Procolored printers have been spreading malware for six months

Procolored accidentally distributed malware along with the official software for its printers for about six months. The threat affected devices shipping from the end of 2024 and could have harmed users who didn’t heed antivirus warnings.

Procolored specializes in UV, direct-to-garment (DTG) and film (DTF) printers. Its devices can cost up to $7,000 and are aimed primarily at small businesses.

How the infection was discovered and which viruses were involved

The first reports of infected drivers appeared on Reddit at the beginning of the year. However, the problem became widely publicized on May 13, 2025, when blogger Cameron Coward posted a review of a Procolored printer on Hackster.io. During the driver installation process, Windows Defender detected the Floxif virus in one of the archives and a malicious “worm” in another.

In response to Coward’s inquiry, Procolored’s support team said it was an antivirus error. The blogger then submitted the files to specialists, including Carsten Hahn of G DATA CyberDefense, for analysis. They found that 39 installation files from Procolored’s official Mega page contained the XRedRAT and SnipVex viruses.

XRedRAT is a known remote access malware. It lets an attacker view the screen, capture keystrokes, and browse the contents of the disk. However, in this case, it was inactive: its management (command-and-control) servers have been down since February 2024.

SnipVex turned out to be more dangerous. It is a previously unknown clipper virus that intercepts cryptocurrency transactions. It spreads via executable files and redirects transfers to a malicious Bitcoin address. Analysts found that 9.3 BTC (about $100,000) was transferred to this address. The last transaction took place on March 3, 2024.

Surprisingly, the Floxif virus was not detected in Procolored’s online distributions. Presumably Coward encountered it when installing the software from the USB drive that came with the printer.

Experts believe the infection occurred because of the company’s poor internal cybersecurity. Employees may have used the infected computers to prepare software, which spread the viruses.

There are no signs of a deliberate attack. The use of outdated malware and the fact that its remote servers were no longer active indicate the incident was accidental. On May 8, 2025, Procolored temporarily disabled the download page and launched an internal investigation. A few days later, the updated site was back up and running, and experts confirmed that the new archives were safe.

The incident nonetheless raises questions about the company’s reliability. For months, customers have been receiving infected software, and support has repeatedly offered to connect to users’ computers via remote access.

Antivirus products, including Windows Defender, recognize XRedRAT and Floxif, but SnipVex remains undetectable. To remove it, you must completely format the disk and reinstall the system. The infection may show no visible signs, but it continues to disrupt the PC.

Users who purchased Procolored devices after November 2024 are advised to check for exclusions in their antivirus. If Visual C++ or PrintExp is found among them, it may indicate the presence of a virus.
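One way to run the exclusion check described above on a PC protected by Microsoft Defender, as an added example that is not from the original article, Procolored or G DATA. The function name `Find-SuspectExclusion`, the two match patterns (derived from the names the article cites) and the sample entries are assumptions constructed for illustration.

```powershell
# Added example: flag Microsoft Defender exclusions that mention the names
# the article cites (Visual C++ / PrintExp). Run in an elevated PowerShell.
# The match patterns below are assumptions derived from those two names.
function Find-SuspectExclusion {
    param(
        # Defaults to the live Defender configuration; any object with the
        # same three properties can be passed in for offline checks.
        [object]$Preference = (Get-MpPreference),
        [string[]]$Pattern = @('PrintExp', 'Visual\s*C\+\+')
    )
    $kinds = 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension'
    foreach ($kind in $kinds) {
        foreach ($entry in @($Preference.$kind)) {
            if ([string]::IsNullOrWhiteSpace($entry)) { continue }
            # Non-admin sessions may get a placeholder instead of the list.
            if ($entry -like 'N/A:*') {
                Write-Warning "$kind is hidden; rerun as administrator."
                continue
            }
            # -match is case-insensitive, so "printexp" is caught as well.
            $hit = $Pattern | Where-Object { $entry -match $_ }
            [pscustomobject]@{
                Kind    = $kind
                Entry   = $entry
                Suspect = [bool]$hit
            }
        }
    }
}

# Constructed sample standing in for Get-MpPreference output (not real data).
$sample = [pscustomobject]@{
    ExclusionPath      = @('C:\Tools\build', 'C:\Program Files\PrintExp')
    ExclusionProcess   = @('Visual C++ Redistributable.exe')
    ExclusionExtension = @()
}
Find-SuspectExclusion -Preference $sample | Format-Table -AutoSize

# Live check on the local machine (requires Microsoft Defender):
# Find-SuspectExclusion | Where-Object Suspect
```

A flagged entry is only a lead: per the article, a match may indicate the presence of a virus, so follow it up with the cleanup steps described above.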

The story Procolored printers spent six months spreading malware was first published on ITZine.ru.
