Do Son 
For at least six months, official software for Procolored printers had been silently distributing malware — including a remote access trojan and a cryptocurrency clipper. Installing drivers from official sources could have led to a complete system compromise and the theft of funds from users’ crypto wallets.
Procolored, a company specializing in direct-to-film (DTF), UV DTF, DTG, and UV printing solutions, was founded in 2018 and swiftly entered the international market, delivering its products to over 31 countries. The brand’s printers have gained popularity among workshop owners and small businesses for their affordability and print quality. However, starting in October 2024, users may have unknowingly fallen victim to malware infections by installing software directly from the manufacturer’s website or from USB drives bundled with the devices.
The issue was first brought to light by YouTube blogger Cameron Coward. While installing drivers for his new $7,000 Procolored printer, his antivirus flagged Floxif — a notorious USB worm. According to Coward, even attempting to manually extract the files from the USB drive or re-download them from the official site triggered instant quarantine by his security software. When he reached out to Procolored support, he was told the detections were false positives.
Unsatisfied with the explanation, Coward sought assistance from the Reddit community, where a cybersecurity analyst from G Data responded. The subsequent analysis revealed that multiple printer models were compromised — not just isolated cases. Affected devices included the F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro. Software for these models had been distributed via Mega.nz, with download links provided on Procolored’s official support page.
In total, 39 malicious files were identified. Analysts discovered two distinct strains of malware. The first was XRedRAT, a remote access trojan previously documented by eSentire. Capable of keylogging, screen capture, file manipulation, and remote system access, it matched known samples through identical C2 (command-and-control) server addresses embedded in its configuration.
The second threat was a newly discovered, undocumented clipper dubbed SnipVex. This malware infects executable (.EXE) files and covertly replaces copied Bitcoin wallet addresses in the clipboard. Any BTC address copied by the user — for example, for a transaction — is silently substituted with the attacker’s wallet address. According to G Data’s analysis, the wallet used by SnipVex had already received 9,308 BTC — nearly a million dollars at current market value. The clipper appears to have been introduced unintentionally, likely as a result of infected developer machines or a compromised automated build system.
The malicious files were removed from Procolored’s website on May 8, 2025, following a formal request from G Data. Initially, the company denied the presence of any malware, but later acknowledged that infections could have occurred via USB devices contaminated with Floxif. An internal investigation has been launched, and Procolored has pledged to conduct a comprehensive audit of all software packages. In an official statement to G Data, the company confirmed it had temporarily disabled all downloads from its site and would only reupload files that passed enhanced antivirus screening.
Following their analysis, G Data verified that the updated versions of the software were free from malicious code. Procolored customers are strongly advised to immediately delete any older driver versions and replace them with the sanitized releases. A thorough system scan using up-to-date antivirus tools is also recommended. In cases involving SnipVex infections, a deeper system cleanse may be required, as the virus embeds itself within other files and can remain silently active even after standard removal procedures.
Donate