⚠️ Months of Silent Infection: Procolored's Malware-Laced Drivers

In a shocking revelation for the cybersecurity community, it has been discovered that Procolored, a popular printer manufacturer, unknowingly distributed malware-infected printer drivers for over six months. These malicious packages were bundled with software for multiple printer models and included Remote Access Trojans (RATs) and a cryptocurrency-stealing malware called SnipVex. 🐍

🏒 Who Is Procolored?

Founded in 2018 and headquartered in Shenzhen, China, Procolored specializes in Direct-to-Film (DTF), UV, and Direct-to-Garment (DTG) printers. The company has expanded globally, with active sales in over 31 countries, including a major footprint in the United States. 🇺🇸

Their reputation for cost-effective fabric printing made them a favorite among small businesses and print-on-demand services… until now. 😬

πŸ” The Discovery: Hobbyist Turns Detective πŸ”ŽπŸ§ 

The malware fiasco came to light when Serial Hobbyism, a YouTube tech creator, attempted to install drivers for his $7,000 Procolored UV printer. His security software immediately flagged the files as malicious, citing the Floxif USB worm, a red flag that couldn't be ignored. 🚨

When he reached out to Procolored, the initial response was dismissive, attributing the alerts to false positives. But the community wasn't buying it.

πŸ‘¨β€πŸ’» Deep Dive by Cyber Experts

In an in-depth analysis by Karsten Hahn, a researcher at G Data, several disturbing findings emerged:

🧫 Malware Infected Models:

  • F8
  • F13 / F13 Pro
  • V6
  • V11 Pro
  • VF13 Pro

The software was hosted on Mega.nz, directly linked from Procolored's official support page. Hahn identified 39 infected files, showing the presence of:

  • 🛡 XRedRAT: Capable of keylogging, screenshot capture, remote shell, and file manipulation.
  • 🪀 SnipVex: A new and previously undocumented clipper malware that attaches to .exe files and replaces copied BTC addresses with an attacker's wallet.

💰 The BTC wallet associated with SnipVex has received 9.308 BTC (~$1M): a testament to how stealthy and effective the malware has been.

🧼 Clean-Up and Damage Control

Following G Data's investigation and media exposure, Procolored removed the affected software from their site on May 8, 2025, and launched an internal investigation. 🧑‍💼🧹

The company later admitted that a compromised USB drive might have infected their development systems. They've since pledged to:

  • ✅ Scan and validate every software package.
  • ✅ Re-upload only after passing strict antivirus checks.
  • ✅ Offer new clean downloads to all customers.

G Data has since confirmed the new drivers are safe.

🔧 What You Should Do (If You're a Customer or Pentester) 👨‍💻

If you've used Procolored products recently, take immediate action:

  1. Uninstall old drivers/software from affected models.
  2. Run a full malware scan, focusing on RAT and clipper behavior.
  3. Check for signs of:
     • Keylogging or unauthorized remote access.
     • Changed clipboard BTC addresses.
  4. Replace with verified clean drivers from Procolored's updated links.

🧹 Due to SnipVex's binary infection behavior, a full system reinstallation may be needed for total safety.
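A quick way to test step 3's clipboard sign, and the clipboard-hijacking monitoring the takeaways below call for: write a canary BTC-looking address to the clipboard, wait, read it back, and see whether a resident clipper silently swapped it for a different address. This is an added example, not code from Procolored, G Data or the original post; the canary and "attacker" addresses are constructed (format-valid, checksum-invalid, nobody's wallet), and the stand-alone run assumes tkinter is available for real clipboard access.

```python
import re
import time

# Address shapes a clipper targets: legacy P2PKH (1...), P2SH (3...) and bech32 (bc1...).
# This is a plausibility check on format only; it does not validate the checksum.
BTC_ADDRESS_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$")

# Constructed canary: looks like a payment address to pattern-matching malware,
# but is not a real wallet (the base58 checksum is deliberately not valid).
CANARY_ADDRESS = "1CanaryCanaryCanaryCanaryCanaryXYZ"


def is_btc_address(text: str) -> bool:
    return bool(BTC_ADDRESS_RE.match(text.strip()))


def classify_clipboard_change(original: str, observed: str) -> str:
    """Describe what happened to a value between writing it and reading it back.
    'unchanged'   - clipboard still holds what we wrote
    'swapped'     - a different BTC address came back: clipper-like behaviour
    'overwritten' - something else replaced it (another app, a user copy)"""
    if observed == original:
        return "unchanged"
    if is_btc_address(original) and is_btc_address(observed):
        return "swapped"
    return "overwritten"


def canary_check(set_clip, get_clip, settle_seconds=1.0, rounds=3):
    """Plant the canary, give a clipper time to react, read back; repeat a few times.
    set_clip/get_clip are injected so the check works with any clipboard API."""
    findings = []
    for _ in range(rounds):
        set_clip(CANARY_ADDRESS)
        time.sleep(settle_seconds)  # clippers poll; give them a moment to act
        observed = get_clip()
        verdict = classify_clipboard_change(CANARY_ADDRESS, observed)
        findings.append((verdict, observed))
        if verdict == "swapped":
            break  # one swap is enough evidence; stop and report
    return findings


def clipper_suspected(findings) -> bool:
    return any(verdict == "swapped" for verdict, _ in findings)


if __name__ == "__main__":
    import tkinter  # standard-library clipboard access; assumed present on the host
    root = tkinter.Tk(); root.withdraw()
    def set_clip(s): root.clipboard_clear(); root.clipboard_append(s); root.update()
    results = canary_check(set_clip, root.clipboard_get)
    print("CLIPPER SUSPECTED" if clipper_suspected(results) else "clipboard intact", results)
```

A "swapped" verdict means something on the host rewrote a BTC-looking string in the clipboard, which is the SnipVex behavior described above; "overwritten" usually just means another application touched the clipboard during the wait.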

πŸ›‘οΈ WireTor Pentest recommends treating all USB-bundled drivers as potential threats and integrating printer and peripheral software into red team exercises and recon workflows.

πŸ” Penetration Testing Lessons & Supply Chain Risks

This incident is a textbook example of a supply chain attack: malicious code delivered through trusted software from a hardware vendor. 🎯

Key takeaways for pentesters and red teamers:

  • ✅ Always sandbox third-party device software before installing.
  • 🧪 Include printer drivers in supply chain threat modeling.
  • 📡 Monitor for clipboard hijacking and C2 communication patterns.
  • 🐛 Track previously undetected malware like SnipVex in malware repositories.

🤐 Lack of Transparency?

As of now, Procolored hasn't publicly notified affected customers or issued a formal statement acknowledging the breach in full. Silence at this stage could cause further reputational damage and erode trust, especially in Western markets.

🧠 Final Thoughts

The Procolored malware scandal underlines the increasing risk of hardware supply chain threats in 2025. It's no longer just about routers or IoT: even your printer could be a backdoor. 🖨️

Stay alert, scan everything, and never trust unsigned drivers, especially from external USBs.

✅ For expert penetration testing and malware assessment, contact WireTor at +1–332–267–8457.