
For at least six months, Procolored, a manufacturer of direct-to-film (DTF) printers, distributed malware-infected drivers through its official software downloads. The compromised drivers contained two distinct payloads: XRedRAT, a Delphi-based remote access trojan (RAT), and SnipVex, a .NET-based cryptocurrency stealer. The malware was discovered by YouTuber Cameron Coward and later analyzed by G DATA researcher Karsten Hahn [1]. Procolored removed the affected downloads after public exposure, attributing the issue to “USB-transfer contamination,” though evidence suggests a compromised developer system [2].
Malware Payloads and Infection Chain
The primary infection vector was PrintExp.exe, a legitimate Procolored driver component modified to deliver dual malware payloads. XRedRAT provided attackers with keylogging and remote shell capabilities, while SnipVex monitored clipboard data for cryptocurrency addresses, replacing them with attacker-controlled wallets. SecurityOnline reported that SnipVex stole approximately 9.3 BTC (~$100,000) during its active period [3].
G DATA’s analysis revealed that the malware altered system files and added antivirus exclusions, complicating detection. The infection exhibited characteristics of a file infector, with SnipVex modifying existing executables to propagate itself. This behavior increases the risk of system instability and data corruption, prompting G DATA to recommend full system reformatting for infected devices [1].
Supply Chain Compromise Indicators
The malware’s integration into signed drivers suggests a supply chain compromise rather than a simple third-party injection. Key findings supporting this include:
- Malware persistence mechanisms matching Procolored’s software update patterns
- Code signatures consistent with the company’s development environment
- Infection duration spanning multiple driver versions (May–November 2024)
User reports on T-Shirt Forums and TikTok described additional suspicious behavior, including credit card theft attempts and unexplained network connections [4]. These reports predated formal malware analysis by several months, indicating delayed vendor response.
Mitigation and Detection Strategies
For organizations using Procolored printers, the following steps are recommended:
| Action | Technical Implementation |
|---|---|
| System Isolation | Disconnect affected printers and workstations from networks |
| Forensic Analysis | Check for modified executables via SHA-256 hashing against known clean versions |
| Antivirus Review | Audit exclusion lists for Procolored-related paths |
Network defenders should monitor for:
“Outbound connections to 185.143.223[.]117 and 45.9.150[.]36 – known C2 servers for XRedRAT” [1]
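The two detection steps above (SHA-256 comparison of driver executables against known-clean hashes, and monitoring for outbound connections to the quoted C2 addresses) can be scripted. The following is an added example, not code from the article, G DATA or Procolored. The manifest hashes, file contents, directory layout and firewall log lines are constructed for illustration; the article does not publish the real PrintExp.exe hashes, so a real deployment would take its manifest from a vendor-supplied or independently verified clean installer.

```python
"""Added example (not from the original article or from Procolored/G DATA):
two defensive checks from the mitigation table.

1. verify_against_manifest(): hash every file in a driver directory with
   SHA-256 and compare against a manifest of known-clean hashes, flagging
   modified, missing or unexpected files (the file-infector behaviour
   described for SnipVex would surface as a MODIFIED executable).
2. find_c2_connections(): scan firewall/proxy log lines for outbound
   connections to the defanged C2 addresses quoted in the article.

All sample files, hashes and log lines below are constructed.
"""
import hashlib
import os
import re
import tempfile

# C2 indicators exactly as the article quotes them (defanged with "[.]").
XREDRAT_C2_DEFANGED = ["185.143.223[.]117", "45.9.150[.]36"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large driver binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_against_manifest(directory: str, manifest: dict) -> dict:
    """Compare every file under `directory` with `manifest` {relative_path: sha256}.

    Returns {relative_path: status} where status is "ok", "MODIFIED",
    "missing" (in manifest, not on disk) or "unexpected" (on disk, not in manifest).
    """
    results, seen = {}, set()
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory).replace(os.sep, "/")
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                results[rel] = "unexpected"
            elif sha256_file(full).lower() == expected.lower():
                results[rel] = "ok"
            else:
                results[rel] = "MODIFIED"
    for rel in manifest:
        if rel not in seen:
            results[rel] = "missing"
    return results


def find_c2_connections(log_lines, c2_indicators=XREDRAT_C2_DEFANGED) -> list:
    """Return log lines that reference one of the C2 addresses.

    The address is matched as a whole token, so 45.9.150.36 does not also
    match 245.9.150.36 or 45.9.150.360.
    """
    patterns = [re.compile(r"(?<![\d.])" + re.escape(refang(ioc)) + r"(?![\d.])")
                for ioc in c2_indicators]
    return [line for line in log_lines if any(p.search(line) for p in patterns)]


def demo() -> dict:
    """Build a constructed driver directory and log excerpt, then run both checks."""
    # Constructed file contents; the real PrintExp.exe hash is not in the article.
    clean_printexp = b"MZ...constructed clean PrintExp.exe contents..."
    clean_helper = b"MZ...constructed clean helper.dll contents..."
    manifest = {
        "PrintExp.exe": hashlib.sha256(clean_printexp).hexdigest(),
        "helper.dll": hashlib.sha256(clean_helper).hexdigest(),
        "uninstall.exe": "0" * 64,  # placeholder hash; file deliberately absent below
    }
    with tempfile.TemporaryDirectory() as tmp:
        # PrintExp.exe has extra bytes appended, the way a file infector alters a host.
        with open(os.path.join(tmp, "PrintExp.exe"), "wb") as fh:
            fh.write(clean_printexp + b"<constructed appended bytes>")
        with open(os.path.join(tmp, "helper.dll"), "wb") as fh:
            fh.write(clean_helper)
        with open(os.path.join(tmp, "extra.exe"), "wb") as fh:
            fh.write(b"not in manifest")
        hash_report = verify_against_manifest(tmp, manifest)

    # Constructed firewall log excerpt (documentation/reserved ranges, not real traffic).
    log_lines = [
        "2024-09-03T10:12:01Z ALLOW TCP 10.0.0.21:51234 -> 185.143.223.117:443",
        "2024-09-03T10:12:05Z ALLOW TCP 10.0.0.21:51235 -> 203.0.113.5:443",
        "2024-09-03T10:13:40Z ALLOW TCP 10.0.0.33:50001 -> 245.9.150.36:80",
        "2024-09-03T10:14:02Z ALLOW TCP 10.0.0.21:51240 -> 45.9.150.36:8080",
    ]
    return {"hashes": hash_report, "c2_hits": find_c2_connections(log_lines)}


if __name__ == "__main__":
    report = demo()
    for path, status in sorted(report["hashes"].items()):
        print(f"{status:10} {path}")
    for line in report["c2_hits"]:
        print("C2 MATCH:", line)
```

Running the script reports PrintExp.exe as MODIFIED, helper.dll as ok, uninstall.exe as missing, extra.exe as unexpected, and two C2 matches; the third log line is deliberately not matched because its destination only contains the C2 address as a suffix. In a real response the manifest should cover every executable and DLL shipped by the driver package, not just PrintExp.exe, since the file-infector behaviour can spread to other binaries on the host.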
Historical Context and Related Threats
Printer-related malware isn’t novel. HP drivers were falsely flagged as malware in 2020 due to heuristic detection overlaps [5], while Lexmark printers have been vulnerable to remote exploitation. However, the Procolored incident represents a confirmed case of deliberate malware distribution through official channels.
This event underscores the need for:
- Driver integrity verification via checksums
- Network segmentation for printing infrastructure
- Enhanced monitoring of peripheral device communications
As of May 2025, Procolored has not released a formal root cause analysis. Third-party drivers, particularly community-modified Epson L1800 alternatives, are being recommended by users as temporary replacements [6].
References
1. “Printer maker Procolored offered malware-laced drivers for months,” BleepingComputer, May 16, 2025.
2. “SnipVex and XRed malware discovered in Procolored software,” SecurityOnline, May 16, 2025.
3. “Bogus printer support scams via Google Ads,” Malwarebytes, Nov. 29, 2024.
4. “Troubleshooting Procolored L1800 DTF Printer,” YouTube, Jul. 2024.
5. “Printers can harbor malware,” GFI Software, 2024.
6. User reports on T-Shirt Forums and TikTok (@burton.mom), 2024–2025.