Procolored Distributes Compromised Drivers Containing Malware for Extended Period


For a duration of at least six months, the official software distributed with Procolored printers has been identified to contain malware, including a remote access trojan (RAT) and a cryptocurrency stealing application.

Procolored, a manufacturer of digital printing solutions—including Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers—has rapidly expanded since its inception in 2018, offering cost-effective fabric printing solutions in over 31 countries, with notable operations in the United States.

The discovery of the malware was made by Cameron Coward, a content creator known as Serial Hobbyism. During the installation of software and drivers for a $7,000 Procolored UV printer, he encountered alerts from his security solution indicating the presence of the Floxif USB worm on his system.

An investigation by G Data, a cybersecurity firm, corroborated that the malware was embedded in Procolored’s official software packages for a minimum of six months.

Uncovering Remote Access Trojans and Cryptocurrency Stealers

Upon receiving alerts regarding malware on his machine, Coward reached out to Procolored for clarification. The company refuted his claims, suggesting that the security alerts were false positives. Coward reported that attempting to download or extract files from Procolored’s official website led to quarantines initiated by his computer’s security system.

Seeking further assistance, Coward consulted Reddit for help with malware analysis prior to publishing his review of the Procolored V11 Pro product. G Data researcher Karsten Hahn conducted a thorough investigation, uncovering that at least six printer models (F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro) harbored malware within software hosted on Mega, a file-sharing platform.

Procolored’s support section directly linked to files hosted on Mega. Hahn identified 39 malware-infected files associated with the following threats:

XRedRAT: A known malware variant with capabilities such as keylogging, screenshot capturing, remote shell access, and file manipulation. Its hardcoded command and control (C2) URLs matched previous samples.
SnipVex: An undocumented clipper malware that infects executable files, replacing Bitcoin addresses in the clipboard. Its presence was detected in several download files, likely arising from infected Procolored developer systems or build machines.
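As an added illustration (not code from G Data's analysis or from Procolored's software), the following Python shows the check a defender can apply against the clipboard-swapping behaviour described for SnipVex: confirm that what was copied is a Base58Check Bitcoin address and flag any silent change before it is pasted into a wallet. The addresses and the mock clipboard below are constructed for the demo; bech32 addresses are out of scope.

```python
import hashlib

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading "1".
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)   # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def p2pkh_address(hash160: bytes, version: int = 0x00) -> str:
    """Base58Check: version || hash160 || first 4 bytes of SHA256d."""
    payload = bytes([version]) + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def is_valid_address(text: str) -> bool:
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    expected = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return raw[-4:] == expected


def clipboard_swap_detected(copied: str, pasted: str) -> bool:
    """True when a valid address was copied and the clipboard no longer holds it."""
    if not is_valid_address(copied):
        return False          # nothing address-like was copied; not a clipper scenario
    return pasted != copied   # any silent change to a copied address is a red flag


# Constructed demo values: an intended payee and a swapped-in address.
INTENDED = p2pkh_address(bytes.fromhex("a1" * 20))
SWAPPED_IN = p2pkh_address(bytes.fromhex("b2" * 20))
```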

The malware was last updated in October 2024, suggesting that it had been included in Procolored’s software for at least the last six months.

Hahn reported that the Bitcoin address SnipVex uses to receive stolen cryptocurrency had received approximately 9.308 BTC, equivalent to nearly $1 million at current exchange rates.

Following initial denials from Procolored, the company withdrew the compromised software packages on May 8, initiating an internal investigation.

In response to inquiries from G Data regarding the incident, Procolored acknowledged that the files uploaded to Mega could have originated from an infected USB drive used in the transfer process. They stated: “As a precaution, all software has been temporarily removed from the Procolored official website. We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded.”

G Data subsequently received the cleaned software packages and confirmed their safety for use, advising Procolored customers to replace outdated software with the new versions and to perform system scans to eradicate XRedRAT and SnipVex. Due to SnipVex’s capability for binary alterations, a thorough cleansing of affected systems was recommended to ensure all traces of the malware were removed.

Requests for comment from Procolored on whether customers have been notified of the incident have so far gone unanswered.