{"id":134078,"date":"2025-05-19T22:21:23","date_gmt":"2025-05-19T22:21:23","guid":{"rendered":"https:\/\/teknomers.com\/en\/procolored-printer-drivers-distribute-trojan-stealing-950k-in-bitcoin\/"},"modified":"2025-05-19T22:21:23","modified_gmt":"2025-05-19T22:21:23","slug":"procolored-printer-drivers-distribute-trojan-stealing-950k-in-bitcoin","status":"publish","type":"post","link":"https:\/\/teknomers.com\/en\/procolored-printer-drivers-distribute-trojan-stealing-950k-in-bitcoin\/","title":{"rendered":"Procolored Printer Drivers Distribute Trojan, Stealing $950K in Bitcoin"},"content":{"rendered":"<div class=\"su-note\" style=\"border-color:#e0d5e5;border-radius:3px\">\n<div class=\"su-note-inner su-u-clearfix su-u-trim\" style=\"background-color:#FAEFFF;border-color:#ffffff;color:#333333;border-radius:3px\">\n<p><strong>Key Takeaways:<\/strong><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Procolored\u2019s official driver downloads contained XRedRAT (a remote access trojan) and SnipVex (a Bitcoin clipboard hijacker).<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">The malware, linked from Procolored\u2019s own support site, swapped copied Bitcoin addresses to redirect funds to attackers, netting around 9.3 BTC.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">After public exposure, Procolored\u2019s parent company, Tiansheng, removed the infected files, blaming the breach on USB cross-contamination.<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<p>Chinese printer manufacturer <strong>Procolored<\/strong> has been found distributing malware through its official printer drivers, exposing users to serious cybersecurity risks. 
The malicious software, which included a remote access trojan and a cryptocurrency stealer, appears to have been embedded in Procolored\u2019s companion software for at least six months.<\/p>\n<p>Procolored, based in <strong>Shenzhen, China<\/strong>, makes digital printing equipment such as DTF, UV, and DTG printers. Since its founding in 2018, the company has expanded rapidly, selling in over 30 countries, including the <strong>U.S.<\/strong>, where it has a large customer base.<\/p>\n<h2>Malware Found in Procolored Printer Software, Impacting Users Globally<\/h2>\n<p>According to local news media, the issue was first highlighted by YouTuber <strong>Cameron Coward<\/strong>, who runs the channel Serial Hobbyism, after he installed the drivers for a $7,000 Procolored UV printer and his antivirus flagged the files as <strong>Floxif<\/strong>, a file-infecting virus.<\/p>\n<p>Coward initially contacted the company, which denied any wrongdoing and claimed the alert was a false positive. \u201cIf I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,\u201d Coward reported.<\/p>\n<p>Seeking clarity, Coward turned to <strong>Reddit<\/strong> for assistance. This led to a more in-depth investigation by Karsten Hahn, a researcher at cybersecurity firm <strong>G Data<\/strong>.<\/p>\n<p>Hahn confirmed the presence of two malware strains: <strong>XRedRAT<\/strong>, a remote access trojan with keylogging and remote-control capabilities, and <strong>SnipVex<\/strong>, a previously unknown clipboard hijacker that specifically targets Bitcoin addresses. Infected downloads were found for at least six Procolored printer models; the files were hosted on <strong>Mega<\/strong> and linked directly from Procolored\u2019s official support site. 
A total of 39 compromised files were discovered.<\/p>\n<p>SnipVex watched the clipboard for Bitcoin addresses and silently replaced each one it found with an address controlled by the attackers, so a victim who copied a payee\u2019s address and pasted it into a wallet sent the funds to the attackers instead. About 9.3 BTC, worth over $953,000, has been reported stolen. Blockchain security firm <strong>Slow Mist<\/strong> described the malware&#8217;s operation:<\/p>\n<p>\u201cThe official driver provided by this printer carries a backdoor program. It will hijack the wallet address in the user\u2019s clipboard and replace it with the attacker\u2019s address.\u201d<\/p>\n<p>G Data contacted Tiansheng, Procolored\u2019s parent company, which replied that it had removed the affected drivers and rescanned all files as of May 8, 2025. The company attributed the infection to USB transfers between systems before the files were uploaded online.<\/p>\n<p>Anyone who installed the affected software should scan their systems, and because XRedRAT gives an attacker remote control of the machine, the recommended remediation is a complete reinstall rather than antivirus clean-up alone. Anyone who copied and pasted a Bitcoin address while the software was present should also check their wallet history for payments that went to an unfamiliar address. Clean driver files are reportedly available but must be requested directly from Tiansheng\u2019s technical support.<\/p>\n<h2>Chinese Marketplaces and U.S. Fronts Fuel Southeast Asian Fraud Rings<\/h2>\n<p>The discovery of Bitcoin-stealing malware in Procolored\u2019s official printer drivers coincides with a broader wave of cybercrime originating in China and spreading throughout Southeast Asia.<\/p>\n<p>On May 18, blockchain firm <strong>Elliptic<\/strong> linked a Colorado-incorporated entity to a Chinese-language Telegram marketplace called <strong>Xinbi Guarantee<\/strong>, a platform used to facilitate large-scale crypto scams. Xinbi has processed over $8.4 billion in stablecoin transactions, primarily USDT, since its inception.<\/p>\n<p>This platform offers various illicit services ranging from money laundering and fake IDs to tech hardware and stolen personal data. 
It operates on a \u201cguarantee\u201d model in which vendors post deposits, which is what lets otherwise anonymous criminals trust one another on the platform.<\/p>\n<p>Xinbi was registered in the U.S. in 2022 under the name Xinbi Co. Ltd and was flagged as delinquent in early 2025 for failing to file necessary reports. Elliptic suggests that the group\u2019s crypto activities may also have ties to North Korean hackers.<\/p>\n<p>These operations reveal a growing underground economy fueled by stablecoins and an alarming rise in cyber fraud.<\/p>\n<p>Threats of this kind are hard for users to defend against, especially when the malware arrives in the software and drivers a hardware vendor tells them to install. The Procolored case shows why \u201conly download from official sources\u201d is not enough on its own: the infected archives were linked from the vendor\u2019s own support page. Scan installers before running them, treat unsigned driver packages with suspicion, and read a pasted Bitcoin address back in full against the one you copied before sending funds, since a clipper substitutes the address after it has been copied.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Key Takeaways: Procolored\u2019s official driver downloads contained XRedRAT (a remote access trojan) and SnipVex (a Bitcoin clipboard hijacker). The malware, linked from Procolored\u2019s own support site, swapped copied Bitcoin addresses to redirect funds to attackers, netting around 9.3 BTC. 
After public exposure, Procolored\u2019s parent company, Tiansheng, removed the infected files, blaming the breach on USB [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":108984,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23832],"tags":[],"class_list":["post-134078","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-finance"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts\/134078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/comments?post=134078"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts\/134078\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/media\/108984"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/media?parent=134078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/categories?post=134078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/tags?post=134078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
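The clipboard substitution the article describes (an address the user copied is replaced with the attacker's address before it is pasted) can be checked for without knowing anything about a particular malware family, because the swap only pays off when both the original and the replacement are checksum-valid Bitcoin addresses. The Python below is an added example written for this page; it is not code from G Data's analysis, from Procolored, or from SnipVex. It validates legacy Base58Check and bech32/bech32m addresses with the standard library only, models a clipper's substitution in a simplified, constructed form, and flags a copy/paste pair in which one valid address has turned into a different valid address. The two addresses used are well-known public examples (the Bitcoin genesis coinbase address and the BIP173 test vector), not addresses from this incident, and the witness-program length check of a full bech32 validator is omitted as a simplification.

```python
# Clipboard-address substitution ("clipper") detector. Added example written for
# this article, not code from SnipVex, Procolored or G Data; stdlib only.
import hashlib
import re

# Base58Check: legacy P2PKH ("1...") and P2SH ("3...") addresses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_decode(addr):
    """Return version byte + hash160 if the double-SHA256 checksum verifies, else None."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for a leading zero byte that the integer form drops.
    full = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(full) < 5:
        return None
    payload, checksum = full[:-4], full[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload

# bech32 / bech32m: native SegWit ("bc1...") addresses, BIP173 / BIP350.
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3

def bech32_polymod(values):
    generator = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= generator[i]
    return chk

def segwit_witness_version(addr):
    """Witness version (0-16) of a mainnet bech32/bech32m address whose checksum
    verifies, else None. Simplification: witness program length is not enforced."""
    if addr != addr.lower() and addr != addr.upper():
        return None  # mixed case is invalid under BIP173
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, data = addr[:sep], addr[sep + 1:]
    if hrp != "bc" or any(c not in BECH32_CHARSET for c in data):
        return None
    values = [BECH32_CHARSET.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const, version = bech32_polymod(hrp_expanded + values), values[0]
    if version == 0 and const == BECH32_CONST:
        return 0
    if 1 <= version <= 16 and const == BECH32M_CONST:
        return version
    return None

def btc_address_kind(text):
    """'p2pkh', 'p2sh', 'segwit', or None when the checksum does not verify."""
    payload = b58check_decode(text)
    if payload is not None and len(payload) == 21:
        return {0x00: "p2pkh", 0x05: "p2sh"}.get(payload[0])
    return "segwit" if segwit_witness_version(text) is not None else None

# A clipper in outline: constructed model of the technique, not SnipVex's code.
# Only checksum-valid addresses are swapped; an invalid one would never pay out.
ADDR_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,87})\b")

def clipper_substitute(clipboard_text, attacker_addr):
    """Replace every valid Bitcoin address in clipboard_text with attacker_addr."""
    return ADDR_RE.sub(
        lambda m: attacker_addr if btc_address_kind(m.group(0)) else m.group(0),
        clipboard_text)

def clipboard_swap_detected(copied, about_to_paste):
    """True when what the user copied and what the clipboard now holds are both
    valid Bitcoin addresses yet differ: a clipper's fingerprint. Typos or
    unrelated text do not fire, only a valid-for-valid substitution."""
    copied, about_to_paste = copied.strip(), about_to_paste.strip()
    if copied == about_to_paste:
        return False
    return btc_address_kind(copied) is not None and btc_address_kind(about_to_paste) is not None

# Well-known public example addresses for the constructed scenario; these are not
# addresses from the Procolored incident.
VICTIM_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"          # genesis coinbase, P2PKH
ATTACKER_ADDR = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"  # BIP173 example, P2WPKH

def simulate_attack():
    """Victim copies an address, the clipper rewrites the clipboard, the check fires."""
    tampered = clipper_substitute(VICTIM_ADDR, ATTACKER_ADDR)
    return {"copied": VICTIM_ADDR, "clipboard": tampered,
            "detected": clipboard_swap_detected(VICTIM_ADDR, tampered)}
```

In a real monitor the clipboard would be read by a platform hook or a polling loop (an assumption about deployment, not shown here) and the value the user last copied explicitly would be remembered; the comparison in `clipboard_swap_detected` is the part that matters. Validating the checksum rather than matching a regex alone is deliberate: a clipper must produce a valid address for its swap to succeed, so a valid-for-valid change is a much stronger signal than any change at all, and a user mistyping an address does not raise a false alarm.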