Procolored Printer Drivers Slip Bitcoin-Stealing Trojan, Draining $950K from Users
Key Takeaways:
- Procolored’s official driver downloads contained XRedRAT (a remote access trojan) and SnipVex (a Bitcoin clipboard hijacker).
- The malware, linked from Procolored’s own support site, swapped copied Bitcoin addresses to redirect funds to attackers, netting around 9.3 BTC.
- After public exposure, Procolored’s parent company, Tiansheng, removed the infected files, blaming the breach on USB cross-contamination.
Chinese printer manufacturer Procolored has been found distributing malware through its official printer drivers, exposing users to serious cybersecurity risks. The malicious software, which included a remote access trojan and a cryptocurrency stealer, appears to have been embedded in Procolored’s companion software for at least six months.
Procolored, based in Shenzhen, China, specializes in digital printing solutions such as DTF, UV, and DTG printers.
Since its founding in 2018, the company has expanded rapidly, selling in over 30 countries, including the U.S., where it has a large customer base.
Malware Found in Procolored Printer Software, Impacting Users Globally
According to local news media, the issue came to light when YouTuber Cameron Coward, known as Serial Hobbyism, detected malware on his system after installing drivers for a $7,000 Procolored UV printer. His antivirus flagged a worm known as Floxif.
Coward initially contacted the company, which denied any wrongdoing and claimed the alert was a false positive. “If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,” Coward said.
Seeking clarity, Coward turned to Reddit for help. That led to a deeper investigation by Karsten Hahn, a researcher at cybersecurity firm G Data.
Hahn confirmed the presence of two pieces of malware: XRedRAT, a remote access trojan capable of keystroke logging and remote control, and SnipVex, a previously unknown clipboard hijacker targeting Bitcoin addresses.
The malware was traced to at least six Procolored printer models, with infected files hosted on Mega, linked directly from Procolored’s official support site. A total of 39 compromised files were found.
The malware replaced copied Bitcoin wallet addresses with ones controlled by attackers, stealing funds from unsuspecting users.
A total of 9.3 BTC, worth over $953,000, has been stolen, according to the report. Crypto tracking and compliance firm SlowMist described how the malware operates in a May 19 X post:
“The official driver provided by this printer carries a backdoor program. It will hijack the wallet address in the user’s clipboard and replace it with the attacker’s address: 1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj.”
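The substitution described above is the whole trick of a clipper: it watches the clipboard and, the instant a Bitcoin address is copied, overwrites it with the attacker's. The following is an added example, not code from the article, from G DATA, or from Procolored, showing how such a swap can be spotted from the host side. It replays a constructed sequence of clipboard snapshots (a real monitor would poll the OS clipboard instead) and flags an address being replaced by a different address within a short window with no other clipboard activity in between. The 2-second window and the sample timeline are assumptions; the attacker address used in the sample is the one reported in the SlowMist post.

```python
"""
Added example (not part of the Cryptonews article, nor code from G DATA,
SlowMist or Procolored): detecting SnipVex-style clipboard address swaps.
Fed a constructed list of clipboard snapshots so it runs offline.
"""
import hashlib
import re

_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy (1.../3...) Base58 addresses and bech32 (bc1...) addresses.
_BTC_RE = re.compile(
    r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b"
)

# Assumed threshold: a clipper rewrites the clipboard within milliseconds,
# a human copying a second, different address takes seconds.
SWAP_WINDOW_SECONDS = 2.0


def _b58decode(s):
    """Decode a Base58 string to bytes, preserving leading '1' as 0x00 bytes."""
    n = 0
    for ch in s:
        n = n * 58 + _B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def is_valid_legacy_address(addr):
    """Base58Check validation for P2PKH/P2SH (1... / 3...) addresses."""
    if not (26 <= len(addr) <= 35) or any(c not in _B58_ALPHABET for c in addr):
        return False
    raw = _b58decode(addr)
    if len(raw) != 25:  # 1 version byte + 20-byte hash160 + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def detect_clipper(snapshots, window=SWAP_WINDOW_SECONDS):
    """
    snapshots: ordered (t_seconds, clipboard_text) pairs as a poller would see them.
    Returns a list of (original_address, replacement_address, t) for every case
    where one Bitcoin address was replaced by a different one within `window`
    seconds and nothing else touched the clipboard in between.
    """
    alerts = []
    prev_addr, prev_t = None, None
    for t, text in snapshots:
        m = _BTC_RE.search(text or "")
        addr = m.group(0) if m else None
        if addr and prev_addr and addr != prev_addr and (t - prev_t) <= window:
            alerts.append((prev_addr, addr, t))
        # Any non-address content breaks the chain, so a later legitimate copy
        # of a different address is not mistaken for a swap.
        prev_addr, prev_t = addr, t
    return alerts


# Constructed timeline (not captured data). 1A1zP1eP... is the well-known
# genesis-block address; 1BQZKqdp... is the attacker address from the report.
SAMPLE_SNAPSHOTS = [
    (0.0, ""),
    (1.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),        # user copies payee
    (1.1, "1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj"),        # clipper swaps it 100 ms later
    (10.0, "invoice #4471 - pay by Friday"),            # unrelated copy
    (20.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),       # user copies payee again
    (30.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # different payee, 10 s later
]


if __name__ == "__main__":
    for original, replacement, t in detect_clipper(SAMPLE_SNAPSHOTS):
        print(f"t={t}s clipboard swapped {original} -> {replacement}")
```

Note that Base58Check validation alone does not catch a clipper: the attacker's address passes the checksum just as the victim's does, which is why the check above keys on the timing of the replacement rather than on the address itself. The practical user-side defence the article's advice implies is the same one: compare the pasted address character by character against the one you copied before sending.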
G Data contacted Tiansheng, the parent company of Procolored. The firm responded that it had removed the affected drivers and rescanned all files as of May 8, 2025.
The company claimed the infection likely occurred during USB transfers between systems before the files were uploaded online.
Users are now urged to scan their systems thoroughly. Experts recommend a full system reinstall for anyone who has used the infected drivers. New, clean driver files are reportedly available but must be requested directly from Tiansheng’s technical support.
Chinese Marketplaces and US Fronts Fuel Southeast Asian Fraud Rings
The discovery of Bitcoin-stealing malware in Procolored’s official printer drivers comes amid a wider wave of cybercrime infrastructure originating in China and spreading across Southeast Asia.
On May 18, blockchain firm Elliptic linked a Colorado-incorporated entity to a Chinese-language Telegram marketplace called Xinbi Guarantee, a platform used to facilitate large-scale crypto scams.
Source: Elliptic
Xinbi has processed over $8.4 billion in stablecoin transactions, primarily USDT, since its inception. The platform offers illicit services ranging from money laundering and fake IDs to tech hardware and stolen personal data.
It operates on a “guarantee” model, requiring vendor deposits to maintain trust among criminals.
Xinbi was registered in the U.S. in 2022 under the name Xinbi Co. Ltd. The company was flagged as delinquent in early 2025 for failing to file reports. Elliptic suggests the group’s crypto activity may also be tied to North Korean hackers.
Xinbi follows Huione Guarantee, another Chinese marketplace exposed in 2024 for facilitating $98 billion in transactions.
These networks reveal a growing underground economy powered by stablecoins and an alarming rise in cyber fraud.
The post Procolored Printer Drivers Slip Bitcoin-Stealing Trojan, Draining $950K from Users appeared first on Cryptonews.