
In a cautionary tale of supply-chain mishaps and neglected digital hygiene, a review of a $6,000 UV printer turned into a malware investigation after tech YouTuber Cameron Coward (of Serial Hobbyism) discovered malicious payloads embedded in the software provided by the printer's manufacturer, Procolored.
What started as a suspicious antivirus alert led to a deep dive by Karsten Hahn, Principal Malware Researcher at G DATA, who found not one but several strains of malware inside the official software downloads, including a Delphi backdoor and a previously undocumented clipbanker virus.
- XRedRAT Backdoor: A Delphi-based malware dating back to at least 2019, with capabilities including keylogging, remote shell access, file deletion, and directory listing.
- SnipVex (New Virus): A .NET-based clipbanker designed to replace Bitcoin addresses in the clipboard, while also infecting .exe files with a simple prepending technique.
The saga began when Coward plugged in a USB stick from Procolored, prompting antivirus warnings about a USB-spreading worm and a Floxif infection. Although Procolored initially dismissed the alerts as false positives, Coward turned to Reddit, where Hahn stepped in to analyze the files.
Upon investigating Procolored’s download section, Hahn reported: “An antivirus scan reveals signature matches for 39 files, 20 of them with unique hashes,” with detections including Win32.Backdoor.XRedRAT.A and MSIL.Trojan-Stealer.CoinStealer.H.
While the clipbanker code was laughably simple—just eight lines—its behavior was anything but. Hahn named the virus SnipVex, noting: “This clipbanker is a virus that infects .exe files… It monitors changes in .exe files across all logical drives and avoids reinfection with a marker sequence: 0x0A 0x0B 0x0C.”
The infected PrintExp.exe file even contained two payloads:
- The XRed backdoor, which executed first.
- The SnipVex virus, prepended and injected stealthily.
This dual infection, or superinfection, was likely the result of malware propagation on a poorly secured developer or build system.
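As an added illustration (not code from G DATA, Hahn or Procolored), the Python heuristic below targets the prepending technique described above: a prepending infector writes its own body first and appends the original host program, so an infected file carries a second complete PE header. The PE-shaped sample blobs are constructed here for offline testing and are not real executables.

```python
import struct

# Minimal PE layout used by the check: "MZ" at offset 0, the 32-bit e_lfanew
# field at 0x3C, and the "PE\0\0" signature at e_lfanew.
MZ = b"MZ"
PE_SIG = b"PE\0\0"


def pe_header_at(data: bytes, off: int) -> bool:
    """True if a plausible DOS + PE header pair starts at offset `off`."""
    if data[off:off + 2] != MZ or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    # Sanity-bound e_lfanew so random "MZ" bytes in data are not mistaken for a header.
    return 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == PE_SIG


def find_embedded_pe(data: bytes) -> list:
    """Offsets (> 0) at which a second, complete PE image begins inside the file.
    A clean executable has exactly one header; a prepend-infected one has at
    least two, because the original host follows the infector's body."""
    hits, start = [], 1
    while (pos := data.find(MZ, start)) != -1:
        if pe_header_at(data, pos):
            hits.append(pos)
        start = pos + 1
    return hits


def looks_prepend_infected(data: bytes) -> bool:
    """Structural signal only: valid outer PE plus another full PE image inside."""
    return pe_header_at(data, 0) and bool(find_embedded_pe(data))


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed, minimal PE-shaped blob for testing (not a runnable executable)."""
    hdr = bytearray(0x40)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points just past the DOS header
    return bytes(hdr) + PE_SIG + payload


# Constructed samples: a clean host, an infector stub, and the prepended result.
HOST = make_fake_pe(b"host program code")
INFECTOR = make_fake_pe(b"infector stub")
INFECTED = INFECTOR + HOST

if __name__ == "__main__":
    for name, blob in (("HOST", HOST), ("INFECTED", INFECTED)):
        print(name, looks_prepend_infected(blob), find_embedded_pe(blob))
```

The 0x0A 0x0B 0x0C reinfection marker Hahn mentions would be a second indicator, but this page does not say where in the file it sits, so the check above relies on the structural signal alone.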
The SnipVex campaign had a financial motive. Hahn traced the attacker's wallet, which had accumulated approximately 9.3 BTC (about $100,000 USD) before transactions stopped on March 3, 2024.
After public pressure, Procolored removed the infected downloads and issued a statement acknowledging: “It is possible that a virus was introduced during [USB] transfer… We are conducting a comprehensive malware scan and will only re-upload software after security checks.”
G DATA confirmed that the company’s new software packages are now clean.
Hahn urged affected users to:
- Check antivirus exclusions that may have allowed malware to slip through.
- Reformat infected systems, particularly due to the file-damaging nature of SnipVex and the systemic risk of superinfections.
- Avoid dismissing AV alerts even when software comes from “trusted” vendors.
“The safest remedy for an infection with file infectors is reformatting of all drives and reinstallation of the operating system,” Hahn emphasized.