Mirax Android RAT turns devices into SOCKS5 proxies and reaches 220,000 via Meta ads

April 14, 2026

An earlier Android remote access Trojan called Mirax has been observed actively targeting Spanish-speaking countries, with campaigns reaching over 220,000 accounts on Facebook, Instagram, Messenger, and Threads through ads on Meta.

Cleafy, an Italian online fraud prevention company, said: “Mirax integrates advanced remote access Trojan (RAT) capabilities, allowing attackers full interaction with compromised devices in real-time.”

“Beyond the operation of traditional RATs, Mirax increases its operational value by turning infected devices into residential proxy nodes. It leverages support for the SOCKS5 protocol and Yamux multiplexing to establish a persistent proxy channel that allows attackers to route traffic through the victim’s real IP address.”

Details about Mirax first emerged last month when Outpost24’s KrakenLabs revealed that a threat actor named “Mirax Bot” was advertising a private malware-as-a-service (MaaS) offering on underground forums for $2,500 for a three-month subscription. A lightweight version that removes certain features, such as the ability to bypass Google Play Protect using proxies and crypters, is also available for $1,750 per month.

Like other Android malware, Mirax can capture keystrokes, steal photos, collect lock screen details, execute commands, manipulate the user interface, and monitor user activity on compromised devices. It can also dynamically fetch HTML overlay pages from command-and-control (C2) servers and render them over legitimate applications to steal credentials.

Incorporating a SOCKS proxy, on the other hand, is a relatively unknown feature that differs from traditional RAT behavior. Proxy botnets offer several advantages in that they allow threat actors to circumvent location-based restrictions, evade fraud detection systems, and perform account takeover and transaction fraud under the guise of anonymity and increased legitimacy.

“Unlike typical MaaS services, Mirax is distributed through a highly controlled and proprietary model limited to a small number of affiliates,” said researchers Alberto Giust, Alessandro Strino and Federico Valentini. “Access to well-established Russian-speaking actors in the underground community appears to have been prioritized, indicating a deliberate effort to maintain operational security and campaign effectiveness.”

Attack chains distributing the malware use Meta ads to promote the dropper app’s webpage and trick unsuspecting users into downloading it. As many as six ads were observed aggressively promoting streaming services offering free access to live sports and movies. Five of these ads are targeted at users in Spain. One of the ads started running on April 6, 2026 and reached 190,987 accounts.

Several checks are implemented on the dropper app URL to ensure that it is being accessed from a mobile device and that automated scanning does not reveal its true nature. The names of the malicious apps are:

  • StreamTV (org.lgvvfj.pluscqpuj or org.dawme.secure5ny) – Dropper App
  • Video Player (org.yjeiwd.plusdc71 or org.azgaw.managergst1d) – Mirax

What is notable about this campaign is the use of GitHub to host the malicious dropper APK file. Additionally, the builder panel also offers the ability to choose between two crypters for better APK protection: Virbox and Golden Crypt (also known as Golden Encryption).

Once installed, the dropper prompts the user to allow installation from unknown sources in order to deploy the malware. The process to extract the final payload is a “sophisticated multi-step operation” designed to evade security analysis and automated sandboxing tools.

Once installed on a device, the malware disguises itself as a video playback utility and prompts victims to enable accessibility services. This allows it to run in the background, display fake error messages indicating installation failures, and display fake overlays to hide malicious activity.

It also establishes multiple bidirectional C2 channels for task processing and data exfiltration:

  • WebSocket on port 8443: manages remote access and runs remote commands.
  • WebSocket on port 8444: manages remote streaming and data exfiltration.
  • WebSocket on port 8445 (or a custom port): configures a residential proxy using SOCKS5.
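The three-channel layout described above can be hunted for in network flow data. The following is an added example, not code from Cleafy or from the article: it flags a device that holds connections to one remote host on ports 8443 and 8444 together with a long-lived third channel (8445 or another port). The CSV column names, the 10-minute threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Ports the article attributes to Mirax's three WebSocket C2 channels.
CONTROL_PORT, STREAM_PORT, DEFAULT_PROXY_PORT = 8443, 8444, 8445
MIN_PROXY_SECONDS = 600  # assumption: a "persistent" proxy channel lives >= 10 minutes

# Constructed flow records (not real telemetry): one row per TCP connection.
SAMPLE_FLOWS = """device,dst_ip,dst_port,duration_s,bytes_out,bytes_in
phone-a,203.0.113.10,8443,5400,18000,9000
phone-a,203.0.113.10,8444,5100,48000000,12000
phone-a,203.0.113.10,8445,5350,730000,910000
phone-b,198.51.100.7,8443,42,3100,15000
phone-b,198.51.100.8,443,30,2000,90000
phone-c,192.0.2.55,8443,3000,9000,4000
phone-c,192.0.2.55,8444,2900,20000000,8000
phone-c,192.0.2.55,9001,2950,400000,380000
"""

def find_mirax_like_hosts(flow_csv, min_proxy_seconds=MIN_PROXY_SECONDS):
    """Return (device, dst_ip) pairs that show the three-channel C2 layout."""
    by_pair = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port, dur = int(row["dst_port"]), int(row["duration_s"])
        ports = by_pair[(row["device"], row["dst_ip"])]
        ports[port] = max(dur, ports.get(port, 0))  # keep the longest flow per port
    findings = []
    for (device, dst), ports in sorted(by_pair.items()):
        # Control and streaming channels must both go to the same remote host.
        if CONTROL_PORT not in ports or STREAM_PORT not in ports:
            continue
        # Third channel: 8445 by default, otherwise any other long-lived port.
        others = {p: d for p, d in ports.items()
                  if p not in (CONTROL_PORT, STREAM_PORT) and d >= min_proxy_seconds}
        if not others:
            continue
        proxy_port = (DEFAULT_PROXY_PORT if DEFAULT_PROXY_PORT in others
                      else max(others, key=others.get))
        findings.append({"device": device, "dst_ip": dst, "proxy_port": proxy_port,
                         "confidence": "high" if proxy_port == DEFAULT_PROXY_PORT else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_mirax_like_hosts(SAMPLE_FLOWS):
        print(finding)
```

A single connection to port 8443 (as for phone-b) is common for benign services, which is why the check requires all three channels to the same host before raising a finding.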

“This integration of RAT and proxy capabilities reflects broader changes in the threat landscape,” Cleafy said. “Residential proxy abuse has traditionally been associated with the compromise of low-cost Android hardware such as IoT devices and smart TVs, but Mirax takes this functionality to a new level by incorporating this functionality into a full-featured banking Trojan.”

“This approach not only increases the monetization potential of each infection, but also expands the attacker’s reach, making compromised devices available for both direct financial fraud and as infrastructure for broader cybercrime operations.”

The disclosure comes as Breakglass Intelligence details an Arabic Android RAT called ASO RAT that is distributed via PDF readers and apps masquerading as Syrian government applications.

“The platform provides complete capabilities to compromise devices, including SMS interception, camera access, GPS tracking, call logging, file extraction, and DDoS launches from victim devices,” the company said. “A multi-user panel with role-based access control suggests this will operate as a RAT-as-a-Service or support multi-operator teams.”

Although the exact end goal of the campaign is currently unknown, the lure of Syria-themed apps (e.g. Syria DefenseMap and GovLens) suggests that it may be targeting individuals with an interest in Syria’s military and governance issues as part of what appears to be a surveillance operation.

