Friday, June 13, 2025
Printer Company Distributed Malware-Infected Drivers for Six Months

by Charline

Procolored, a printer manufacturer based in Shenzhen, China, unknowingly distributed software infected with malware for about six months, ending in May 2025. The infected drivers affected six printer models: F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro.

The issue was uncovered when YouTuber Cameron Coward, known for his channel Serial Hobbyism, tried to review a $6,000 UV printer from Procolored. Upon installing the software from the USB drive included with the printer, his antivirus alerted him to infections. Initially thought to be false alarms, the warnings were later confirmed as real threats.

Security researchers from G DATA analyzed the software packages, which were available on Procolored’s website via mega.nz links. They found two types of malware embedded in the drivers: a backdoor called Win32.Backdoor.XRedRAT.A and a cryptocurrency-stealing virus known as MSIL.Trojan-Stealer.CoinStealer.H, or SnipVex.

In total, 39 infected files with 20 unique file hashes were identified across the affected software. The XRed backdoor is not a new threat: it was first documented in February 2024, and the Procolored samples use the same command-and-control servers as that earlier campaign, which have been offline since then. This limits the backdoor's ability to receive commands or exfiltrate data remotely.

However, the SnipVex virus remains a significant threat. It infects executable files by prepending itself to them, avoiding certain system and temporary folders to prevent repeated infections. SnipVex also monitors all logical drives for changes to “.exe” files to spread further and ensures persistence by adding entries to the Windows Registry, so it runs after system restarts.

SnipVex also targets cryptocurrency users by replacing wallet addresses copied to the clipboard with an attacker-controlled Bitcoin address. Blockchain analysis shows the attacker’s Bitcoin wallet received about 9.3 BTC, worth roughly $100,000, likely from hijacked transactions.
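The clipboard swap described above is the observable side of a clipper: the user copies one address and, moments later, the clipboard holds a different valid address. The following is an added example (not code from the article or from G DATA's analysis) of a defensive heuristic that validates legacy Base58Check Bitcoin addresses and flags a valid-to-different-valid swap that happens faster than a human could copy; the clipboard snapshots are a constructed sample, and the threshold `max_gap` is an assumption.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s: str) -> bytes:
    """Decode Base58; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("bad base58 character")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def is_valid_btc_address(addr: str) -> bool:
    """Base58Check validation of legacy P2PKH (0x00) / P2SH (0x05) addresses.
    Bech32 (bc1...) addresses are out of scope for this example."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]          # 4-byte double-SHA256 checksum

def detect_clipboard_swaps(snapshots, max_gap=0.5):
    """snapshots: list of (seconds, clipboard_text) polled from the clipboard.
    Flags a valid address replaced by a *different* valid address within
    max_gap seconds: too fast for a human copy, typical of clipper malware."""
    alerts = []
    prev_t, prev_text = None, None
    for t, text in snapshots:
        if (prev_text is not None and text != prev_text
                and is_valid_btc_address(prev_text) and is_valid_btc_address(text)
                and t - prev_t <= max_gap):
            alerts.append({"at": t, "copied": prev_text, "replaced_with": text})
        prev_t, prev_text = t, text
    return alerts

# Constructed sample: the user copies the well-known genesis-block address;
# 0.2 s later the clipboard silently holds another (valid) address.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
OTHER = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"   # example address from the Bitcoin wiki
SAMPLE = [(0.0, "hello"), (1.0, GENESIS), (1.2, OTHER), (9.0, OTHER), (30.0, GENESIS)]

if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLE):
        print(f"clipper-like swap at t={a['at']}s: {a['copied']} -> {a['replaced_with']}")
```

On a real host the snapshots would come from polling the clipboard; a swap alert is a trigger to inspect Run keys and recently modified executables, not proof of infection on its own.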

Procolored initially denied the presence of malware, suggesting antivirus programs might have flagged its software incorrectly. Later, the company removed all infected software from its website and started an internal investigation. It acknowledged that the malware might have been introduced during the transfer of software via USB drives.

Procolored has committed to thoroughly scanning all software files for malware before re-uploading them. They have also provided new, clean software packages to customers and promised to improve their security measures to prevent future incidents.

Experts recommend that users who installed the infected drivers scan their systems carefully and consider reinstalling their operating systems to remove any malware completely. Given the age of the malware, up-to-date antivirus solutions should detect it, but the file-infecting nature of SnipVex means infected files might require manual repair or reinstallation.

This incident highlights the risks of supply chain infections, where malware can enter trusted software through compromised development or distribution systems. It serves as a reminder for companies to enforce strict security protocols during software creation and delivery.
