Printer Company Distributes Malicious Drivers Infected with XRed Malware

Procolored, a printer manufacturing company, has been found distributing software drivers infected with malicious code, including the notorious XRed backdoor malware.

The issue came to light when Cameron Coward, a YouTuber behind the channel Serial Hobbyism, attempted to review a $6,000 UV printer and encountered antivirus alerts upon plugging in a USB drive containing the printer software.

The alerts flagged a USB-spreading worm and a Floxif infection, a severe file infector known for attaching itself to Portable Executable files and spreading across network shares and removable drives.

This incident prompted an in-depth investigation into Procolored’s publicly available software downloads, hosted on mega.nz for six printer models, revealing a widespread malware distribution affecting 39 files, 20 of which had unique hashes.

Uncovering a Serious Security Breach

A detailed analysis of the infected files identified two primary threats: Win32.Backdoor.XRedRAT.A, a Delphi-based backdoor previously documented by eSentire in February 2024, and MSIL.Trojan-Stealer.CoinStealer.H, a .NET-based clipbanker dubbed SnipVex.

Figure: Malcat shows XRed version 106 in the RCDATA/EXEVSNX resource

The XRed backdoor, present in files like PrintExp.exe (SHA256: 531d08606455898408672d88513b8a1ac284fdf1fe011019770801b7b46d5434), facilitates keylogging, file downloads, screenshots, and remote command execution via a cmd.exe shell.

Interestingly, its command-and-control servers have been offline since early 2024, limiting active remote exploitation risks.

However, the SnipVex virus, a prepending file infector, poses a persistent threat by targeting .exe files across logical drives, replacing Bitcoin addresses in the clipboard to divert transactions to the attacker’s wallet, which blockchain records show accumulated approximately $100,000.

SnipVex’s infection mechanism includes an infection marker (0x0A 0x0B 0x0C) to prevent superinfection and avoids system directories like %TEMP%, but its presence in legitimate software bundles suggests negligence in Procolored’s build or distribution systems, likely due to absent or failed antivirus scanning.
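The clipbanker behaviour described above can be checked for from the defender's side. The following is an added example, not code from the report or from Procolored: it validates Base58Check (legacy) Bitcoin addresses, then replays a constructed clipboard timeline in which a user-copied address is later found replaced by the wallet listed in this article's IoC table. The event list and the use of the Bitcoin genesis address as the "legitimate" address are assumptions made for the demonstration.

```python
import hashlib
import re

# Attacker wallet listed in the article's IoC table.
SNIPVEX_WALLET = "1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj"
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58 addresses: prefix '1' or '3', 26-35 characters in total.
ADDRESS_RE = re.compile(r"\b[13][" + B58 + r"]{25,34}\b")


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose double-SHA256 checksum matches."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    if n.bit_length() > 200:  # 25 bytes = version + hash160 + 4-byte checksum
        return False
    raw = n.to_bytes(25, "big")  # leading '1's become leading zero bytes
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def find_address(text: str):
    """Return the first address-shaped token in text, or None."""
    m = ADDRESS_RE.search(text)
    return m.group(0) if m else None


def detect_clipboard_swaps(events):
    """events: (kind, text) pairs; 'copy' is a user copy action, 'observe' a
    later clipboard read. Flags a read whose address differs from the copy."""
    alerts, copied_addr = [], None
    for kind, text in events:
        addr = find_address(text)
        if kind == "copy":
            copied_addr = addr
        elif kind == "observe" and copied_addr and addr != copied_addr:
            alerts.append({
                "expected": copied_addr,
                "found": addr,
                "known_ioc": addr == SNIPVEX_WALLET,
                "checksum_ok": addr is not None and b58check_valid(addr),
            })
    return alerts


# Constructed clipboard timeline (not from the report): the user copies the
# Bitcoin genesis address; a later read shows the attacker's wallet instead.
CLIPBOARD_EVENTS = [
    ("copy", "pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa please"),
    ("observe", "pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa please"),
    ("observe", SNIPVEX_WALLET),
    ("copy", "meeting notes"),
    ("observe", "meeting notes"),
]
```

A real monitor would feed `detect_clipboard_swaps` from the platform clipboard API; the checksum field separates a genuine address substitution from clipboard noise.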

Malware Details and Potential Impact

Procolored initially dismissed the antivirus alerts as false positives but removed the downloads from their website around May 8, 2025, after persistent concerns.

Upon being provided with detailed malware analysis, the company acknowledged the possibility of infection during USB-based software transfers and committed to rigorous security checks before re-uploading files.

Figure: Procolored.com website

They have since provided clean software packages to affected users and issued guidance for customers to revoke any antivirus exclusions set for their software.

For those potentially infected, experts recommend a full system reformat and OS reinstallation due to the irreversible damage caused by file infectors like SnipVex, though original files may be recoverable by truncating the virus payload in non-superinfected instances.

According to the report, this case underscores the critical need for robust security practices in software distribution, especially for hardware vendors whose products are trusted by consumers.

While speculation about intentional malware planting exists, the outdated nature of XRed and the inactive C2 infrastructure suggest accidental contamination over malice.

Procolored’s ongoing efforts to remediate the issue are a step forward, but the incident serves as a cautionary tale for users to remain vigilant about software sources, even from official vendors.

Indicators of Compromise (IoCs)

| Malware | Type | Identifier |
| --- | --- | --- |
| XRed Backdoor | SHA256 | 531d08606455898408672d88513b8a1ac284fdf1fe011019770801b7b46d5434 |
| SnipVex Virus | SHA256 | 39df537aaefb0aa31019d053a61fabf93ba5f8f3934ad0d543cde6db1e8b35d1 |
| SnipVex | BTC Wallet Address | 1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj |
| SnipVex | Run Keys Registry Path | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ScdBcd, ClpBtcn |
