Key Takeaways:
- Procolored’s official driver downloads contained XRedRAT (a remote access trojan) and SnipVex (a Bitcoin clipboard hijacker).
- The malware, linked from Procolored’s own support site, swapped copied Bitcoin addresses to redirect funds to attackers, netting around 9.3 BTC.
- After public exposure, Procolored’s parent company, Tiansheng, removed the infected files, blaming the breach on USB cross-contamination.
Chinese printer manufacturer Procolored has been found distributing malware through its official printer drivers, exposing users to serious cybersecurity risks. The malicious software, which included a remote access trojan and a cryptocurrency stealer, appears to have been embedded in Procolored’s companion software for at least six months.
Procolored, based in Shenzhen, China, specializes in digital printing solutions such as DTF, UV, and DTG printers. Since its founding in 2018, the company has expanded rapidly, selling in over 30 countries, including the U.S., where it has a vast customer base.
Malware Found in Procolored Printer Software, Impacting Users Globally
According to local news media, the issue was first highlighted by YouTuber Cameron Coward, known as Serial Hobbyism, who detected malware on his system after installing drivers for a $7,000 Procolored UV printer. His antivirus flagged a worm known as Floxif.
Coward initially contacted the company, which denied any wrongdoing and claimed the alert was a false positive. “If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,” Coward reported.
Seeking clarity, Coward turned to Reddit for assistance. This led to a more in-depth investigation by Karsten Hahn, a researcher at cybersecurity firm G Data.
Hahn confirmed the presence of two malware strains: XRedRAT, a remote access trojan capable of keystroke logging and remote control functions, and SnipVex, a previously unknown clipboard hijacker specifically targeting Bitcoin addresses. The malware was traced to at least six Procolored printer models, with infected files hosted on Mega, linked directly from Procolored’s official support site. A total of 39 compromised files were discovered.
The malicious software replaced copied Bitcoin wallet addresses with those controlled by attackers, effectively redirecting funds from unsuspecting users. A staggering 9.3 BTC, worth over $953,000, has been reported stolen. Crypto tracking and compliance firm SlowMist elaborated on the malware’s operation:
“The official driver provided by this printer carries a backdoor program. It will hijack the wallet address in the user’s clipboard and replace it with the attacker’s address.”
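The clipboard swap described above can be caught on the defender's side by comparing what the user actually copied with what the clipboard holds a moment later. The following is an added example (not code from the article, from G Data, or from SlowMist): it validates Bitcoin address checksums (Base58Check for legacy addresses, bech32/bech32m for "bc1" addresses) and replays a constructed clipboard trace, flagging any poll that finds a valid address different from the one the user last copied. The event model (`user_copy` versus `poll` observations), the `classify_btc_address` and `detect_clipboard_swaps` names, and the sample trace are assumptions made for this example; the addresses are public test vectors plus one deliberately tampered string.

```python
"""Detect clipboard hijacking of Bitcoin addresses (added example, not from the article).

Replays a constructed clipboard trace and flags any moment where the clipboard holds
a checksum-valid Bitcoin address that differs from what the user last copied.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3


def _base58check_decode(addr):
    """Return the 21-byte payload if the Base58Check checksum verifies, else None."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def _bech32_polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _bech32_checksum_ok(addr):
    """BIP173/BIP350 checksum check for a mainnet 'bc1...' address."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is never valid
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr):
        return False
    hrp, data = addr[:sep], addr[sep + 1:]
    if hrp != "bc" or any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return _bech32_polymod(expanded + values) in (BECH32_CONST, BECH32M_CONST)


def classify_btc_address(text):
    """Return 'p2pkh', 'p2sh' or 'segwit' for a checksum-valid mainnet address, else None."""
    text = text.strip()
    if text.lower().startswith("bc1"):
        return "segwit" if _bech32_checksum_ok(text) else None
    payload = _base58check_decode(text)
    if payload is None:
        return None
    return {0x00: "p2pkh", 0x05: "p2sh"}.get(payload[0])


def detect_clipboard_swaps(events):
    """Replay (seq, source, content) observations and report suspected swaps.

    source is 'user_copy' for content the user was observed to copy, or 'poll'
    for what a periodic clipboard read returned. A swap is a poll that holds a
    valid Bitcoin address different from whatever the user last copied.
    """
    alerts, last_copied = [], None
    for seq, source, content in events:
        if source == "user_copy":
            last_copied = content
            continue
        kind = classify_btc_address(content)
        if kind and last_copied is not None and content != last_copied:
            alerts.append({"seq": seq, "expected": last_copied,
                           "found": content, "kind": kind})
    return alerts


# Constructed trace (assumption): the user copies a legacy address, a poll sees it
# intact, then a later poll finds a different segwit address in its place.
SAMPLE_EVENTS = [
    (1, "user_copy", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    (2, "poll", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    (3, "poll", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (4, "user_copy", "invoice #4711"),
    (5, "poll", "invoice #4711"),
]

if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"ALERT seq={a['seq']}: clipboard holds {a['kind']} address "
              f"{a['found']} but user copied {a['expected']}")
```

In a real monitor the `user_copy` events would come from a copy-shortcut or clipboard-owner hook and the `poll` events from a periodic clipboard read; the checksum validation matters because a hijacker substitutes a syntactically valid address, so a plain "did the text change" test would also fire on ordinary edits, while an address-aware test isolates the pattern the article describes.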
G Data contacted Tiansheng, the parent company of Procolored, which responded by stating that it had removed the affected drivers and rescanned all files as of May 8, 2025. The company claimed that the infection likely occurred during USB transfers between systems before the files were uploaded online.
Users are now urged to perform thorough scans of their systems. Experts recommend a complete system reinstall for anyone who has used the infected drivers. New, clean driver files are reportedly available but must be requested directly from Tiansheng’s technical support.
Chinese Marketplaces and U.S. Fronts Fuel Southeast Asian Fraud Rings
The discovery of Bitcoin-stealing malware in Procolored’s official printer drivers coincides with a broader wave of cybercrime originating in China and spreading throughout Southeast Asia.
On May 18, blockchain firm Elliptic linked a Colorado-incorporated entity to a Chinese-language Telegram marketplace called Xinbi Guarantee, a platform used to facilitate large-scale crypto scams. Xinbi has processed over $8.4 billion in stablecoin transactions, primarily USDT, since its inception.
This platform offers various illicit services ranging from money laundering and fake IDs to tech hardware and stolen personal data. It operates on a “guarantee” model requiring vendor deposits to maintain trust among criminals.
Xinbi was registered in the U.S. in 2022 under the name Xinbi Co. Ltd and was flagged as delinquent in early 2025 for failing to file necessary reports. Elliptic suggests that the group’s crypto activities may also have ties to North Korean hackers.
These operations reveal a growing underground economy fueled by stablecoins and an alarming rise in cyber fraud.
The rapid evolution of this type of cybersecurity threat poses serious challenges for users, especially those relying on third-party software and drivers. Always ensure that your software downloads come from secured and verified sources to minimize the risks associated with malware.
The case of Procolored printer drivers slipping a Bitcoin-stealing trojan to users and draining roughly $950K highlights the pressing need for heightened vigilance in the ever-evolving landscape of malware and digital fraud.