
This printer company served you malware for months and dismissed it as false positives

Skull and bones image on Procolored printer

If you own a Procolored inkjet printer, particularly one of the UV models, you might want to check your system for malware, especially if you downloaded the companion software within the past six months, since Procolored was recently found to be distributing malicious software.

The first alarm came from Cameron Coward, the creator behind the YouTube channel "Serial Hobbyism." Known for his DIY electronics and tech reviews, Coward was in the middle of reviewing a $6,000 Procolored UV printer and attempting to install its companion software from the included USB drive when his antivirus flagged malware. The threats identified were a USB-spreading worm and a Floxif file infector. When Coward reported the issue to Procolored, the company initially dismissed it as a case of false positives.

Still unconvinced by Procolored's assurances, Coward turned to Reddit in search of expert insight. That post caught the attention of cybersecurity firm G Data, which decided to investigate further. One of their analysts examined Procolored's publicly available software downloads, which are hosted on mega.nz and had mostly been last updated around October 2023.

VF 11 Pro mega.nz download | Image via G Data

The investigation confirmed the presence of malware not just on Coward's USB drive but also within official downloads for several printer models. G Data identified two main threats: Win32.Backdoor.XRedRAT.A, a Delphi-based backdoor, and MSIL.Trojan-Stealer.CoinStealer.H, a cryptocurrency stealer written in .NET. Although Floxif didn't appear in the website downloads G Data reviewed, its presence on Coward's USB points to the possibility of a more compromised environment at some earlier stage.

According to G Data, citing an earlier analysis by eSentire, the XRedRAT backdoor is an older strain of malware, and its command and control server URLs were reportedly already offline when eSentire documented them in February 2024. This particular instance also seemed to have been inactive since at least that time. The coin stealer, named "SnipVex" by G Data, is a particularly troublesome threat. It operates as a clipbanker, swapping copied cryptocurrency addresses with one controlled by the attacker, and also functions as a file infector by attaching itself to executable files. Here's the code responsible for replacing Bitcoin addresses in the clipboard with the attacker's:

Payload of SnipVex consists only of eight lines | Image via G Data
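As an added illustration (not code from G Data, Procolored or the article), here is a defender-side heuristic for spotting the clipboard swap described above: a clipbanker overwrites a just-copied Bitcoin address with a different one almost instantly, so two distinct address-shaped values appearing in the clipboard within a fraction of a second is a strong signal. The address patterns are syntactic only (no checksum), the snapshots are assumed to come from a hypothetical clipboard polling loop, and the sample addresses are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Syntactic recogniser for common Bitcoin address forms: legacy P2PKH/P2SH
# ("1..." / "3...", base58) and bech32 ("bc1..."). No checksum is verified;
# the goal is only to notice that something address-shaped was copied.
BTC_ADDRESS = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"
)


def is_btc_address(text: str) -> bool:
    return bool(BTC_ADDRESS.match(text.strip()))


def detect_swaps(snapshots: List[Tuple[float, str]],
                 window: float = 1.0) -> List[Dict[str, object]]:
    """Scan (timestamp_seconds, clipboard_text) snapshots from a polling loop
    and flag every transition from one Bitcoin address to a *different*
    Bitcoin address within `window` seconds. A person rarely copies two
    distinct addresses that quickly; a clipbanker overwrites the clipboard
    right after the victim's copy, which is exactly this pattern."""
    alerts: List[Dict[str, object]] = []
    prev_t, prev_text = None, None
    for t, text in snapshots:
        if (prev_text is not None and text != prev_text
                and is_btc_address(prev_text) and is_btc_address(text)
                and t - prev_t <= window):
            alerts.append({"at": t, "copied": prev_text.strip(),
                           "replaced_with": text.strip()})
        prev_t, prev_text = t, text
    return alerts


# Constructed sample (placeholder addresses, not real ones): the user copies
# an address at t=10.0 and the clipboard silently changes 0.2 s later.
# The URL and the second address copied 35 s later are benign.
VICTIM_ADDR = "1VictimCopiedAddressabcdefghjkmnpq"
SWAPPED_ADDR = "bc1qattackerswapaddressxxxxxxxxxxxxxxxx"
SAMPLE_SNAPSHOTS = [
    (10.0, VICTIM_ADDR),
    (10.2, SWAPPED_ADDR),
    (10.4, SWAPPED_ADDR),
    (25.0, "https://example.com/invoice"),
    (60.0, "3LaterUserCopiedAddressabcdefghjkmn"),
]


def run_sample() -> List[Dict[str, object]]:
    return detect_swaps(SAMPLE_SNAPSHOTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['at']:.1f}s] swap: {a['copied']} -> {a['replaced_with']}")
```

In a real deployment the snapshot list would be fed by a short-interval clipboard poll, and an alert would prompt the user to re-check the destination address before sending.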

G Data's research showed that the Bitcoin address linked to SnipVex had received about 9.3 BTC, roughly $100,000, before activity stopped on March 3, 2024. The widespread infection found across Procolored's downloadable files means it's plausible that the malware spread through a developer's workstation or the company's build servers.

After G Data presented its detailed findings, Procolored offered a more substantial response than its initial denial to Coward. The company stated:

The software hosted on our website was initially transferred via USB drives. It is possible that a virus was introduced during this process. Additionally, as the PrintEXP software is in Chinese by default, some international operating systems may incorrectly flag or misinterpret it as malicious, especially if the system does not handle non-English programs well.

Procolored also mentioned that it had temporarily removed all software from its website around May 8th, 2024, for comprehensive scanning and that new, clean software packages were being provided, a claim G Data confirmed by checking the new files.

For customers who might have been affected, G Data recommends checking for any antivirus exclusions made for the printer software, as official vendor software is often trusted implicitly. Because file infectors like Floxif and SnipVex can extensively damage system files, the cybersecurity firm advises that the safest course of action is often a full reformat of all drives and a fresh operating system installation.

Although the XRedRAT backdoor was likely rendered ineffective by its offline command and control server, SnipVex remained a serious concern thanks to its ability to infect files, even though it had stopped siphoning Bitcoin. G Data found no evidence that Procolored had intentionally distributed the malware, and the company has since pledged to improve its internal processes. If you're curious, Coward's review of the Procolored UV printer is available on Hackster.io.
