A newly identified remote access trojan (RAT), known as Mirax, is posing a significant threat to Android users throughout Europe, according to a recent warning from the fraud management company Cleafy.
Emergence and Distribution of Mirax
First appearing on underground forums in December 2025, Mirax has been actively used in multiple malicious campaigns since March. Offered as malware-as-a-service (MaaS) to a select group of affiliates, primarily Russian-speaking cybercriminals, the malware is available through subscription-based plans.
Mirax not only functions as a RAT but also turns infected devices into residential proxy nodes by running a SOCKS5 proxy over a WebSocket-based channel that can carry multiple connections. Cleafy highlights this feature as adding another dimension to the malware’s threat.
Methods of Propagation
The spread of Mirax involves the use of Meta advertisements displayed on platforms such as Facebook, Instagram, and Messenger, reaching over 200,000 users with malicious content. The attackers employ websites that advertise IPTV services to redirect victims to malware droppers hosted on GitHub, requiring users to sideload APKs since these malicious applications are not available on Google Play.
The infection requires victims to enable installation from unknown sources, after which a complex multi-stage process designed to evade security controls takes over.
Technical Aspects and Security Implications
The malicious payload is concealed using Golden Encryption, hiding code within an encrypted Dalvik Executable (.dex) file. The RC4 stream cipher, with a hardcoded key, is used to decrypt the code during installation, enhancing the malware’s stealth.
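As an added example (not code from Cleafy or from the malware itself), the Python triage helper below applies the RC4 decryption described above to a suspected payload and checks the result for a Dalvik header, which is how an analyst confirms a recovered hardcoded key. The key and the encrypted sample are constructed placeholders; a real key has to be pulled from the dropper under analysis.

```python
from typing import Iterable, Optional, Tuple

# Every Dalvik executable begins with "dex\n", a three-digit version and a NUL.
DEX_MAGIC = b"dex\n"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the input
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_dex(blob: bytes) -> bool:
    """True if blob starts with a well-formed Dalvik magic: 'dex\\n' + 3 digits + NUL."""
    return (len(blob) >= 8 and blob[:4] == DEX_MAGIC
            and blob[4:7].isdigit() and blob[7] == 0)


def try_unpack(blob: bytes, candidate_keys: Iterable[bytes]) -> Tuple[Optional[bytes], bytes]:
    """Decrypt blob with each candidate key; return (key, plaintext) on the first dex hit."""
    for key in candidate_keys:
        plain = rc4(key, blob)
        if looks_like_dex(plain):
            return key, plain
    return None, b""


# Constructed sample: a fake dex header plus filler, encrypted with a placeholder key.
CONSTRUCTED_KEY = b"placeholder-key"
FAKE_DEX = b"dex\n035\x00" + bytes(range(56))
ENCRYPTED_SAMPLE = rc4(CONSTRUCTED_KEY, FAKE_DEX)

if __name__ == "__main__":
    key, plain = try_unpack(ENCRYPTED_SAMPLE, [b"wrong", CONSTRUCTED_KEY])
    print("recovered key:", key, "| dex header:", plain[:8])
```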
Mirax’s capabilities extend to overlay and notification injection for credential theft, real-time device control, application management, and data exfiltration. Additionally, it can establish a SOCKS5 proxy connection, channeling traffic through the device using multiple WebSocket connections.
Cleafy notes the novelty of integrating residential proxy functionality within a RAT, especially given its potential impact on sectors like banking. Although no direct exploits of this feature were observed, its presence raises concerns about future targeted attacks.
In related news, Gmail has introduced end-to-end encryption for enterprise Android and iOS users, while Microsoft has uncovered vulnerabilities affecting millions of Android crypto wallet users. Moreover, new malware, PromptSpy, leverages AI for persistence, highlighting the ongoing cybersecurity challenges faced by Android users.
