Bitcoin stealer malware found in official printer drivers

Recent reports from Chinese media have unveiled a troubling situation involving Procolored, a printer manufacturer based in Shenzhen. The company has been accused of distributing malware designed to steal Bitcoin alongside its official printer drivers. According to Landian News, the malware was embedded in USB drivers and subsequently uploaded to cloud storage for global access.

The scale of the theft is significant: approximately 9.3 BTC, valued at over 3,000, was reportedly stolen. The crypto tracking and compliance firm SlowMist detailed the malware's operation, explaining that the compromised drivers contain a backdoor program that hijacks wallet addresses copied to the clipboard, replacing them with addresses controlled by the attackers.
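The clipboard-swapping behaviour described above is hard to spot by eye because the substituted address is itself a well-formed Bitcoin address. The following Python is an added example, not code from the article or from SlowMist, showing how a defender can detect such a swap from a log of clipboard events: it validates legacy addresses with Base58Check (double SHA-256 checksum), recognises bech32 addresses by format only (an assumption, not a full BIP173 checksum), and raises an alert when a polled clipboard value differs from the address the user last copied. The event log, the function names and the use of the genesis block address and the BIP173 test vector as sample data are all constructed for illustration.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (P2PKH "1...", P2SH "3...").
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# bech32 segwit addresses: "bc1" prefix plus the bech32 charset (no 1, b, i, o).
# Assumption: this is a format check only; the bech32 checksum is not verified here.
BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{11,87}$")


def b58check_valid(addr: str) -> bool:
    """True if addr is a syntactically valid Base58Check legacy address."""
    if not (26 <= len(addr) <= 35) or any(c not in B58_ALPHABET for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58_ALPHABET.index(c)
    # Each leading '1' encodes a leading zero byte that the integer value loses.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def looks_like_btc_address(text: str) -> bool:
    """Classify clipboard text as a Bitcoin address (legacy checked, bech32 by format)."""
    text = text.strip()
    if text.startswith(("1", "3")):
        return b58check_valid(text)
    return bool(BECH32_RE.match(text))


def find_swaps(events):
    """Scan a clipboard event log for address substitutions.

    events: list of (source, clipboard_text) where source is "user_copy"
    (the user explicitly copied something) or "poll" (a periodic read of the
    clipboard with no user action). An alert is raised when a poll shows a
    valid Bitcoin address that differs from the one the user last copied.
    Returns a list of (event_index, expected_address, observed_address).
    """
    alerts = []
    expected = None
    for i, (source, text) in enumerate(events):
        if source == "user_copy":
            # Only track the clipboard while it holds an address the user chose.
            expected = text.strip() if looks_like_btc_address(text) else None
        elif source == "poll" and expected is not None:
            seen = text.strip()
            if seen != expected and looks_like_btc_address(seen):
                alerts.append((i, expected, seen))
                expected = None  # report each substitution once
    return alerts


# Constructed sample log: the user copies the genesis block address, a later
# poll finds it replaced by a different (bech32) address with no user action.
SAMPLE_EVENTS = [
    ("user_copy", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("poll", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("poll", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ("user_copy", "hello world"),  # non-address copy stops tracking
    ("poll", "hello world"),
]

if __name__ == "__main__":
    for idx, want, got in find_swaps(SAMPLE_EVENTS):
        print(f"event {idx}: clipboard address changed without a copy: {want} -> {got}")
```

The important design point is that validation alone cannot catch this class of malware, since the attacker's address passes every syntax check; the signal is the mismatch between what the user copied and what the clipboard later contains. A real monitor would feed the poll events from the operating system's clipboard API and pair any alert with a scan of recently installed drivers, which is the remediation the article goes on to recommend.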

YouTuber flags malware in Procolored drivers

In light of these revelations, Landian News has advised users who downloaded Procolored printer drivers in the past six months to conduct a comprehensive system scan using antivirus software. However, given the inconsistent efficacy of such tools, they recommend a complete system reset as a more reliable precaution: “Ideally, you should reinstall your operating system and thoroughly check old files.”

The issue first came to light through YouTuber Cameron Coward, whose antivirus software flagged malware while he was testing a Procolored UV printer. The software identified the drivers as containing a worm and a Trojan known as Foxif.

Cybersecurity company confirms crypto-stealing malware

Upon inquiry, Procolored denied the allegations, labeling the antivirus alerts as false positives. Coward took to Reddit to share his findings, which caught the attention of cybersecurity professionals and led to an investigation by G DATA. The analysis revealed that many of Procolored's drivers were hosted on the file-sharing service MEGA, with some uploads dating back to October 2023. The examination confirmed the presence of two distinct malware types: the backdoor Win32.Backdoor.XRedRAT.A and a crypto stealer that replaces clipboard addresses with those of the attacker.

Following G DATA's investigation, Procolored acknowledged the issue, stating that it had removed the infected drivers from its storage on May 8 and re-scanned all files. The company attributed the malware to a supply chain compromise, claiming that the malicious files were introduced via infected USB devices before being uploaded online.
