Key Takeaways:
- Procolored’s official driver downloads contained XRedRAT (a remote access trojan) and SnipVex (a Bitcoin clipboard hijacker).
- The malware, linked from Procolored’s own support website, swapped copied Bitcoin addresses to redirect funds to attackers, netting around 9.3 BTC.
- After public exposure, Procolored’s parent company, Tiansheng, removed the infected files, blaming the breach on USB cross-contamination.
Chinese printer manufacturer Procolored has been found distributing malware through its official printer drivers, exposing users to serious cybersecurity risks. The malicious software, which included a remote access trojan and a cryptocurrency stealer, appears to have been embedded in Procolored’s companion software for at least six months.
Procolored, based in Shenzhen, China, specializes in digital printing solutions such as DTF, UV, and DTG printers.
Since its founding in 2018, the company has expanded rapidly, selling in over 30 countries, including the U.S., where it has a large customer base.
Malware Found in Procolored Printer Software, Impacting Users Globally
According to local news media, the issue came to light when YouTuber Cameron Coward, known as Serial Hobbyism, detected malware on his system after installing drivers for a $7,000 Procolored UV printer. His antivirus flagged a worm called Floxif.
Coward initially contacted the company, which denied any wrongdoing and claimed the alert was a false positive. “If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,” Coward said.
Seeking clarity, Coward turned to Reddit for help. That led to a deeper investigation by Karsten Hahn, a researcher at cybersecurity firm G DATA.
Hahn confirmed the presence of two pieces of malware: XRedRAT, a remote access trojan capable of keystroke logging and remote control, and SnipVex, a previously unknown clipboard hijacker targeting Bitcoin addresses.
The malware was traced to at least six Procolored printer models, with infected files hosted on Mega and linked directly from Procolored’s official support website. A total of 39 compromised files were found.
The malware replaced copied Bitcoin wallet addresses with ones controlled by attackers, stealing funds from unsuspecting users.
A total of 9.3 BTC, worth over $953,000, has been stolen, according to the report. Crypto tracking and compliance firm SlowMist described how the malware operates in a May 19 X post:
“The official driver provided by this printer carries a backdoor program. It will hijack the wallet address in the user’s clipboard and replace it with the attacker’s address.”
G DATA contacted Tiansheng, the parent company of Procolored. The firm responded that it had removed the affected drivers and rescanned all files as of May 8, 2025.
The company claimed the infection likely occurred during USB transfers between systems before the files were uploaded online.
Users are now urged to scan their systems thoroughly. Experts recommend a full system reinstall for anyone who has used the infected drivers. New, clean driver files are reportedly available but must be requested directly from Tiansheng’s technical support.
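The clipboard-swap behaviour described above, as an added defensive illustration (this is not code from the article, G DATA, SlowMist or Procolored): a helper that validates a legacy base58check Bitcoin address and flags the case where the text read back from the clipboard is a different valid-looking address than the one copied. It assumes only legacy P2PKH/P2SH addresses (bech32 is not handled), and the sample addresses are constructed from placeholder hashes.

```python
# Added defensive helper (not the article's, G DATA's or Procolored's code):
# flags a clipboard-hijack swap of a legacy base58check Bitcoin address.
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    """Base58 encode, keeping leading zero bytes as '1' characters."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a non-base58 character."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body

def checksum(payload: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as base58check uses."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def make_address(hash160: bytes, version: int = 0x00) -> str:
    """Build a base58check address from a 20-byte hash (0x00 = mainnet P2PKH)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))

def is_valid_address(addr: str) -> bool:
    """Structural check only: 25 decoded bytes and a matching checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]

def clipboard_swapped(copied: str, observed: str) -> bool:
    """True when the clipboard now holds a different, valid-looking address."""
    return observed != copied and is_valid_address(observed)

def find_swaps(events):
    """events: constructed (copied, observed) snapshots; indexes where a swap occurred."""
    return [i for i, (c, o) in enumerate(events) if clipboard_swapped(c, o)]
```

A wallet front end or a clipboard monitor can call `clipboard_swapped` right before a paste is accepted; a mismatch against the address the user actually copied is exactly the symptom SnipVex produces.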
Chinese Marketplaces and US Fronts Fuel Southeast Asian Fraud Rings
The discovery of Bitcoin-stealing malware in Procolored’s official printer drivers comes amid a wider wave of cybercrime infrastructure originating in China and spreading across Southeast Asia.
On May 18, blockchain firm Elliptic linked a Colorado-incorporated entity to a Chinese-language Telegram marketplace called Xinbi Guarantee, a platform used to facilitate large-scale crypto scams.

Xinbi has processed over $8.4 billion in stablecoin transactions, primarily USDT, since its inception. The platform offers illicit services ranging from money laundering and fake IDs to tech hardware and stolen personal data.
It operates on a “guarantee” model, requiring vendor deposits to maintain trust among criminals.
Xinbi was registered in the U.S. in 2022 under the name Xinbi Co. Ltd. The company was flagged as delinquent in early 2025 for failing to file reports. Elliptic suggests the group’s crypto activity may also be tied to North Korean hackers.
Xinbi follows Huione Guarantee, another Chinese marketplace exposed in 2024 for facilitating $98 billion in transactions.
These networks reveal a growing underground economy powered by stablecoins and an alarming rise in cyber fraud.
The post Procolored Printer Drivers Slip Bitcoin-Stealing Trojan, Draining $950K from Users appeared first on Cryptonews.