Your Fancy New Printer Just Joined a Botnet: How Procolored Shipped Malware for Six Months

Your shiny new £6,000 professional UV printer just downloaded a Bitcoin stealer onto your network. For six bloody months, Chinese manufacturer Procolored was shipping malware-infected drivers to customers worldwide, turning legitimate business equipment into criminal infrastructure. The kicker? When caught red-handed, they claimed it was all just "false positives."

This isn't some elaborate state-sponsored supply chain attack. This is worse: it's a company so incompetent at basic cybersecurity that they accidentally became a malware distribution network, and nearly a million dollars in Bitcoin went missing in the process.

When Your Printer Becomes a Crime Scene

Cameron Coward knows his way around tech. The YouTuber behind Serial Hobbyism has been reviewing maker equipment for years, so when Procolored sent him their V11 Pro UV printer for review, he expected the usual workflow: unbox, install software, test, review.

Instead, Windows Defender started screaming.

The moment Coward plugged in the supplied USB drive, Windows Defender flagged Floxif, a well-known file infector. This isn't a simple info-stealer: it implants itself into executable files on the machine, so every infected program becomes a carrier, and it can ride removable media onto the next machine.

But here's where it gets properly mental: Coward contacted Procolored support, and they told him to ignore the warnings. "False positive," they said. "Your antivirus is wrong."

Four separate support requests. Every single time, Procolored agents asked to remotely connect to his computer to "help" with the software installation. Think about that for a moment. A company shipping malware-infected drivers was asking for remote access to customer systems.

The Rabbit Hole Gets Deeper

Unsatisfied with Procolored's dismissive response, Coward turned to Reddit for expert analysis. That's when Karsten Hahn, Principal Malware Researcher at G Data CyberDefense, stepped in to investigate.

What Hahn found was a cybersecurity horror show that would make your worst MSP look competent:

  • 39 infected files across six different printer models

  • Two distinct malware families: XRedRAT backdoor and SnipVex Bitcoin stealer

  • Six months of distribution through official channels

  • Nearly $1 million in stolen Bitcoin traced to attacker wallets

The malware wasn't sophisticated. SnipVex's clipboard hijacking amounts to a few lines of .NET: watch the clipboard, and whenever it holds something shaped like a Bitcoin address, swap it for the attacker's. But simplicity doesn't matter when it's distributed through "legitimate" vendor channels.
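As an added example (this is not SnipVex's code, nor anything from G Data's analysis), the following Python shows the clipboard-swap technique in miniature and the canary check a practitioner can use to catch it: copy a known-good address, read the clipboard back, and alarm if it changed. The address regex, the made-up attacker address and the simulated clipboard are all constructed for the demonstration; the Base58Check validation is there because a bare regex alone produces false positives, and a hijacker that swaps non-addresses would give itself away.

```python
"""
Constructed demonstration of a clipboard address-swap (attacker side, simulated)
and the canary check that detects it (defender side). Not SnipVex's code.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate legacy (P2PKH/P2SH) addresses: '1' or '3' followed by 25-34 Base58 chars.
# Assumed pattern for the demo; real hijackers also match bech32 and other coins.
LEGACY_ADDR_RE = re.compile(
    r"(?<![A-Za-z0-9])[13][A-HJ-NP-Za-km-z1-9]{25,34}(?![A-Za-z0-9])"
)


def _double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload: bytes) -> str:
    """version byte + hash160 -> Base58Check string (used here only to build a test address)."""
    raw = payload + _double_sha256(payload)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # each leading zero byte becomes a '1'
    return "1" * pad + out


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing 4-byte double-SHA256 checksum matches."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    return _double_sha256(raw[:21])[:4] == raw[21:]


def find_addresses(text: str) -> list:
    """Checksum-verified legacy addresses found in text."""
    return [m.group(0) for m in LEGACY_ADDR_RE.finditer(text)
            if base58check_valid(m.group(0))]


def hijack_clipboard(clip: str, attacker_addr: str) -> str:
    """Attacker side (simulated): replace every valid address on the clipboard."""
    for addr in find_addresses(clip):
        clip = clip.replace(addr, attacker_addr)
    return clip


def canary_check(read_back_clipboard, canary_addr: str) -> bool:
    """
    Defender side: place a known-good address on the clipboard, read it back, and
    report True if something rewrote it. read_back_clipboard is a callable so the
    check runs offline here; on a real Windows host wire it to the system clipboard.
    """
    return read_back_clipboard(canary_addr) != canary_addr


# Constructed sample data.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # real, checksum-valid P2PKH address
# Attacker address built from a made-up hash160: checksum-valid, controlled by nobody.
ATTACKER_ADDR = base58check_encode(b"\x00" + bytes.fromhex("deadbeef" * 5))

if __name__ == "__main__":
    clip = f"pay 0.5 BTC to {GENESIS_ADDR} today"
    print(hijack_clipboard(clip, ATTACKER_ADDR))
    infected_host = lambda s: hijack_clipboard(s, ATTACKER_ADDR)
    clean_host = lambda s: s
    print("hijacker present (infected):", canary_check(infected_host, GENESIS_ADDR))
    print("hijacker present (clean):", canary_check(clean_host, GENESIS_ADDR))
```

The canary check is the cheap field test: on a suspect machine, copy an address you control, paste it somewhere, and compare. If the pasted value differs, something between the copy and the paste rewrote it, whatever the vendor says about false positives.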

Supply Chain Security Theatre at Its Finest

Here's what really happened, according to Procolored's eventual admission: they used infected USB drives to transfer software between systems before uploading to their Mega.nz distribution platform. No antivirus scanning. No integrity checking. No security processes whatsoever.

For a company selling equipment to professional workshops and small businesses—customers who trusted them implicitly—this represents a catastrophic failure of basic due diligence. These aren't teenagers downloading cracked software; these are legitimate businesses buying expensive professional equipment.

The infected software was hosted on Mega.nz, linked directly from Procolored's official support pages. Customers downloading "legitimate" drivers were getting:

  • XRedRAT: A Delphi-based backdoor capable of keylogging, screenshots, file manipulation, and remote shell access

  • SnipVex: A clipboard hijacker that swapped Bitcoin addresses for the attacker's, and a file infector that also wrote itself into .exe files on the machine, so every infected executable became another carrier

  • Complete system compromise disguised as printer drivers

The Cover-Up Unravels

Even when confronted with irrefutable evidence, Procolored initially doubled down on denial. They claimed the malware alerts were caused by their Chinese software being "misinterpreted" by international operating systems.

Only after G Data brought its analysis of the 39 compromised files to Procolored did the company pull the infected downloads, on May 8, 2025. By then the damage was done: the Bitcoin address hard-coded into SnipVex had received 9.3 BTC, worth roughly $950,000 at the exchange rate when the findings were published.

The Real Cost of Trust

This isn't just about one dodgy printer company. This is about the fundamental assumption that "legitimate" hardware vendors can be trusted. Every day, small businesses across the UK are installing driver software from USB sticks without question, creating exceptions in their antivirus software because "it's from the manufacturer."

Procolored's customers did exactly what they were supposed to do: they bought professional equipment from an established vendor. Many probably dismissed antivirus warnings, assuming the software was safe because it came from the company.

How many other hardware manufacturers are shipping infected software right now? How many SMBs have compromised networks because they trusted a USB stick that came in an official box?

What This Means for Your Business

If you're running a small business and this story doesn't terrify you, you're not paying attention. Every piece of equipment you buy, every driver you install, every "official" software package could be a Trojan horse.

Immediate actions:

  • Scan every system that's had Procolored software installed since October 2024

  • Check antivirus exclusions for any printer-related software

  • Question everything your hardware vendors tell you about "false positives"

  • Detonate every piece of vendor-supplied software in an isolated VM or air-gapped test machine before it touches a production system

Long-term strategy:

  • Never trust vendor USB drives without independent verification

  • Download drivers only from the vendor's own site, treat a support page that hands you off to a file-sharing service like Mega.nz as a warning sign, and check the file's code signature before installing

  • Maintain offline backups that can't be infected by file-corrupting malware

  • Treat all vendor-supplied software as potentially hostile until proven otherwise

The Bigger Picture

Procolored's response to this crisis tells you everything you need to know about vendor accountability. Even after being caught distributing malware for six months, their official statement to BleepingComputer still claimed their software was "completely safe" and had "no connection whatsoever to any cryptocurrency-related incidents."

This is what vendor gaslighting looks like in 2025: deny until the evidence is overwhelming, then claim it was an accident while simultaneously asserting everything is fine.

Meanwhile, G Data's Karsten Hahn recommended that infected customers should "reformat all drives and reinstall the operating system" due to the file-corrupting nature of the malware. That's not a minor inconvenience—that's a complete business disruption.

Your Hardware Vendor Probably Isn't Your Friend

The Procolored incident exposes the dangerous myth that hardware manufacturers have any meaningful investment in your cybersecurity. They're selling you boxes and plastic, not security guarantees.

When Coward's antivirus flagged their software, Procolored's instinct wasn't to investigate—it was to dismiss and deflect. When researchers provided detailed technical evidence, their response was denial. Only when the story hit international headlines did they finally acknowledge the problem.

This is your wake-up call: stop treating hardware vendors like trusted partners. They're suppliers, nothing more. Every USB stick, every download link, every "official" software package should be treated with the same suspicion you'd apply to random email attachments.

Because in the supply chain security landscape of 2025, there's no meaningful difference between the two.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com