Procolored, a Chinese printer maker, unintentionally disseminated advanced Windows malware through its official printer driver downloads, affecting models such as the F8, F13, V6, V11 Pro, and VF13 Pro.
The incident gained attention after technology YouTuber Cameron Coward, of Serial Hobbyism, detected suspicious activity while attempting to install the company’s $6,000 UV printer driver.
Instead of functioning normally, the install media triggered antivirus alerts for a USB worm and the Floxif file infector, raising alarms regarding the integrity of the software supply chain.
Technical Breakdown
Initial assurances from Procolored dismissed the flagged files as false positives.
However, when further expert analysis was sought, malware researchers discovered that official printer software hosted on mega.nz and linked directly from Procolored’s support website contained two distinct malware families: the XRed backdoor (Win32.Backdoor.XRedRAT.A) and a previously undocumented .NET-based clipbanker, dubbed SnipVex (MSIL.Trojan-Stealer.CoinStealer.H), designed to steal cryptocurrency.
The XRed backdoor, previously analyzed by security firm eSentire in 2024, is a Delphi-compiled remote access Trojan (RAT) with functionality for keylogging, command execution, file theft, remote shell access, and screenshot capture.
The malware samples reviewed showed command-and-control (C2) URLs hardcoded into their binaries, although these endpoints had been offline since early 2024, limiting active external control.
Analysis revealed that the malware not only executed its own code but also dropped a legitimate copy of the intended printer utility, likely to evade suspicion.
The SnipVex malware, a .NET clipbanker and virus, targets cryptocurrency transactions by monitoring the Windows clipboard for Bitcoin addresses and swapping them with those of the attacker.
This malware is also file-infecting: it prepends its code to benign executables, with unique infection markers to prevent redundant infections, and deliberately avoids Windows system and temporary folder targets.
Its widespread presence suggests it propagated internally on Procolored’s development systems, likely due to a lack of effective endpoint security controls during the release build process.
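The clipboard-swap behaviour described above can be caught on the defender's side by watching for the tell-tale pattern: a Bitcoin address lands on the clipboard and, a few milliseconds later, is replaced by a different, validly encoded address without any user action. The following is an added example, not code from the article or from any Procolored or researcher tooling. It feeds a constructed sequence of timestamped clipboard snapshots to a detector and validates legacy (1…/3…) addresses with a Base58Check decode; the timing threshold, the snapshot format and the sample addresses (the Bitcoin genesis address plus the wallet listed in the IoC table) are assumptions made for the demonstration.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legacy/P2SH (1..., 3...) and bech32 (bc1...) address shapes; good enough as a trigger.
BTC_ADDR_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# A clipbanker rewrites the clipboard almost instantly; a human copying a second
# address takes far longer. Threshold chosen for this example (assumption).
SWAP_WINDOW_SECONDS = 2.0


def base58check_valid(addr: str) -> bool:
    """True if a legacy/P2SH address decodes to 25 bytes with a correct 4-byte checksum.
    A clipbanker must plant a *valid* address or the stolen payment would fail, so a
    valid checksum on the replacement raises confidence that the swap is malicious."""
    num = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a leading zero byte
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


@dataclass
class SwapAlert:
    at: float                      # timestamp of the snapshot holding the replacement
    original: str                  # address the user copied
    replacement: str               # address that silently took its place
    replacement_checksum_ok: Optional[bool]  # None for bech32 (not Base58Check)


def detect_clipboard_swaps(snapshots: List[Tuple[float, str]],
                           window: float = SWAP_WINDOW_SECONDS) -> List[SwapAlert]:
    """Walk (timestamp, clipboard_text) snapshots in order and alert when one BTC address
    is replaced by a different one within `window` seconds."""
    alerts: List[SwapAlert] = []
    prev_addr, prev_t = None, 0.0
    for t, text in snapshots:
        m = BTC_ADDR_RE.search(text)
        cur = m.group(0) if m else None
        if prev_addr and cur and cur != prev_addr and (t - prev_t) <= window:
            ok = base58check_valid(cur) if cur[0] in "13" else None
            alerts.append(SwapAlert(t, prev_addr, cur, ok))
        prev_addr, prev_t = cur, t
    return alerts


# Constructed clipboard history (not captured from a real infection).
SAMPLE_SNAPSHOTS = [
    (0.00, "invoice #1234"),
    (5.00, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # user copies the payee's address
    (5.05, "1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj"),  # 50 ms later: the IoC-table wallet
    (40.0, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),  # much later: a legitimate new copy
]

if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={a.at}: {a.original} -> {a.replacement} (checksum ok: {a.replacement_checksum_ok})")
```

On a live host the snapshot list would come from a clipboard polling loop; the time window is what separates a clipbanker (swap within milliseconds of the copy) from a user who legitimately copies two addresses in a row, which is why the third snapshot at t=40 raises nothing.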
Impact
Security scans identified at least 39 unique malware-infected files among Procolored’s driver archives, impacting multiple printer models.
The financial impact for victims is measurable: over $100,000 in Bitcoin was laundered through wallets linked to SnipVex, likely siphoned from hijacked cryptocurrency transactions.
While customer support initially attributed the malware to false positives or issues with non-English operating systems, Procolored ultimately pulled the infected driver packages from its website, citing an internal investigation.
The company committed to scanning all software before any future release and distributed clean versions directly to affected customers.
Forensics suggests that the infection vector was likely USB-based, further underscoring the risks of removable media in software development workflows.
Users who downloaded Procolored drivers between October 2024 and May 2025 are urged to run comprehensive malware scans and verify that no antivirus exclusions remain in place for any printer-related files.
Due to the destructive capabilities of file-infecting viruses like SnipVex, experts recommend a full operating system reinstall if infection is detected.
As the C2 servers for XRed are defunct, remote access risks are minimized, but residual damage from SnipVex and similar infector strains requires urgent remediation.
The incident highlights the ongoing threat posed by compromised software supply chains and the need for robust endpoint protection and release hygiene, especially for vendors distributing device drivers and firmware to end users.
Indicators of Compromise (IoCs)
Indicator Type | Value | Description |
---|---|---|
File Hash (SHA256) | 531d08606455898408672d88513b8a1ac284fdf1fe011019770801b7b46d5434 | XRed backdoor main sample (PrintExp.exe) |
File Hash (SHA256) | 39df537aaefb0aa31019d053a61fabf93ba5f8f3934ad0d543cde6db1e8b35d1 | SnipVex (clipbanker, file infector) |
Bitcoin Wallet | 1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj | SnipVex BTC receiver address |
Registry Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ScdBcd | SnipVex persistence |
Registry Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ClpBtcn | SnipVex persistence |
Malicious Paths | Dibifu_9\vshost32.exe, Dibifu_9\IconExtractor.dll, Zgokr00.exe | SnipVex-infected executables |
Malicious Download URLs | Multiple mega.nz folders (see above) | Infected driver distribution mirrors |
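The remediation advice above (scan downloaded driver packages, check for leftover persistence, confirm no antivirus exclusions cover printer files) can be turned into a single sweep driven by the indicator table. The script below is an added example, not tooling from the article, Procolored or the researchers. The hashes, file names, directory name and Run-key value names are copied from the IoC table; the Defender exclusions registry path, the decoy files it writes for its demo, and the choice to treat name matches as leads and hash matches as confirmations are the example's own assumptions. The registry checks only run on Windows; elsewhere they return empty lists so the file sweep still works.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Iterable, List, Set, Tuple

# Values taken from the IoC table on this page.
IOC_SHA256 = {
    "531d08606455898408672d88513b8a1ac284fdf1fe011019770801b7b46d5434",  # XRed (PrintExp.exe)
    "39df537aaefb0aa31019d053a61fabf93ba5f8f3934ad0d543cde6db1e8b35d1",  # SnipVex
}
IOC_FILENAMES = {"printexp.exe", "vshost32.exe", "iconextractor.dll", "zgokr00.exe"}
IOC_DIRNAME = "dibifu_9"
IOC_RUN_VALUES = {"ScdBcd", "ClpBtcn"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Where Defender stores path exclusions (assumed location for this example).
DEFENDER_EXCL_KEY = r"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_paths(roots: Iterable[Path], hashes: Set[str] = IOC_SHA256,
               names: Set[str] = IOC_FILENAMES) -> List[Tuple[str, List[str]]]:
    """Walk each root and return (path, reasons). A name or directory match is only a
    lead (vshost32.exe is also a legitimate Visual Studio file); a hash match confirms."""
    findings = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file():
                continue
            reasons = []
            if path.name.lower() in names:
                reasons.append("ioc-filename")
            if path.parent.name.lower() == IOC_DIRNAME:
                reasons.append("ioc-directory")
            try:
                if sha256_file(path) in hashes:
                    reasons.append("ioc-sha256")
            except OSError:
                continue
            if reasons:
                findings.append((str(path), reasons))
    return findings


def _enum_values(hive_name: str, subkey: str) -> List[Tuple[str, str]]:
    """Enumerate (name, data) under a registry key; [] off Windows or if unreadable."""
    try:
        import winreg
    except ImportError:
        return []
    out = []
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                out.append((name, str(data)))
                i += 1
    except OSError:
        pass
    return out


def check_run_keys() -> List[Tuple[str, str]]:
    """HKCU Run values whose names match the SnipVex persistence entries."""
    return [(n, d) for n, d in _enum_values("HKEY_CURRENT_USER", RUN_KEY) if n in IOC_RUN_VALUES]


def check_printer_exclusions() -> List[str]:
    """Defender path exclusions that mention printing or the vendor (leads to review)."""
    return [n for n, _ in _enum_values("HKEY_LOCAL_MACHINE", DEFENDER_EXCL_KEY)
            if any(w in n.lower() for w in ("print", "procolored"))]


def demo_scan() -> List[Tuple[str, List[str]]]:
    """Constructed demo: a throwaway tree with a decoy named like an IoC path. The decoy's
    own hash is added to the hash set so the hash-match branch is exercised as well."""
    base = Path(tempfile.mkdtemp(prefix="ioc_sweep_demo_"))
    (base / "Dibifu_9").mkdir()
    decoy = base / "Dibifu_9" / "vshost32.exe"
    decoy.write_bytes(b"constructed decoy, not malware\n")
    (base / "readme.txt").write_text("benign file\n")
    return scan_paths([base], hashes=IOC_SHA256 | {sha256_file(decoy)})


if __name__ == "__main__":
    for path, reasons in demo_scan():
        print(path, reasons)
    print("Run-key persistence:", check_run_keys())
    print("Printer-related Defender exclusions:", check_printer_exclusions())
```

Point `scan_paths` at the download folder and the printer software's install directory; a file that matches only by name deserves a look, a hash hit is a confirmed infected file, and any non-empty result from `check_run_keys` means the persistence entries are still present and the full-reinstall recommendation above applies.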