Mirax RAT
A newly identified Android remote access trojan, Mirax, is actively targeting Spanish-speaking regions through large-scale social media campaigns. Threat actors have leveraged advertisements on platforms such as Facebook, Instagram, Messenger, and Threads, reaching over 220,000 accounts. This widespread exposure highlights a calculated effort to exploit trusted advertising ecosystems for malware distribution.
Advanced Remote Control Capabilities
Mirax operates as a highly capable Remote Access Trojan (RAT), granting attackers full, real-time control over compromised devices. Its functionality extends beyond standard RAT operations, enabling surveillance and interaction with infected systems at a granular level. Capabilities include keystroke logging, photo exfiltration, lock screen data collection, command execution, interface navigation, and continuous monitoring of user activity.
Additionally, the malware can retrieve and display dynamic HTML overlays from its Command-and-Control (C2) infrastructure, facilitating credential harvesting through deceptive interfaces.
Turning Victims into Proxy Infrastructure
A defining characteristic of Mirax is its ability to convert infected devices into residential proxy nodes. By incorporating SOCKS5 protocol support alongside Yamux multiplexing, the malware establishes persistent proxy channels that route attacker traffic through legitimate user IP addresses. This functionality enables adversaries to bypass geolocation restrictions, evade fraud detection mechanisms, and conduct malicious activities such as account takeovers with enhanced anonymity and credibility.
Malware-as-a-Service with Exclusive Access
Mirax is marketed as a Malware-as-a-Service (MaaS) offering under the name 'Mirax Bot.' Access to the full-featured version is priced at $2,500 for a three-month subscription. At the same time, a reduced variant is available for $1,750 per month, lacking features such as proxy functionality and Google Play Protect bypass capabilities. Unlike typical MaaS platforms, distribution is tightly controlled and restricted to a limited group of affiliates, primarily Russian-speaking actors with established reputations in underground forums. This exclusivity suggests a deliberate focus on operational security and sustained campaign effectiveness.
Social Engineering Through Malicious Advertising
The infection chain relies heavily on deceptive advertising campaigns hosted on Meta platforms. These advertisements promote fraudulent streaming services offering free access to live sports and movies, enticing users to download malicious applications. Multiple ads have been identified, with a strong focus on users in Spain. One campaign alone, launched on April 6, 2026, reached nearly 191,000 users, demonstrating the scale and effectiveness of this distribution strategy.
Sophisticated Delivery and Evasion Techniques
Mirax employs a multi-stage infection process designed to evade detection and analysis. Dropper applications are distributed via web pages that enforce strict access checks, ensuring only mobile users can proceed while blocking automated security scans. The malicious APK files are hosted on GitHub, further blending into legitimate infrastructure.
Once executed, the dropper prompts users to enable installation from unknown sources, initiating a complex payload extraction process engineered to bypass sandboxing and security tools. The malware then disguises itself as a video playback application and requests accessibility service permissions, granting it extensive control over device operations while running silently in the background. A fake installation failure message is displayed to mislead users, while malicious overlays conceal ongoing activity.
The campaign has utilized several deceptive application identities:
- StreamTV (org.lgvvfj.pluscqpuj or org.dawme.secure5ny) – functioning as the dropper
- Reproductor de video (org.yjeiwd.plusdc71 or org.azgaw.managergst1d) – delivering the Mirax payload
Command-and-Control Architecture and Communication Channels
Mirax establishes multiple bidirectional communication channels with its C2 servers, enabling efficient task execution and data exfiltration. Distinct WebSocket connections are used for different operational purposes:
- Port 8443 handles remote access management and command execution.
- Port 8444 supports remote streaming and data exfiltration.
- Port 8445 (or custom ports) facilitates SOCKS5-based residential proxy operations.
This segmented architecture enhances reliability and operational flexibility while complicating detection efforts.
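As an added illustration (not code from the original report), a small triage script that runs over constructed `pm list packages` and connection-table output: it flags the four package identifiers named above and, because those identifiers are rotated between campaigns, also flags any other installed app holding sessions to a single host on two or more of the documented channel ports. The IP addresses and the package names other than the four listed are constructed placeholders.

```python
import re

# Package identifiers named in the write-up, mapped to the app identity they used.
KNOWN_MIRAX_PACKAGES = {
    "org.lgvvfj.pluscqpuj": "StreamTV dropper",
    "org.dawme.secure5ny": "StreamTV dropper",
    "org.yjeiwd.plusdc71": "Reproductor de video payload",
    "org.azgaw.managergst1d": "Reproductor de video payload",
}
# C2 channel ports described in the write-up.
C2_PORTS = {8443: "remote access", 8444: "streaming/exfiltration", 8445: "SOCKS5 proxy"}

# Connection lines are assumed to look like: "<package> tcp <ip>:<port> ESTABLISHED"
CONN_RE = re.compile(r"^(\S+)\s+tcp\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+ESTABLISHED$")

# Constructed sample input (not real telemetry): package list and connection table.
PM_LIST = """package:com.android.chrome
package:org.yjeiwd.plusdc71
package:org.example.player1
package:com.example.notes
"""
CONNECTIONS = """org.yjeiwd.plusdc71 tcp 203.0.113.10:8443 ESTABLISHED
org.yjeiwd.plusdc71 tcp 203.0.113.10:8444 ESTABLISHED
org.example.player1 tcp 203.0.113.10:8443 ESTABLISHED
org.example.player1 tcp 203.0.113.10:8445 ESTABLISHED
com.android.chrome tcp 93.184.216.34:443 ESTABLISHED
com.example.notes tcp 198.51.100.5:8443 ESTABLISHED
"""


def triage(pm_output: str, conn_output: str) -> dict:
    """Return {package: (verdict, reason)} for installed packages worth a closer look."""
    installed = {ln.split(":", 1)[1].strip() for ln in pm_output.splitlines() if ln.startswith("package:")}
    ports_by_pkg = {}  # package -> remote host -> set of documented C2 ports in use
    for line in conn_output.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        pkg, host, port = m.group(1), m.group(2), int(m.group(3))
        if port in C2_PORTS:
            ports_by_pkg.setdefault(pkg, {}).setdefault(host, set()).add(port)
    findings = {}
    for pkg in installed:
        if pkg in KNOWN_MIRAX_PACKAGES:
            findings[pkg] = ("known-mirax", KNOWN_MIRAX_PACKAGES[pkg])
            continue
        # A single 8443 session is common for legitimate HTTPS; two or more
        # documented channel ports to one host is the segmented pattern worth flagging.
        for host, ports in ports_by_pkg.get(pkg, {}).items():
            if len(ports) >= 2:
                roles = ", ".join(f"{p} ({C2_PORTS[p]})" for p in sorted(ports))
                findings[pkg] = ("suspicious-c2-pattern", f"{host}: {roles}")
    return findings
```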
A New Phase in Cybercriminal Operations
The integration of RAT and residential proxy capabilities signals a significant evolution in mobile threat design. Historically, proxy botnets were associated with compromised IoT devices or low-cost Android hardware such as smart TVs. Mirax represents a shift toward embedding these capabilities within full-featured banking trojans, dramatically increasing both the value of each infection and the versatility of attacker operations.
By combining financial fraud mechanisms with proxy infrastructure, Mirax enables threat actors to simultaneously exploit victims directly and leverage their devices as assets in broader cybercriminal ecosystems.