Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads

Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Ravie LakshmananApr 14, 2026Mobile Security / Surveillance A nascent Android remote access trojan called Mirax has been observed actively targeting Spanish-speaking countries, with campaigns reaching more than 220,000 accounts on Facebook, Instagram, Messenger, and Threads through advertisements on Meta. "Mirax integrates advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real time," Italian online fraud prevention firm Cleafy said. "Beyond traditional RAT behavior, Mirax enhances its operational value by turning infected devices into residential proxy nodes. Leveraging SOCKS5 protocol support and Yamux multiplexing, it establishes persistent proxy channels that allow attackers to route their traffic through the victim's real IP address." Details of Mirax first emerged last month when Outpost24's KrakenLabs revealed that a threat actor going by the name "Mirax Bot" has been advertising a private malware-as-a-service (MaaS) offering on underground forums for $2,500 for a three-month subscription. Also available for $1,750 per month is a lightweight variant that removes certain features like the proxy and the ability to bypass Google Play Protect using a crypter. Like other Android malware, Mirax supports the ability to capture keystrokes, steal photos, gather lock screen details, run commands, navigate the user interface, and monitor user activity on the compromised device. It can also dynamically fetch HTML overlay pages from a command-and-control (C2) server to be rendered over legitimate applications for credential theft. The incorporation of a SOCKS proxy, on the other hand, is a relatively lesser-known feature that sets it apart from conventional RAT behavior. The proxy botnet offers several advantages in that it allows threat actors to get around geolocation-based restrictions, evade fraud detection systems, and conduct account takeovers or transaction fraud under the guise of increased anonymity and legitimacy. "Unlike typical MaaS offerings, Mirax is distributed through a highly controlled and exclusive model, limited to a small number of affiliates," researchers Alberto Giust, Alessandro Strino, and Federico Valentini said. "Access appears to be prioritized for Russian-speaking actors with established reputations in underground communities, indicating a deliberate effort to maintain operational security and campaign effectiveness." Attack chains distributing the malware use Meta ads to promote dropper app web pages, tricking unsuspecting users into downloading them. As many as six ads have been observed actively advertising a streaming service with free access to live sports and movies. Of these, five ads are directed against users in Spain. One of the ads, which started running on April 6, 2026, has a reach of 190,987 accounts. The dropper app URLs implement a number of checks to ensure that they are accessed from mobile devices and to prevent automated scans from revealing their true color. The names of the malicious apps are listed below - StreamTV (org.lgvvfj.pluscqpuj or org.dawme.secure5ny) - Dropper app Reproductor de video (org.yjeiwd.plusdc71 or org.azgaw.managergst1d) - Mirax A notable aspect of the campaign is the use of GitHub to host the malicious dropper APK files. In addition, the builder panel offers the ability to choose between two crypters – Virbox and Golden Crypt (aka Golden Encryption) – for enhanced APK protection. Once installed, the dropper instructs users to allow installation from unknown sources to deploy the malware. The process of extracting the final payload is a "sophisticated, multi-stage operation" that's designed to sidestep security analysis and automated sandboxing tools. The malware, after getting installed on the device, masquerades as a video playback utility and prompts the victim to enable accessibility services, thereby allowing it to run in the background, display a fake error message stating the installation was unsuccessful, and serve bogus overlays to conceal malicious activities. It also establishes multiple bidirectional C2 channels for tasking and data exfiltration - WebSocket on port 8443, to manage remote access and execute remote commands. WebSocket on port 8444, to manage remote streaming and data exfiltration. WebSocket on port 8445 (or a custom port), to set up the residential proxy using SOCKS5. "This convergence of RAT and proxy capabilities reflects a broader shift in the threat landscape," Cleafy said. "While residential proxy abuse has historically been associated with compromised IoT devices and low-cost Android hardware such as smart TVs, Mirax marks a new phase by embedding this functionality within a full-featured banking trojan." "This approach not only increases the monetization potential of each infection but also expands the operational scope of attackers, who can now leverage compromised devices for both direct financial fraud and as infrastructure for wider cybercriminal activities." The disclosure comes as Breakglass Intelligence detailed an Arabic-language Android RAT called ASO RAT that's distributed via apps disguised as PDF readers and Syrian government applications. "The platform provides full device compromise capabilities – SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS launching from victim devices," the company said. "A multi-user panel with role-based access control suggests this operates as a RAT-as-a-Service or supports a multi-operator team." It's currently not known what the exact end goals of the campaign are, but Syria-themed lures for the apps (e.g., SyriaDefenseMap and GovLens) suggest that it may be targeting individuals with an interest in Syrian military or governance matters as part of what's suspected to be a surveillance operation. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Android, cybersecurity, data theft, Malware, Malware-as-a-Service, mobile security, Remote Access Trojan, social engineering, Social media, surveillance Trending News Block the Prompt, Not the Work: The End of "Doctor No" New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems Load More ▼ Popular Resources Get Full Visibility into Vendor and Internal Risk in One Platform Learn How to Block Breached Passwords in Active Directory Before Attacks Secure Your AI Systems Across the Full Lifecycle of Risks [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls