Proprietary · 2024-10-01 · 219 days · Backdoor, Credential Theft, File Infection

Procolored printer downloads served malware

Procolored printer software links led to infected Mega-hosted downloads for months. G DATA found XRed backdoor files and the SnipVex clipbanker/file infector.

Story

The Procolored case began with a hardware review. A reviewer plugged in vendor-supplied software media for a V11 Pro DTO UV printer and saw antivirus alerts. Procolored initially described the detections as false positives.

G DATA then checked Procolored's public software downloads. The vendor site linked six product download folders hosted on Mega, with files last updated around October 2024. Antivirus scanning found 39 infected files across the public download set.

The malware mix was messy, which matters. PrintExp.exe carried XRed, a Delphi backdoor with keylogging, screenshots, file operations, downloads, command shell access, and a bundled clean program resource. Other files carried SnipVex, a .NET clipbanker and prepending file infector that monitored drives for .exe files and replaced cryptocurrency addresses in the clipboard.

G DATA favored poor hygiene over a targeted implant: old malware, inactive C2, and file-infection spread through software preparation or distribution systems. Procolored removed the downloads around 2025-05-08, investigated, and later provided clean replacement packages for verification.

Affected Artifacts

v11 Pro DTO

procolored website download · procolored.com · Binary Archive
Observed: 2024-10-01 to 2025-05-08
Compromised Versions: Unknown
Fixed: Not listed
  • G DATA reported six Procolored product download folders on Mega; shared malware hashes remain at the attack level because not every hash is mapped to a product folder. Hackster's review is the primary first-hand account of the vendor-supplied USB media finding.

Incident Context

Motive: Financial Gain
Cause: Compromised Distribution
Transitive: Yes
User Impact: 1000

Indicators


External References

Source record: proprietary/procolor/meta.yaml