
Procolored Exposed Users to Malware for 6 Months

IMAGE CREDITS: PROCOLORED

For nearly six months, printer company Procolored unknowingly distributed malware through software downloads on its official website—putting users at serious risk of infection.

It all started with a tip from tech journalist Cameron Coward, who flagged a suspicious file on a USB drive that came with a Procolored printer. He alerted the company, but was told it was likely a false positive and that no threat existed. However, cybersecurity firm GData decided to dig deeper—and what they uncovered was far worse.

After scanning files available on Procolored’s download page, GData found 39 infected software packages, many hosted on cloud storage platform Mega.nz, with last updates dating back to October 2024. These files weren’t just carrying any malware—they were hosting a double threat.

Malware Duo: XRed Backdoor and CoinStealer Virus

The first malicious program, dubbed XRed, is a sophisticated Delphi-based backdoor. Once installed, it can record keystrokes, download new malware, take screenshots, manipulate files, and even open a remote shell for attackers to access the system directly. It’s also designed with worm-like features, enabling it to spread easily across networks.

But XRed wasn’t working alone.

Bundled inside it was CoinStealer, a powerful information-stealing virus designed to hijack cryptocurrency wallets. Beyond just collecting sensitive data, it actively watches a user’s clipboard and silently swaps out copied crypto wallet addresses with one belonging to the attacker—redirecting funds during transactions.
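The clipboard-swapping behaviour described above is detectable from the defender's side: the value a user copied and the value the clipboard holds a moment later should be identical, and a change to a different address of the same family with no copy in between is the substitution signature. The following is an added example, not code from the article or from GData's analysis; it replays a constructed stream of clipboard events rather than reading a live clipboard, and the address patterns and sample addresses are assumptions made up for the demonstration.

```python
import re
from typing import Iterable

# Loose address shapes to watch for (constructed for this demo, not exhaustive).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str):
    """Return the address family `text` resembles, or None for ordinary text."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def detect_clipboard_swaps(events: Iterable[tuple]) -> list:
    """
    Replay a clipboard event stream and flag silent address substitutions.

    Each event is ("copy", text) for a copy the user performed, or
    ("poll", text) for what a monitor later observed on the clipboard.
    A poll that shows a *different* address of the *same* family as the
    last user copy, with no copy in between, is reported as a swap.
    """
    alerts = []
    last_copy = None
    for source, text in events:
        if source == "copy":
            last_copy = text
            continue
        if last_copy is None or text == last_copy:
            continue
        kind_before, kind_after = address_kind(last_copy), address_kind(text)
        if kind_before and kind_before == kind_after:
            alerts.append({"kind": kind_after, "expected": last_copy, "observed": text})
    return alerts


# Constructed event stream: a normal copy, a wallet address that is silently
# replaced before the poll, and an unchanged Ethereum address.
SAMPLE_EVENTS = [
    ("copy", "meeting notes"),
    ("poll", "meeting notes"),
    ("copy", "1AbCdEfGhJkLmNpQrStUvWxYz23456789a"),
    ("poll", "1AbCdEfGhJkLmNpQrStUvWxYz23456789a"),
    ("poll", "3QqRsTuVwXyZabcdefghjkmnpqrstuvwxy"),  # swapped by a hijacker
    ("copy", "0x" + "ab" * 20),
    ("poll", "0x" + "ab" * 20),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"[{alert['kind']}] copied {alert['expected']} but clipboard now holds {alert['observed']}")
```

Wiring this to a real clipboard (for example polling the OS clipboard every few hundred milliseconds and hooking the user's copy shortcut) is platform-specific and left out; the point is that the comparison only needs the two values, and that the same-family check keeps ordinary edits of the clipboard from raising alerts.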

Worse still, GData found that CoinStealer is also a self-replicating virus, infecting executable files by attaching itself and relocating the originals. This strain, identified as SnipVex, turns a single infection into a system-wide outbreak—what GData calls a “superinfection.” All 39 software files on Procolored’s site were compromised in this way, suggesting the malware may have spread via a developer’s workstation or an infected build server.
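A file infector that attaches itself to existing executables leaves a measurable trace: the bytes on disk extend past the end that the PE headers declare. The script below is an added example, not code from the article or from GData; it parses the section table of a Windows executable, reports how much data sits beyond the declared end (the "overlay"), and pairs that heuristic with the vendor-published SHA-256 check that would have caught the tampered downloads regardless of how the infection was laid out. The exact on-disk layout SnipVex produces is not described on the page, so treating appended data as the signal is an assumption; the `build_sample_pe` helper fabricates a minimal, non-runnable PE purely as test input.

```python
import hashlib
import struct


def pe_declared_end(data: bytes) -> int:
    """Offset where the executable's declared content ends, from its headers.
    Raises ValueError if the bytes are not a DOS/PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                 # first IMAGE_SECTION_HEADER
    end = table + num_sections * 40              # headers alone, if no sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def overlay_size(data: bytes) -> int:
    """Bytes present after the declared end; > 0 means something was appended."""
    return len(data) - pe_declared_end(data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_download(data: bytes, expected_sha256: str) -> dict:
    """Reject on hash mismatch; report the overlay as a triage signal.
    Installers and self-extractors legitimately carry overlays, so the
    overlay alone is not proof of infection."""
    matches = sha256_hex(data) == expected_sha256.lower()
    return {
        "sha256_matches": matches,
        "overlay_bytes": overlay_size(data),
        "verdict": "ok" if matches else "reject",
    }


def build_sample_pe(payload: bytes = b"") -> bytes:
    """Constructed test data: a minimal one-section PE, optionally with
    `payload` appended the way an appending file infector would."""
    e_lfanew, opt_size, raw_ptr, raw_size = 0x40, 224, 0x200, 0x200
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + coff + b"\0" * opt_size + section)
    image += b"\0" * (raw_ptr - len(image))      # pad up to the section's file offset
    image += b"\xC3" * raw_size                   # placeholder section content
    return bytes(image) + payload


if __name__ == "__main__":
    clean = build_sample_pe()
    published = sha256_hex(clean)                 # stands in for the vendor's hash
    print(check_download(clean, published))
    print(check_download(build_sample_pe(b"\x90" * 100), published))
```

In practice the published hash should come from a channel other than the download page itself (a signed release manifest, or code signing on the binary), since an attacker who can replace the installer can usually replace a hash shown beside it.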

One of the Bitcoin wallets linked to the operation has received over 9 BTC, which is worth more than $900,000, confirming that the attackers had real financial success using this technique.

Procolored Responds—But Only After the Damage Was Done

Initially, Procolored dismissed any malware concerns, stating their USB software was safe. But following GData’s detailed report, the company finally pulled the infected downloads from its website. A spokesperson said the malware may have been introduced via a flash drive used to transfer the files, and that the files are now under review. They plan to re-upload clean versions if deemed safe.

GData’s findings serve as a strong reminder that even trusted device manufacturers can become unwitting distributors of malware—especially when internal security practices, like antivirus scans or clean build environments, are neglected.
