Alert: Popular Printer Manufacturer’s Software Found With Malware


If you own a printer from China-based Procolored, watch out: the company's driver files are full of malware, including a Windows-based backdoor.

Karsten Hahn, a researcher at cybersecurity vendor G Data, reported the findings on Thursday. "A printer company provided infected printer software for half a year," he said.

Hahn began investigating after YouTuber Cameron Coward at Serial Hobbyism received a printer from Procolored, a provider of direct-to-film printers, which can be used for creating custom T-shirts. While testing the printer for a review, the built-in antivirus Windows Defender and Google's Chrome browser alerted him to malware threats on his PC.

His computer had been hit with Floxif, a powerful malware that can modify Windows executables and install other malicious code. It can also spread itself through connected USB drives. Coward's PC received the malware alert after he installed software from a ZIP folder on the "USB thumb drive Procolored supplied with the printer."

Even though Procolored, a firm based in Shenzhen, asserted that the malware warnings were merely false alarms, Coward posted a request on Reddit asking a third-party security researcher to verify the findings. Hahn from G Data started looking into it and followed the threat back to the printer driver files hosted on Procolored's website.


(Credit: Mega.nz/Procolored)

Interestingly, Procolored still hosts the printer driver files for six products on a third-party Mega.nz file-sharing account, which Hahn ran through an antivirus scan. The scan revealed that 39 files set off two types of malware alerts: one was linked to a cryptocurrency wallet stealer, while the second was identified as a Windows PC backdoor known as XRed.

Hahn believes that the malicious driver files have been in circulation for approximately six months, as the Mega.nz directory shows numerous file updates around that timeframe. During his probe, he found signs that these driver files were first altered on an infected system that had contracted several types of malware multiple times. This recurring contamination could be what led to Hahn's computer contracting the Floxif infection.

Procolored did not promptly reply to requests for comments. However, the firm informed Hahn that they believe the driver files might have been altered using an infected USB drive. “The software we uploaded onto our site was first moved via USB drives; thus, it’s plausible that a virus entered at that stage,” stated Procolored.

“As a precaution, all software has been temporarily removed from the Procolored official website,” the company added. “We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded. This is a top priority for us, and we are taking it very seriously.”

The statement further indicates that Procolored intends to inform customers about the incident and update their website once “all software has undergone comprehensive review and verified as secure.” Hahn mentions that he has obtained copies of the updated driver files and confirms that these seem to be free from issues.

Some might speculate that Procolored deliberately planted the malware. But in his blog post, Hahn wrote, "a far more plausible explanation points to the absence or failure of antivirus scanning on the systems used to compile and distribute the software packages." Moreover, the command-and-control server for the backdoor malware XRed appears to have been offline since February 2024, reducing the threat's severity.

Meanwhile, Hahn suggests that affected users may want to consider reinstalling the Windows operating system to completely eliminate the threat. He pointed out, "Some individuals may have overlooked antivirus alerts, believing the files were harmless. Doing so could result in the malware staying hidden."
