Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Mirax RAT Threatens Android Users Across Europe

Mirax RAT Threatens Android Users Across Europe

Posted on April 15, 2026 By CWS

A newly identified remote access trojan (RAT), known as Mirax, is posing a significant threat to Android users throughout Europe, according to a recent warning from the fraud management company Cleafy.

Emergence and Distribution of Mirax

First appearing on underground forums in December 2025, Mirax has been actively used in multiple malicious campaigns since March. Offered as malware-as-a-service (MaaS) to a select group of affiliates, primarily Russian-speaking cybercriminals, the malware is available through subscription-based plans.

Mirax not only functions as a RAT but also converts infected devices into residential proxy nodes by deploying a SOCKS5 proxy over a WebSocket-based channel, which enables multiple connections. This feature, highlighted by Cleafy, adds an additional layer of threat to the malware’s capabilities.

Methods of Propagation

The spread of Mirax involves the use of Meta advertisements displayed on platforms such as Facebook, Instagram, and Messenger, reaching over 200,000 users with malicious content. The attackers employ websites that advertise IPTV services to redirect victims to malware droppers hosted on GitHub, requiring users to sideload APKs since these malicious applications are not available on Google Play.

The infection process necessitates victims to enable installations from unknown sources, triggering a complex multi-stage process designed to evade security measures.

Technical Aspects and Security Implications

The malicious payload is concealed using Golden Encryption, hiding code within an encrypted Dalvik Executable (.dex) file. The RC4 stream cipher, with a hardcoded key, is used to decrypt the code during installation, enhancing the malware’s stealth.

Mirax’s capabilities extend to overlay and notification injection for credential theft, real-time device control, application management, and data exfiltration. Additionally, it can establish a SOCKS5 proxy connection, channeling traffic through the device using multiple WebSocket connections.

Cleafy notes the novelty of integrating residential proxy functionality within a RAT, especially given its potential impact on sectors like banking. Although no direct exploits of this feature were observed, its presence raises concerns about future targeted attacks.

In related news, Gmail has introduced end-to-end encryption for enterprise Android and iOS users, while Microsoft has uncovered vulnerabilities affecting millions of Android crypto wallet users. Moreover, new malware, PromptSpy, leverages AI for persistence, highlighting the ongoing cybersecurity challenges faced by Android users.

Security Week News Tags:Android security, APK sideloading, Cleafy, credential theft, Cybercrime, Cybersecurity, Europe, fraud prevention, Golden Encryption, Malware, malware-as-a-service, Mirax RAT, remote access trojan, security threat, SOCKS5 proxy

Post navigation

Previous Post: Hackers Exploit Microsoft 365 Mailbox Rules for Email Interception
Next Post: AI Browsers Present New Security Risks with Prompt Injection

Related Posts

Mainline Health, Select Medical Each Disclose Data Breaches Impacting 100,000 People Mainline Health, Select Medical Each Disclose Data Breaches Impacting 100,000 People Security Week News
Chinese Cyber Threats Breach Global Telecom Systems Chinese Cyber Threats Breach Global Telecom Systems Security Week News
Apache Patches Critical Vulnerabilities in HTTP Server Apache Patches Critical Vulnerabilities in HTTP Server Security Week News
Firefox 145 and Chrome 142 Patch High-Severity Flaws in Latest Releases Firefox 145 and Chrome 142 Patch High-Severity Flaws in Latest Releases Security Week News
Cybersecurity M&A Roundup: 27 Deals Announced in August 2025 Cybersecurity M&A Roundup: 27 Deals Announced in August 2025 Security Week News
Microsoft Fixes 200 Flaws in June Patch Tuesday Microsoft Fixes 200 Flaws in June Patch Tuesday Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • CISA Alerts on Critical SharePoint Vulnerability Exploitation
  • Beacon Security Secures $13M Funding for Data Platform
  • GoSerpent Malware Targets Southeast Asian Governments
  • New ClickLock Malware Threatens macOS Security
  • ACR Stealer Exploits ClickFix to Access Sensitive Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • CISA Alerts on Critical SharePoint Vulnerability Exploitation
  • Beacon Security Secures $13M Funding for Data Platform
  • GoSerpent Malware Targets Southeast Asian Governments
  • New ClickLock Malware Threatens macOS Security
  • ACR Stealer Exploits ClickFix to Access Sensitive Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark