on his machine, Coward contacted Procolored, who denied shipping malware in their software, pointing to the security solution generating false positives.
"If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them," the YouTuber said.
Perplexed by the situation, the YouTuber turned to Reddit for help with malware analysis before he could confidently make allegations in his review of the Procolored V11 Pro product.
G Data researcher Karsten Hahn offered to investigate, finding that the accompanying software for at least six printer models (F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro), hosted on the Mega file sharing platform, contained malware.
Procolored uses the Mega service to host the software resources for its printers, and offers a direct link to them from the support section of the official website.

The analyst found 39 files infected with:
- XRedRAT – Known malware previously analyzed by eSentire. Its capabilities include keylogging, screenshot capturing, remote shell access, and file manipulation. Hardcoded C2 URLs matched older samples.
- SnipVex – A previously undocumented clipper malware that infects .EXE files, attaches to them, and replaces clipboard BTC addresses. Detected in multiple download files. Likely infected Procolored developer systems or build machines.
Since the files were last updated in October 2024, it can be assumed that the malware was shipped with Procolored software for at least six months.

Hahn says the address SnipVex uses to offload stolen cryptocurrency has received about 9.308 BTC, which is worth nearly $1 million at today's exchange rate.
Despite Procolored’s initial denial, the software packages were taken down on May 8 and an internal investigation was launched.
When G Data asked the printer vendor for an explanation, Procolored admitted that they had uploaded the files to Mega.nz using a USB drive that could have been infected by Floxif.
“As a precaution, all software has been temporarily removed from the Procolored official website,” explained Procolored to G Data.
“We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded.”
G Data received the clean software packages and confirmed they’re safe to use.
Procolored customers are recommended to replace the old software with the new versions and to perform a system scan to remove XRedRAT and SnipVex.
Given that SnipVex performs binary alterations, a deeper cleaning of the system is recommended to ensure all files are clean.
BleepingComputer has contacted Procolored for a comment on the situation and whether they informed their customers of the risk, but we have yet to receive a response.
Update 5/22 - Procolored sent BleepingComputer the below comment:
"Procolored confirms that its software is completely safe, clean, and has no connection whatsoever to any cryptocurrency-related incidents. All software packages have been thoroughly scanned and verified by third-party tools including VirusTotal and G Data, with no threats detected. Users can purchase and use Procolored products with complete confidence, as there is no risk of Bitcoin or other cryptocurrency theft linked to their software."
"To further reassure customers, Procolored has provided third-party certifications and conducted strict technical checks to prove its software is secure."
"In particular, the hash values of the key “PrintExp.exe” file were verified and confirmed to match the official values published on Procolored’s website, proving the file is authentic, untampered, and free of any viruses or malware."
"The company remains fully committed to customer care — no matter the issue, whether software or hardware, Procolored promises to resolve it to customer satisfaction, supported by their dedicated after-sales team and U.S.-based service resources."
Comments
Elastoer - 2 weeks ago
Why am I not surprised by this?