A newly discovered Android remote access trojan called Mirax has been observed actively targeting Spanish-speaking countries, with campaigns reaching more than 220,000 accounts on Facebook, Instagram, Messenger, and Threads through advertisements on Meta.
“Mirax integrates advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real time,” Italian online fraud prevention firm Cleafy said.
“Beyond traditional RAT behavior, Mirax enhances its operational value by turning infected devices into residential proxy nodes. Leveraging SOCKS5 protocol support and Yamux multiplexing, it establishes persistent proxy channels that allow attackers to route their traffic through the victim’s real IP address.”
Details of Mirax first emerged last month when Outpost24’s KrakenLabs revealed that a threat actor going by the name “Mirax Bot” has been advertising a private malware-as-a-service (MaaS) offering on underground forums for $2,500 for a three-month subscription. Also available, for $1,750 per month, is a lightweight variant that strips out certain features such as the proxy and the ability to bypass Google Play Protect using a crypter.
Like other Android malware, Mirax can capture keystrokes, steal photos, harvest lock screen details, run commands, navigate the user interface, and monitor user activity on the compromised device. It can also dynamically fetch HTML overlay pages from a command-and-control (C2) server to be rendered over legitimate applications for credential theft.
The incorporation of a SOCKS proxy, on the other hand, is a relatively uncommon feature that sets it apart from typical RAT behavior. The proxy botnet offers several advantages: because the attacker’s traffic leaves from the victim’s own residential IP address, it allows threat actors to get around geolocation-based restrictions, evade fraud detection systems that score datacenter and VPN addresses, and conduct account takeovers or transaction fraud under the cover of increased anonymity and legitimacy.
“Unlike typical MaaS offerings, Mirax is distributed through a highly controlled and exclusive model, limited to a small number of affiliates,” researchers Alberto Giust, Alessandro Strino, and Federico Valentini said. “Access appears to be prioritized for Russian-speaking actors with established reputations in underground communities, indicating a deliberate effort to maintain operational security and campaign effectiveness.”
Attack chains distributing the malware use Meta ads to promote dropper app web pages, tricking unsuspecting users into downloading them. As many as six ads have been observed actively advertising a streaming service with free access to live sports and movies. Of these, five ads are directed at users in Spain. One of the ads, which started running on April 6, 2026, has a reach of 190,987 accounts.

The dropper app URLs implement a number of checks to ensure that they are accessed from mobile devices and to prevent automated scanners from revealing their true colors. The names of the malicious apps are listed below –
- StreamTV (org.lgvvfj.pluscqpuj or org.dawme.secure5ny) – Dropper app
- Reproductor de video (org.yjeiwd.plusdc71 or org.azgaw.managergst1d) – Mirax
A notable aspect of the campaign is the use of GitHub to host the malicious dropper APK files. In addition, the builder panel offers a choice between two crypters – Virbox and Golden Crypt (aka Golden Encryption) – for enhanced APK protection.
Once installed, the dropper instructs users to allow installation from unknown sources so that the malware can be deployed. The process of extracting the final payload is a “sophisticated, multi-stage operation” designed to sidestep security analysis and automated sandboxing tools.
The malware, once installed on the device, masquerades as a video playback app and prompts the victim to enable accessibility services, which allows it to run in the background, display a fake error message stating that the installation was unsuccessful, and serve bogus overlays to conceal its malicious actions.
It also establishes several bidirectional C2 channels for tasking and data exfiltration –
- WebSocket on port 8443, to manage remote access and execute remote commands.
- WebSocket on port 8444, to manage remote streaming and data exfiltration.
- WebSocket on port 8445 (or a custom port), to set up the residential proxy using SOCKS5.
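The proxy channel on port 8445 combines two public protocols, Yamux stream multiplexing and SOCKS5, so knowing their wire formats lets an analyst pull the real destinations out of a captured session. The following Python is an added example, not code from Cleafy or from Mirax itself: it builds a small constructed client-to-device capture in which an operator’s SOCKS5 client opens two streams through one Yamux-multiplexed connection, then decodes it back to the destinations the victim’s phone would be asked to connect to. The hosts, ports, stream IDs, and the assumption that Mirax uses unmodified Yamux framing with an unauthenticated SOCKS5 handshake are illustrative; the report does not publish those details.

```python
"""Decode a Yamux-multiplexed SOCKS5 proxy session of the kind a residential-proxy
channel carries. Added example; not Cleafy's or Mirax's code. Sample data is constructed."""
import struct
import ipaddress

# Yamux frame header (HashiCorp yamux spec): version(1) type(1) flags(2) streamID(4) length(4), big-endian.
YAMUX_HDR = struct.Struct("!BBHII")
YAMUX_TYPE = {0: "DATA", 1: "WINDOW_UPDATE", 2: "PING", 3: "GO_AWAY"}
YAMUX_FLAG = {0x1: "SYN", 0x2: "ACK", 0x4: "FIN", 0x8: "RST"}
SOCKS_CMD = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def yamux_frame(ftype, flags, stream_id, payload=b"", length=None):
    """Encode one Yamux frame. Only DATA frames carry a body; for the other types
    the length field is a window delta, ping value or Go Away error code."""
    if length is None:
        length = len(payload) if ftype == 0 else 0
    return YAMUX_HDR.pack(0, ftype, flags, stream_id, length) + (payload if ftype == 0 else b"")


def parse_yamux(buf):
    """Split a byte stream into Yamux frames; raises ValueError on anything that is not Yamux."""
    frames, off = [], 0
    while off < len(buf):
        if off + YAMUX_HDR.size > len(buf):
            raise ValueError("truncated Yamux header")
        ver, ftype, flags, sid, length = YAMUX_HDR.unpack_from(buf, off)
        off += YAMUX_HDR.size
        if ver != 0 or ftype not in YAMUX_TYPE:
            raise ValueError("not a Yamux frame at offset %d" % (off - YAMUX_HDR.size))
        payload = b""
        if ftype == 0:  # DATA: 'length' bytes of stream payload follow the header
            payload = buf[off:off + length]
            if len(payload) != length:
                raise ValueError("truncated Yamux DATA frame")
            off += length
        frames.append({"type": YAMUX_TYPE[ftype], "stream": sid, "length": length,
                       "flags": [n for b, n in YAMUX_FLAG.items() if flags & b],
                       "payload": payload})
    return frames


def socks5_connect(host, port):
    """Encode a SOCKS5 CONNECT request (RFC 1928 section 4); ATYP is chosen from the host form."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (1 if ip.version == 4 else 4), ip.packed
    except ValueError:
        name = host.encode("idna")
        atyp, addr = 3, bytes([len(name)]) + name
    return bytes([5, 1, 0, atyp]) + addr + struct.pack("!H", port)


def parse_socks5_client(data):
    """Parse the client half of a SOCKS5 stream: method greeting, then one request.
    Returns (offered_auth_methods, command, host, port)."""
    if len(data) < 2 or data[0] != 5:
        raise ValueError("not SOCKS5")
    nmethods = data[1]
    methods = list(data[2:2 + nmethods])
    off = 2 + nmethods
    if len(data) < off + 4 or data[off] != 5 or data[off + 2] != 0:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = data[off + 1], data[off + 3]
    off += 4
    if atyp == 1:
        host, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == 4:
        host, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    elif atyp == 3:
        n = data[off]
        host, off = data[off + 1:off + 1 + n].decode("idna"), off + 1 + n
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    if len(data) < off + 2:
        raise ValueError("truncated port")
    return methods, SOCKS_CMD.get(cmd, "cmd%d" % cmd), host, struct.unpack_from("!H", data, off)[0]


def proxy_destinations(buf):
    """Reassemble each Yamux stream's client data and extract the SOCKS5 destination.
    Returns {stream_id: (command, host, port)}."""
    streams = {}
    for f in parse_yamux(buf):
        if f["type"] == "DATA":
            streams[f["stream"]] = streams.get(f["stream"], b"") + f["payload"]
    return {sid: parse_socks5_client(data)[1:] for sid, data in sorted(streams.items())}


# Constructed sample (operator -> device direction only): the operator's proxy client opens two
# streams over one multiplexed connection and sends a keepalive. Hosts, ports and IDs are invented.
SAMPLE = b"".join([
    yamux_frame(0, 0x1, 1, b"\x05\x01\x00"),                        # stream 1: SYN + greeting (no-auth only)
    yamux_frame(0, 0x0, 1, socks5_connect("login.example", 443)),   # stream 1: CONNECT by domain name
    yamux_frame(2, 0x1, 0, length=42),                              # PING keepalive on stream 0
    yamux_frame(0, 0x1, 3, b"\x05\x01\x00" + socks5_connect("203.0.113.10", 80)),  # stream 3: all in one frame
])

if __name__ == "__main__":
    for sid, (cmd, host, port) in proxy_destinations(SAMPLE).items():
        print("stream %d: %s %s:%d" % (sid, cmd, host, port))
```

Both formats are published (Yamux in HashiCorp’s spec, SOCKS5 in RFC 1928), so the decoder also handles the non-DATA frame types a real session carries, such as window updates and Go Away, and rejects anything that is not version-0 Yamux rather than guessing. On a real device these frames would sit inside the WebSocket channel, so a capture has to be taken after the WebSocket framing (and any TLS) has been stripped.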
“This convergence of RAT and proxy capabilities reflects a broader shift in the threat landscape,” Cleafy said. “While residential proxy abuse has historically been associated with compromised IoT devices and low-cost Android hardware such as smart TVs, Mirax marks a new phase by embedding this functionality within a full-featured banking trojan.”
“This approach not only increases the monetization potential of each infection but also expands the operational scope of attackers, who can now leverage compromised devices for both direct financial fraud and as infrastructure for wider cybercriminal activities.”
The disclosure comes as Breakglass Intelligence detailed an Arabic-language Android RAT called ASO RAT that is distributed via apps disguised as PDF readers and Syrian government applications.
“The platform provides full device compromise capabilities – SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS launching from victim devices,” the company said. “A multi-user panel with role-based access control suggests this operates as a RAT-as-a-Service or supports a multi-operator team.”
It is currently not known what the exact end goals of the campaign are, but the Syria-themed lures for the apps (e.g., SyriaDefenseMap and GovLens) suggest that it may be targeting individuals with an interest in Syrian military or governance matters as part of what is suspected to be a surveillance operation.