Mirax Android RAT Turns Devices into Proxy Nodes via Meta Ads, Targets 220,000 Accounts

Mirax Android RAT: A New Threat Transforming Devices into Proxy Nodes via Meta Ads

A new Android Remote Access Trojan (RAT) named Mirax has emerged, actively targeting Spanish-speaking regions. This malware has reached over 220,000 accounts across platforms like Facebook, Instagram, Messenger, and Threads through advertisements on Meta.

Mirax is not just a typical RAT; it offers advanced capabilities that allow cybercriminals to interact with compromised devices in real-time. Beyond standard RAT functionalities, Mirax enhances its utility by converting infected devices into residential proxy nodes. By leveraging the SOCKS5 protocol and Yamux multiplexing, it establishes persistent proxy channels, enabling attackers to route their traffic through the victim’s real IP address.

The existence of Mirax was first brought to light last month when Outpost24’s KrakenLabs reported that a threat actor named Mirax Bot was promoting a private malware-as-a-service (MaaS) on underground forums. The service is priced at $2,500 for a three-month subscription. A lighter version, which omits features like the proxy and the ability to bypass Google Play Protect using a crypter, is available for $1,750 per month.

Mirax’s capabilities are extensive. It can capture keystrokes, steal photos, gather lock screen details, execute commands, navigate the user interface, and monitor user activity on the infected device. Additionally, it can dynamically fetch HTML overlay pages from a command-and-control (C2) server to be displayed over legitimate applications, facilitating credential theft.

The inclusion of a SOCKS proxy sets Mirax apart from conventional RATs. This feature allows cybercriminals to bypass geolocation-based restrictions, evade fraud detection systems, and conduct account takeovers or transaction fraud while maintaining anonymity and appearing to originate from a legitimate residential connection.

Unlike typical MaaS offerings, Mirax is distributed through a highly controlled and exclusive model, limited to a small number of affiliates. Access appears to be prioritized for Russian-speaking actors with established reputations in underground communities, indicating a deliberate effort to maintain operational security and campaign effectiveness.

The malware is disseminated through Meta ads that promote dropper app web pages, deceiving users into downloading them. Six such ads have been identified, advertising a streaming service offering free access to live sports and movies. Five of these ads target users in Spain, with one ad, launched on April 6, 2026, reaching 190,987 accounts.

The dropper app URLs incorporate several checks to ensure they are accessed from mobile devices and to prevent automated scans from detecting their malicious nature. The malicious apps identified include:

– StreamTV (org.lgvvfj.pluscqpuj or org.dawme.secure5ny) – Dropper app
– Reproductor de video (org.yjeiwd.plusdc71 or org.azgaw.managergst1d) – Mirax

A notable aspect of this campaign is the use of GitHub to host the malicious dropper APK files. The builder panel also offers the option to choose between two crypters—Virbox and Golden Crypt (also known as Golden Encryption)—for enhanced APK protection.

Once installed, the dropper prompts users to allow installation from unknown sources to deploy the malware. The extraction of the final payload is a sophisticated, multi-stage operation designed to evade security analysis and automated sandboxing tools.

After installation, the malware masquerades as a video playback utility and prompts the victim to enable accessibility services. This allows it to run in the background, display a fake error message stating the installation was unsuccessful, and serve bogus overlays to conceal its malicious activities.

Mirax establishes multiple bidirectional C2 channels for tasking and data exfiltration:

– WebSocket on port 8443, to manage remote access and execute remote commands.
– WebSocket on port 8444, to manage remote streaming and data exfiltration.
– WebSocket on port 8445 (or a custom port), to set up the residential proxy using SOCKS5.
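The three-channel layout above lends itself to a simple network-side correlation check. The following is an added example, not code from the article or from any vendor: it parses constructed flow records (source IP, destination IP, destination port, bytes; not real telemetry) and flags a device that reaches two or more of the reported C2 ports on the same destination host, reporting any additional port to that host as a possible custom proxy port.

```python
"""Correlate Mirax-style C2 port usage in flow logs (constructed sample data)."""
from collections import defaultdict

# WebSocket ports reported for Mirax's C2 channels. The proxy channel may use a
# custom port, so we do not require all three to be present.
MIRAX_C2_PORTS = {8443: "remote access", 8444: "streaming/exfiltration", 8445: "SOCKS5 proxy"}

# Constructed sample flow records: src_ip dst_ip dst_port bytes (hypothetical values)
SAMPLE_FLOWS = """\
10.0.0.21 203.0.113.10 8443 5120
10.0.0.21 203.0.113.10 8444 880000
10.0.0.21 203.0.113.10 8445 42000
10.0.0.33 203.0.113.10 8443 1024
10.0.0.33 198.51.100.7 443 3000
10.0.0.40 198.51.100.9 8443 700
10.0.0.40 198.51.100.9 8444 9100
10.0.0.40 198.51.100.9 9000 120000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split()
        flows.append((src, dst, int(port), int(nbytes)))
    return flows


def find_c2_candidates(flows, min_channels=2):
    """Return {(src, dst): {...}} for device/host pairs that use at least
    min_channels of the known C2 ports; other ports to the same host are
    listed as candidates for the custom proxy port."""
    ports_by_pair = defaultdict(set)
    for src, dst, port, _ in flows:
        ports_by_pair[(src, dst)].add(port)
    hits = {}
    for pair, ports in ports_by_pair.items():
        c2 = ports & set(MIRAX_C2_PORTS)
        if len(c2) < min_channels:
            continue  # a single 8443 connection alone is common and not a signal
        hits[pair] = {
            "c2_ports": sorted(c2),
            "channels": [MIRAX_C2_PORTS[p] for p in sorted(c2)],
            "possible_custom_proxy_port": sorted(ports - set(MIRAX_C2_PORTS)),
        }
    return hits


if __name__ == "__main__":
    for pair, info in find_c2_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(pair, info)
```

Port numbers alone are a weak indicator (8443 is a common HTTPS alternative), so treat a hit as a lead to confirm against the device's installed packages and the destination's reputation rather than as a verdict.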

This convergence of RAT and proxy capabilities reflects a broader shift in the threat landscape. While residential proxy abuse has historically been associated with compromised IoT devices and low-cost Android hardware such as smart TVs, Mirax marks a new phase by embedding this functionality within a full-featured banking trojan.

This approach not only increases the monetization potential of each infection but also expands the operational scope of attackers, who can now leverage compromised devices for both direct financial fraud and as infrastructure for wider cybercriminal activities.

The disclosure of Mirax comes as Breakglass Intelligence detailed an Arabic-language Android RAT called ASO RAT, which is distributed via apps disguised as PDF readers and Syrian government applications.

The platform provides full device compromise capabilities—SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS launching from victim devices. A multi-user panel with role-based access control suggests this operates as a RAT-as-a-Service or supports a multi-operator team.

While the exact objectives of the campaign remain unclear, the use of Syria-themed lures for the apps (e.g., SyriaDefenseMap and GovLens) suggests that it may be targeting individuals with an interest in Syrian military or governance matters as part of a suspected surveillance operation.