Printer Company Caught Distributing Bitcoin-Stealing Malware

From now on, in order to protect your bitcoin (BTC) or other cryptoassets, you'll need not only to watch what you're clicking online, but also what printer you're buying

A printer company was caught distributing bitcoin (BTC)-stealing malware, researchers at G Data discovered.

First discovered by Cameron Coward, the YouTuber behind the channel Serial Hobbyism, and discussed on Reddit, the issue caught the attention of the cybersecurity firm.

Their Principal Malware Researcher, Karsten Hahn, said he discovered that the threat actor's address received 9.3 BTC ($985,000), potentially from users of printers made by Procolored. The address, which saw 330 transactions in total, is currently empty.

After the YouTuber received an antivirus alert about a USB-spreading malware and a Floxif infection, considered one of the most severe types of infection, Hahn checked downloads for six Procolored products.

Among the files, last updated in October 2024, he found Win32.Backdoor.XRedRAT.A, a backdoor, and MSIL.Trojan-Stealer.CoinStealer.H, a stealer that either exfiltrates cryptocurrency wallets or replaces addresses in the clipboard with the attackers’ address.

However, the researcher didn’t find Floxif in the download section.

Meanwhile, initially, Procolored denied that they were spreading the malware, providing various explanations as to why antivirus programs might misidentify their software as false positives.

"Nevertheless, they took down the software downloads from their website, which we noticed around the 8th of May 2025, and started an internal investigation," Hahn said, suggesting that a plausible explanation is the absence or failure of antivirus scanning on the systems used to compile and distribute the software packages.

In a response to the researcher, the company suggested that the virus was injected during the process of transferring the software from USB drives to their website. The company also claims that the software will be re-uploaded "only after passing stringent virus and security checks."

In the meantime, Hahn recommends Procolored product users check whether any antivirus exclusions have been set for the printer software files, as people might have dismissed antivirus warnings.

"The safest remedy for an infection with file infectors is reformatting all drives and reinstalling the operating system," the researcher said, adding that despite transactions to the BTC address stopping on March 3rd, 2024, the file infection itself still damages systems.