Cryptostealing Malware Found in Printer Software Highlights Growing Supply Chain Threat



A concerning cybersecurity incident has shed new light on the potential risks lurking in unexpected hardware—this time, printers. Users of certain devices from Procolored, a printer brand, may have unknowingly downloaded malware capable of stealing cryptocurrency such as Bitcoin (BTC), underscoring the growing threat of software supply chain attacks.

The malware was discovered after reports surfaced online, including from a tech content creator by the name of Cameron Coward who received an antivirus alert linked to Procolored printer software. Upon further investigation, cybersecurity researchers from G Data identified multiple forms of malicious code embedded in installation files made available on the manufacturer's website.

Among the threats detected were Win32.Backdoor.XRedRAT.A, a remote access tool that opens the door to system compromise, and MSIL.Trojan-Stealer.CoinStealer.H, a variant designed to siphon off cryptocurrency wallets or alter wallet addresses stored in the clipboard—diverting funds directly to attackers. According to Cybernews, these files were last updated in October 2024 and distributed through official channels, likely compromising users who trusted the downloads as legitimate.

Although the company initially denied wrongdoing and suggested antivirus programs had flagged false positives, the software downloads were quietly removed from its site around May 8, 2025. The company later acknowledged that malware may have been introduced during the transfer of files via USB, and promised to reinstate the downloads only after passing comprehensive security scans.

Analysis of one of the attackers’ known wallet addresses revealed it had accumulated 9.3 BTC—worth approximately $985,000—across 330 transactions before being emptied. The threat actor’s method relied on user trust in the device software, an increasingly common vector in hardware-based attacks.

Cybersecurity experts are advising users of affected products to run full antivirus scans and examine any security exceptions made for printer-related files. In cases of deeper infection, reformatting all drives and reinstalling the operating system is the most reliable way to ensure a clean system.
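The clipboard substitution described above can be checked for without knowing the attacker's wallet addresses: the clipboard changes from one address to a different one with no copy action in between. The following Python is an added example, not code from the original article or from G Data or Procolored; the clipboard log and the address strings are constructed, the address regex is a shape check only (no checksum validation), and the canary routine takes hypothetical read/write callbacks that you would wire to a clipboard library of your choice.

```python
import re
import time

# Shape check for the two common Bitcoin address formats (legacy
# Base58 starting with 1 or 3, and bech32 starting with bc1). This is a
# format test only; it does not verify the Base58Check/bech32 checksum.
_BTC_ADDRESS = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"
)

def looks_like_btc_address(text: str) -> bool:
    return bool(_BTC_ADDRESS.match(text.strip()))

def find_clipboard_swaps(samples, max_gap=2.0):
    """Scan (timestamp_seconds, clipboard_text) samples in order and return
    (old, new, seconds) triples where one BTC address was replaced by a
    different BTC address within max_gap seconds. A user who just copied
    an address has no reason to copy a second one that quickly, so this
    pattern is the signature of a clipper rewriting the clipboard."""
    swaps = []
    prev_t, prev_txt = None, None
    for t, txt in samples:
        txt = txt.strip()
        if (prev_txt is not None and looks_like_btc_address(prev_txt)
                and looks_like_btc_address(txt) and txt != prev_txt
                and t - prev_t <= max_gap):
            swaps.append((prev_txt, txt, round(t - prev_t, 3)))
        prev_t, prev_txt = t, txt
    return swaps

def canary_check(write_clipboard, read_clipboard, canary, wait=1.0):
    """Place a known address on the clipboard, wait, and read it back.
    Returns None if it is unchanged, otherwise the substituted content."""
    write_clipboard(canary)
    time.sleep(wait)
    after = read_clipboard()
    return None if after == canary else after

# Constructed clipboard log; the addresses are shape-valid but not real.
SAMPLE_CLIPBOARD_LOG = [
    (0.0, "meeting notes"),
    (1.0, "1CanaryUserAddrExampLeNotReaL2mQ9x"),   # user copies own address
    (1.3, "1AttackerSwapExampLeNotReaL7kP3vZ"),    # replaced 0.3 s later
    (9.0, "bc1qcanaryexampleadd2s3w4p5t6z7"),      # unrelated later copy
    (9.5, "bc1qcanaryexampleadd2s3w4p5t6z7"),      # same content, no swap
]

if __name__ == "__main__":
    for old, new, gap in find_clipboard_swaps(SAMPLE_CLIPBOARD_LOG):
        print(f"clipboard swap after {gap}s: {old} -> {new}")
```

On a real host, poll the clipboard on a short interval and feed the samples to `find_clipboard_swaps`, or run `canary_check` periodically; a positive result is a reason to quarantine the machine and proceed to the full scan and reinstall steps above.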

This incident highlights a critical and expanding risk: malware doesn’t just hide in email links or rogue apps—it can also arrive via devices we consider safe, bringing with it significant financial consequences.