Procolored printer software has been malware-laden for months

June 11, 2025
Procolored Printer Software RAT Malware Threat Alert

The official printer software distributed by Procolored allegedly contained malicious components: a remote access trojan (RAT) and cryptocurrency-stealing clipper malware. Based on reports, these payloads had been present in the software for at least half a year.

The issue came to light when a tech reviewer and YouTube content creator observed unusual system behaviour after installing drivers for a $7,000 Procolored UV printer.

Antivirus software on the reviewer’s system detected the Floxif USB worm, prompting a closer examination of the files provided by the company.

Although Procolored initially denied that its software contained malware, suggesting that the security alerts were false positives, an independent analysis conducted by a cybersecurity firm confirmed that multiple driver packages were indeed infected.

The malware was found in driver packages hosted on the Mega file-sharing platform, to which Procolored links directly from its official website.

The compromised software affected at least six printer models: F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro. In total, researchers identified 39 infected files.

Two confirmed malware strains were found in the Procolored software.

According to the investigation, one confirmed malware strain in the Procolored software is XRedRAT, a well-documented remote access trojan with capabilities including keylogging, screenshot capture, remote shell access, and file manipulation.

The malware’s hardcoded command-and-control (C2) infrastructure matched previously identified samples.

Also present was a previously undocumented clipper malware dubbed SnipVex. It infects executable (.EXE) files and alters clipboard contents, specifically replacing Bitcoin addresses with ones controlled by the attackers.
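The clipper behaviour described above can be checked for from the defender's side: a wallet front end or an endpoint agent can compare what the user copied with what the clipboard holds at paste time. The Python below is an added example, not code from the article or from the researchers who analysed SnipVex. It validates mainnet Bitcoin address formats (Base58Check for legacy P2PKH/P2SH addresses, bech32/bech32m for native SegWit) and flags the clipper signature: a copied address that reappears in the clipboard as a different but well-formed address. The sample addresses are public Bitcoin test vectors and well-known addresses used as constructed input; the function names and the single-comparison detection rule are assumptions of this example, not details of SnipVex taken from the report.

```python
import hashlib

# Added example (not from the article): clipboard-substitution check of the
# kind a wallet or endpoint agent could run to spot clipper malware.
# Sample addresses are public test vectors used purely as constructed input.

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _base58check_version(addr: str):
    """Decode a Base58Check string; return its version byte, or None if invalid."""
    if not addr or any(c not in B58_ALPHABET for c in addr):
        return None
    n = 0
    for c in addr:
        n = n * 58 + B58_ALPHABET.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes one leading zero byte that the integer loses.
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload[0]


def _bech32_polymod(values):
    """BIP173 checksum polynomial over 5-bit values."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _bech32_valid(addr: str) -> bool:
    """True if addr is a well-formed mainnet bech32 (SegWit v0) or bech32m address."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is forbidden by BIP173
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if hrp != "bc" or any(c not in BECH32_CHARSET for c in data):
        return False
    values = ([ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
              + [BECH32_CHARSET.index(c) for c in data])
    return _bech32_polymod(values) in (1, 0x2BC830A3)  # bech32, bech32m constants


def btc_address_kind(text: str):
    """Classify text as a mainnet Bitcoin address: 'p2pkh', 'p2sh', 'bech32', or None."""
    text = text.strip()
    version = _base58check_version(text)
    if version == 0x00:
        return "p2pkh"
    if version == 0x05:
        return "p2sh"
    if _bech32_valid(text):
        return "bech32"
    return None


def clipboard_swap_detected(copied: str, pasted: str) -> bool:
    """True when the user copied one Bitcoin address but the clipboard now holds
    a different, well-formed Bitcoin address: the signature of clipper malware."""
    return (btc_address_kind(copied) is not None
            and btc_address_kind(pasted) is not None
            and copied.strip() != pasted.strip())


if __name__ == "__main__":
    # Constructed scenario: the user copies the well-known genesis-block address;
    # a clipper swaps in a different address (here the BIP173 test vector).
    copied = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    swapped = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
    print("swap detected:", clipboard_swap_detected(copied, swapped))  # True
    print("unchanged    :", clipboard_swap_detected(copied, copied))   # False
    print("plain text   :", clipboard_swap_detected("hello", swapped))  # False
```

The comparison deliberately requires both strings to be well-formed addresses: a clipper replaces an address with another valid address of the attacker's choosing, so a mere change of text is not enough to raise an alert, while a checksum-valid substitution is exactly the case worth blocking before a transaction is signed. Reading the clipboard itself is platform-specific and left out; in practice the two strings would come from the copy event and the paste event respectively.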

Researchers suspect that SnipVex infiltrated Procolored’s developer or build environment. The malware-laden files were last updated in October 2024, indicating that the compromised drivers had been in circulation for at least six months.

Analysts tracking the cryptocurrency wallet associated with SnipVex found that it had received approximately 9.3 BTC, valued at nearly $1 million at current exchange rates.

Following the discovery, Procolored removed the affected software from its website on May 8, 2025, and launched an internal investigation.

Furthermore, the company later admitted that the infected files had been uploaded to Mega using a USB drive that may have been compromised with the Floxif worm. Clean versions of the affected driver packages were subsequently verified by independent analysts and deemed safe for distribution.

Users who installed Procolored printer software between October 2024 and May 2025 are advised to remove the earlier versions and install the updated packages. As of now, Procolored has not responded to further media inquiries about customer notification or disclosure procedures related to the incident.
