In a disturbing revelation that highlights the evolving nature of cyber threats, a YouTuber uncovered a significant security lapse: a printer manufacturer inadvertently distributed malware-laced software to its customers for at least six months. The drivers, hosted on the popular file-hosting site Mega.nz, were flagged for containing a remote access trojan and cryptocurrency-stealing malware. Despite initial pushback, the printer company in question, Procolored, has since taken down the infected drivers and offered clean ones to users.
Procolored specializes in producing fabric direct-to-film (DTF), UV DTF, EV, and direct-to-garment (DTG) printers. Printers from the Shenzhen-based company range from $1,900 to more than $12,000, so customers expect the best. Or at least, that's what they've been led to believe. It wasn't until YouTuber Cameron Coward (of Serial Hobbyism) set out to review one of Procolored's $7,000 V11 Pro UV printers that a serious problem came to light.
The saga began when Coward's antivirus software raised alarming alerts after he plugged in the USB drive that shipped with the printer's software. He reached out to the Chinese company about the issue, and Procolored initially suggested that his software was flagging false positives. Coward then turned to the computer virus subreddit for advice. The discussion ultimately got the attention (and investigative help) of Karsten Hahn, a G DATA researcher.
Hahn's analysis revealed that official software packages for at least six Procolored printer models, downloaded directly from the company's website (via Mega.nz links), were infected with two distinct malware strains: Win32.Backdoor.XRedRAT.A and MSIL.Trojan-Stealer.CoinStealer.H (dubbed "SnipVex"). The XRedRAT backdoor provided capabilities such as keylogging and remote access, while SnipVex, a file infector, silently replaced cryptocurrency wallet addresses in users' clipboards with the attackers' own, rerouting an estimated 9.3 BTC (nearly $1 million) to date.
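The clipboard-swapping behaviour described above is easy to test for on a host you suspect: write a known wallet address to the clipboard, read it straight back, and treat any difference as a substitution (a swap to a different but still valid address is the tell-tale sign of a clipper). The following is an added example and not code from the article, G DATA or Procolored. The clipboard backend is pluggable; `FakeClipboard`, the probe address (the publicly known Bitcoin genesis-block address) and the bech32-shaped "attacker" destination are constructed for the demonstration so it runs offline, and bech32 addresses are matched by shape only while legacy addresses get a full Base58Check checksum test.

```python
"""Clipboard-hijack ("clipper") check for the behaviour attributed to SnipVex.

Added example, not code from the article, G DATA or Procolored. The clipboard
backend is pluggable: `FakeClipboard` is a constructed stand-in so the check
runs offline; on a suspect host, pass real set/get functions (e.g. from a
clipboard library) to `probe_clipboard` instead.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Optional

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of legacy P2PKH/P2SH (Base58Check) and bech32 (segwit) mainnet addresses.
_LEGACY_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
_BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{11,87}$")


def base58check_valid(addr: str) -> bool:
    """True if `addr` is a legacy address whose 4-byte double-SHA256 checksum matches."""
    if not _LEGACY_RE.match(addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading 0x00 byte (the version byte for P2PKH).
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash160 + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def looks_like_btc_address(s: str) -> bool:
    """Legacy addresses are checksum-verified; bech32 is matched by shape only here."""
    return base58check_valid(s) or bool(_BECH32_RE.match(s))


@dataclass
class Finding:
    copied: str
    pasted: str
    pasted_is_valid_address: bool  # a swap to another *valid* address is the clipper signature


def probe_clipboard(set_clip: Callable[[str], None],
                    get_clip: Callable[[], str],
                    probe: str) -> Optional[Finding]:
    """Write a known string, read it straight back; any difference is a substitution."""
    set_clip(probe)
    seen = get_clip()
    if seen == probe:
        return None
    return Finding(probe, seen, looks_like_btc_address(seen))


class FakeClipboard:
    """Constructed stand-in for the OS clipboard. With `attacker` set it mimics a
    clipper: anything that looks like a BTC address is silently replaced."""
    def __init__(self, attacker: Optional[str] = None):
        self.attacker = attacker
        self._buf = ""

    def set(self, text: str) -> None:
        self._buf = self.attacker if (self.attacker and looks_like_btc_address(text)) else text

    def get(self) -> str:
        return self._buf


# Probe: the well-known Bitcoin genesis-block address (public, valid checksum).
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed attacker destination: bech32-shaped only, not a real checksummed address.
ATTACKER = "bc1qattackerwalletsampledata00000000000"


def run_check(clipboard: FakeClipboard) -> Optional[Finding]:
    """Probe with a legacy address and a plain string; report the first substitution seen."""
    for probe in (GENESIS, "plain text should round-trip unchanged"):
        finding = probe_clipboard(clipboard.set, clipboard.get, probe)
        if finding:
            return finding
    return None


if __name__ == "__main__":
    print("clean host:", run_check(FakeClipboard()))
    print("infected host:", run_check(FakeClipboard(attacker=ATTACKER)))
```

On a clean host the probe round-trips unchanged and `run_check` returns `None`; on the simulated infected host it reports the genesis address being replaced by the attacker string. A real clipper only fires on text that parses as an address, which is why the probe uses a genuine, checksum-valid address rather than random text.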
While XRedRAT's command-and-control servers had been offline since early 2024, limiting active remote exploitation, SnipVex's file-infecting and clipboard-hijacking behaviour continued to pose a significant threat. The most plausible explanation for the widespread infection, according to Hahn, is a lack of proper antivirus scanning on the systems Procolored used to compile and distribute its software, with infected USB drives used in that process as the likely vector.
Procolored has since removed all compromised software, pledged to conduct comprehensive malware scans, and committed to stringent security checks before re-uploading any files. It has also provided clean software packages and advised affected customers to reinstall their operating systems for a complete clean-up.
Nonetheless, this incident underscores the need for consumers and businesses alike to exercise caution when downloading software, even from official vendor websites, and to prioritize robust endpoint security: regular system scans, cautious handling of physical media, and treating a vendor's "false positive" reassurance as a claim to verify rather than accept.