Key Takeaways:
Procolored’s official driver downloads contained XRedRAT (a remote access trojan) and SnipVex (a Bitcoin clipboard hijacker). The malware, linked from Procolored’s own support site, swapped copied Bitcoin addresses to redirect funds to attackers, netting around 9.3 BTC. After public exposure, Procolored’s parent company, Tiansheng, removed the infected files, blaming the breach on USB cross-contamination.
The Chinese printer manufacturer Procolored has come under scrutiny for distributing malware via its official printer drivers, leaving users vulnerable to significant cybersecurity threats. The malicious software, which consists of a remote access trojan alongside a cryptocurrency stealer, has reportedly been embedded in Procolored’s software for a duration of at least six months.
Founded in 2018 and based in Shenzhen, China, Procolored specializes in digital printing technology, offering products such as DTF, UV, and DTG printers. The company has seen rapid expansion since its inception, with sales reaching over 30 countries, including a notable presence in the U.S. market.
Malware Found in Procolored Printer Software, Impacting Users Globally
The alarming discovery was first flagged by YouTuber Cameron Coward, who posts as Serial Hobbyism, after he found malware on his system following the installation of drivers for a $7,000 Procolored UV printer. His antivirus software detected a worm referred to as Floxif.
In initial communications with Procolored, Coward was met with a denial of wrongdoing, as the company suggested the alert was a false positive. “If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,” Coward noted.
In pursuit of more information, Coward sought assistance on Reddit, which led to a thorough investigation conducted by Karsten Hahn, a researcher from the cybersecurity firm G Data.
Hahn confirmed the presence of two distinct malware components: XRedRAT, a remote access trojan capable of keystroke logging and remote control, and SnipVex, a clipboard hijacker specifically targeting Bitcoin addresses.
The malware was found linked to at least six different Procolored printer models, with compromised files hosted on Mega and directly accessible via Procolored’s official support site. A total of 39 infected files were identified.
This malware specifically hijacked Bitcoin wallet addresses copied to users’ clipboards, replacing them with the attackers’ addresses, leading to significant financial losses. In total, approximately 9.3 BTC valued at over $953,000 was reported stolen. Crypto tracking and compliance firm Slow Mist elaborated on the malware’s functionality in a post, stating:
“The official driver provided by this printer carries a backdoor program. It will hijack the wallet address in the user’s clipboard and replace it with the attacker’s address: 1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj.”
— MistTrack (@MistTrack_io), May 19, 2025
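The clipboard swap described above is detectable from the endpoint side. The following is an added example (not code from the article, from G Data, or from SlowMist) of a polling clipboard monitor that validates Bitcoin addresses with a Base58Check checksum and flags the tell-tale transition from one valid address to a different valid address between polls; the poll log and the stand-in "swapped-in" address are constructed for the example.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH "1..." / P2SH "3...") Bitcoin addresses.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Loose shape check for candidate addresses (legacy Base58 or bech32 "bc1...").
_ADDR_RE = re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$")

def is_valid_legacy_address(addr: str) -> bool:
    """Base58Check: decode to 25 bytes (version + hash160 + checksum) and verify
    the 4-byte double-SHA256 checksum. Leading '1's decode to leading 0x00 bytes."""
    if not _ADDR_RE.match(addr) or addr[0] not in "13":
        return False
    n = 0
    for ch in addr:
        n = n * 58 + _B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:  # payload longer than a legacy address can be
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]

def looks_like_address(text: str) -> bool:
    """Candidate test for the monitor; bech32 strings are accepted on shape only."""
    text = text.strip()
    if text.startswith("bc1"):
        return bool(_ADDR_RE.match(text))
    return is_valid_legacy_address(text)

def detect_clipboard_swaps(samples):
    """samples: (timestamp, clipboard_text) pairs from a polling loop. A clipper turns
    address A into a different address B between polls with no user action, so that
    transition is flagged; a user copying two addresses in one interval is a false positive."""
    alerts = []
    for (_, prev), (t_cur, cur) in zip(samples, samples[1:]):
        if prev != cur and looks_like_address(prev) and looks_like_address(cur):
            alerts.append({"time": t_cur, "expected": prev.strip(), "found": cur.strip()})
    return alerts

# Constructed poll log (not real telemetry): the user copies one address, the next poll sees another.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SWAPPED_IN = "1111111111111111111114oLvT2"  # stand-in for an attacker's address
SAMPLES = [(0.0, "meeting notes"), (0.5, GENESIS), (1.0, SWAPPED_IN),
           (1.5, SWAPPED_IN), (2.0, "meeting notes")]

if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLES):
        print(f"t={a['time']}: clipboard changed from {a['expected']} to {a['found']}")
```

In a real deployment the samples come from a clipboard poll (for example every 250 ms) and an alert should be correlated with the absence of copy keystrokes in that interval to cut false positives.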
Following the report, G Data contacted Tiansheng, Procolored’s parent company. The company disclosed that it had taken steps to remove the compromised drivers and had rescanned all relevant files as of May 8, 2025.
Tiansheng attributed the malware’s infiltration to potential USB cross-contamination between systems prior to the affected files being uploaded online.
In light of these events, users are advised to conduct thorough scans of their systems. Experts recommend complete system reinstalls for anyone who has utilized the compromised drivers. New, sanitized driver files can reportedly be obtained by directly reaching out to Tiansheng’s technical support.
Chinese Marketplaces and US Fronts Fuel Southeast Asian Fraud Rings
The revelation of Bitcoin-stealing malware embedded in Procolored’s official printer drivers coincides with a broader surge of cybercrime infrastructure emanating from China and spreading throughout Southeast Asia.
On May 18, blockchain analytics firm Elliptic connected a company registered in Colorado to a Chinese-language Telegram marketplace known as Xinbi Guarantee, which facilitates large-scale crypto scams. Xinbi has reportedly managed over $8.4 billion in stablecoin transactions since its establishment, primarily involving USDT.
The marketplace offers a variety of illicit services, including money laundering, counterfeit identification documents, technological hardware, and stolen personal data. Operating on a “guarantee” model, it demands vendor deposits to maintain trust among criminal users.
Xinbi was registered in the U.S. in 2022 under the name Xinbi Co. Ltd. However, the company was flagged as delinquent in early 2025 for failing to meet reporting requirements. Elliptic suggests that there may be connections between this group’s cryptocurrency activities and North Korean hackers.
Xinbi follows in the footsteps of Huione Guarantee, another Chinese marketplace exposed in 2024 that was found to have facilitated transactions amounting to $98 billion.
These networks illustrate a concerning rise in the underground economy fueled by stablecoins and a significant increase in cyber fraud risks.
The post Procolored Printer Drivers Slip Bitcoin-Stealing Trojan, Draining $950K from Users appeared first on Finance Newso.