Bitcoin stealer malware found in official printer drivers

Chinese printer manufacturer Procolored, based in Shenzhen, was found to have distributed official printer drivers infected with Bitcoin-stealing malware for at least six months.

This malware hijacked users’ clipboard contents to replace cryptocurrency wallet addresses with those controlled by attackers, resulting in the theft of approximately 9.3 BTC, worth over $950,000.

The infection was discovered when YouTuber Cameron Coward, while testing a Procolored UV printer, encountered antivirus alerts detecting a worm and trojan (named Foxif) embedded in the drivers supplied on a USB drive.

Subsequent investigation by cybersecurity firm G Data confirmed the presence of two distinct malware strains in the drivers: a backdoor remote access trojan (Win32.Backdoor.XRedRAT.A) and a crypto-stealer that altered clipboard data to hijack Bitcoin transactions.

Procolored initially denied the claims, attributing antivirus detections to false positives, but later admitted that the malware was introduced via infected USB drives used during software uploads.

The compromised drivers were hosted on Mega.nz cloud storage and made available globally until they were removed on May 8, 2025. Procolored has since conducted thorough malware scans, removed infected files, and released clean software versions.

Users who downloaded Procolored drivers in the past six months are strongly advised to perform a full system antivirus scan, replace the old drivers with the clean versions, and consider a full system reset to ensure malware remnants are removed. A reset is worth considering because the clipboard hijacker modifies executable files and can cause persistent infections.
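The clipboard substitution described above works because a swapped-in attacker address still looks like a normal wallet address, so the user pastes it without noticing. The following is an added example, not code from the original post or from Procolored or G Data: a small defender-side check that remembers the address the user copied and flags a paste whose clipboard contents have silently changed into a different, well-formed legacy Bitcoin address. The clipboard events are simulated with plain strings so it runs offline; both addresses are publicly known sample addresses (the genesis-block address and the Bitcoin wiki example), not addresses from this incident.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: publicly known example addresses, not tied to this incident.
USER_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"      # genesis-block address
SWAPPED_ADDRESS = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"   # Bitcoin wiki example address

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(text: str) -> bytes:
    """Decode a Base58 string to bytes, preserving leading '1' characters as 0x00 bytes."""
    value = 0
    for ch in text:
        digit = BASE58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"invalid base58 character: {ch!r}")
        value = value * 58 + digit
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + raw


def is_valid_legacy_btc_address(addr: str) -> bool:
    """Check a legacy (Base58Check) Bitcoin address: version byte + 20-byte hash + 4-byte checksum."""
    try:
        decoded = base58_decode(addr)
    except ValueError:
        return False
    if len(decoded) != 25:
        return False
    payload, checksum = decoded[:21], decoded[21:]
    if payload[0] not in (0x00, 0x05):          # P2PKH or P2SH mainnet version bytes
        return False
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


@dataclass
class ClipboardGuard:
    """Remembers what the user copied and classifies the clipboard state just before a paste."""
    expected: Optional[str] = None

    def on_copy(self, text: str) -> None:
        # Hypothetical hook: called when the user deliberately copies something.
        self.expected = text.strip()

    def check_before_paste(self, clipboard_text: str) -> str:
        # Hypothetical hook: called with the live clipboard contents right before pasting.
        current = clipboard_text.strip()
        if self.expected is None:
            return "no-baseline"
        if current == self.expected:
            return "ok"
        # The user copied a valid address and the clipboard now holds a *different* valid
        # address they never copied: the signature of a clipboard-hijacking stealer.
        if is_valid_legacy_btc_address(self.expected) and is_valid_legacy_btc_address(current):
            return "substituted"
        return "changed"


def simulate_swap() -> str:
    """Constructed scenario: user copies their address, malware replaces it before the paste."""
    guard = ClipboardGuard()
    guard.on_copy(USER_ADDRESS)
    return guard.check_before_paste(SWAPPED_ADDRESS)


if __name__ == "__main__":
    print("valid user address:", is_valid_legacy_btc_address(USER_ADDRESS))
    print("paste check after simulated swap:", simulate_swap())
```

The checksum validation is what separates a genuine substitution from ordinary clipboard churn: a stealer must hand the victim a well-formed address or the wallet software would reject it, so a valid address that differs from the one the user copied is the condition worth alerting on. In a real integration the two hooks would be wired to the platform's clipboard events, which this example deliberately leaves out.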

This incident highlights a significant supply chain attack affecting hardware drivers, emphasizing the need for vigilance even with official software sources.

It's me, @justmythoughts, an ordinary Hive user looking to make the most of the platform. I will appreciate your support. Follow me for more. Thanks, Gracias :)

0.00988129 BEE
3 comments

Another reason to be running Linux and not Windows. Still, that's a pretty sneaky and clever way to steal a million bucks worth of BTC!

0.00043226 BEE

Hmm, I don't have any experience with Linux.

0.00015393 BEE

Linux Mint is a good version for someone new. Their Discord is useful and friendly too. Only 1% of people use Linux so hackers don't waste their time. It's harder to hack too. I've used it for over twenty years and never had any problems except it not running Photoshop or some games and won't work with some printers.

0.00000000 BEE

My question is:

How were the official drivers infected with malware?

It is not normal for official company drivers to be affected by malware and be distributed using Mega.nz.

0.00019571 BEE