A newly identified Android remote access trojan (RAT) called Mirax is actively targeting Spanish-speaking regions, reaching over 220,000 accounts on platforms such as Facebook, Instagram, Messenger, and Threads through advertisements on Meta. This malware is particularly notable for its advanced capabilities and unique distribution methods.
Features of the Mirax RAT
Mirax integrates sophisticated RAT functionality, enabling cybercriminals to interact in real time with compromised devices. According to Cleafy, an Italian fraud prevention firm, Mirax goes further by turning infected devices into residential proxy nodes: using the SOCKS5 protocol with Yamux multiplexing, it establishes persistent proxy channels through which attackers can route their own traffic via the victim's IP address.
The trojan’s details first surfaced last month when Outpost24’s KrakenLabs revealed that a threat actor known as “Mirax Bot” is promoting a private malware-as-a-service (MaaS) offering. The service is priced at $2,500 for a three-month subscription, with a lighter version available for $1,750 per month. This variant excludes certain features like proxy capabilities and Google Play Protect bypassing.
Distribution and Impact
Mirax supports various malicious activities typical of Android malware, such as capturing keystrokes, stealing photos, extracting lock screen information, executing commands, and monitoring user activity. It also dynamically fetches HTML overlay pages from a command-and-control (C2) server to steal credentials.
A built-in SOCKS proxy is uncommon among Android RATs. The resulting proxy network gives attackers several advantages, such as bypassing geolocation restrictions, evading fraud detection, and carrying out account takeovers or fraudulent transactions with enhanced anonymity.
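The SOCKS5-over-Yamux proxy channel described above lends itself to inspection from the defender's side. The following is an added example, not code from Cleafy, Outpost24 or the Mirax authors: it demultiplexes a captured Yamux byte stream (12-byte big-endian header: version, type, flags, stream ID, length) and decodes any RFC 1928 SOCKS5 request found in data frames, so an analyst can list which destinations were being proxied through a device. It assumes a plaintext (or already decrypted) capture of the tunnel; the sample bytes are constructed for the example.

```python
import ipaddress
import struct
from typing import Iterator, Optional

YAMUX_DATA = 0  # Yamux frame type 0 carries stream payload; types 1-3 are control frames

def yamux_frames(buf: bytes) -> Iterator[tuple[int, int, int, bytes]]:
    """Yield (type, flags, stream_id, payload) for each Yamux frame in buf (12-byte header)."""
    off = 0
    while off + 12 <= len(buf):
        ver, ftype, flags, sid, length = struct.unpack_from(">BBHII", buf, off)
        if ver != 0 or ftype > 3:
            raise ValueError(f"not a Yamux frame at offset {off}")
        off += 12
        # Only data frames carry bytes; for control frames 'length' is a delta/opaque value.
        payload = buf[off:off + length] if ftype == YAMUX_DATA else b""
        off += len(payload)
        yield ftype, flags, sid, payload

def parse_socks5_request(data: bytes) -> Optional[tuple[str, str, int]]:
    """Decode an RFC 1928 request (VER CMD RSV ATYP ADDR PORT); None if data is not one."""
    if len(data) < 4 or data[0] != 5 or data[2] != 0:
        return None
    cmd = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}.get(data[1])
    atyp = data[3]
    if atyp == 1 and len(data) >= 10:                               # IPv4 address
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 3 and len(data) >= 5 and len(data) >= 7 + data[4]:  # length-prefixed domain
        host, end = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    else:
        return None
    if cmd is None or len(data) < end + 2:
        return None
    return cmd, host, struct.unpack_from(">H", data, end)[0]

def proxied_destinations(tunnel: bytes) -> list[tuple[int, str, str, int]]:
    """List (stream_id, cmd, host, port) for every SOCKS5 request seen inside the tunnel."""
    return [(sid, *req) for ftype, _f, sid, payload in yamux_frames(tunnel)
            if ftype == YAMUX_DATA and (req := parse_socks5_request(payload))]

def _data_frame(sid: int, payload: bytes, flags: int = 0) -> bytes:
    return struct.pack(">BBHII", 0, YAMUX_DATA, flags, sid, len(payload)) + payload

# Constructed sample capture: two multiplexed SOCKS5 streams plus one window-update frame.
SAMPLE_TUNNEL = (
    _data_frame(1, b"\x05\x01\x00", flags=0x1)                          # greeting (no auth), SYN
    + _data_frame(1, b"\x05\x01\x00\x03\x0bexample.com\x01\xbb")         # CONNECT example.com:443
    + struct.pack(">BBHII", 0, 1, 0, 1, 256 * 1024)                     # window update, no payload
    + _data_frame(3, b"\x05\x01\x00\x01\xc0\x00\x02\x07\x00\x50", 0x1)   # CONNECT 192.0.2.7:80
)
```

Running `proxied_destinations(SAMPLE_TUNNEL)` yields one entry per proxied destination, which is the list a responder would compare against the device owner's expected traffic.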
Campaign Strategy and Techniques
Mirax is distributed through a selective model, limited to a few affiliates, primarily Russian-speaking individuals with strong reputations in underground communities. The malware is spread via Meta ads promoting dropper app websites, deceiving users into downloading them. Notably, six ads have promoted a fake streaming service offering free live sports and movies, with five targeting Spanish users. One ad, launched on April 6, 2026, has reached 190,987 accounts.
The campaign uses GitHub to host the malicious dropper APK files and offers affiliates APK protection through two crypters, Virbox and Golden Crypt. Once installed, the dropper guides users into permitting installations from unknown sources, then begins a complex, multi-stage payload extraction process designed to evade security analysis tools.
Conclusion and Future Implications
This convergence of RAT and proxy functionalities signifies a broader shift in the threat landscape, as noted by Cleafy. While proxy abuse has been linked to compromised IoT devices and low-cost Android hardware, Mirax introduces this feature within a full-fledged banking trojan. This approach not only enhances each infection’s monetization potential but also broadens the operational scope for attackers, enabling the use of compromised devices for both direct financial fraud and broader cybercrime activities.
The ongoing developments underscore the need for heightened vigilance and advanced security measures to counter such sophisticated threats. As cybercriminals continue to innovate, the cybersecurity community must remain proactive in detecting and mitigating emerging risks.
