Mirax RAT Targeting Android Users in Europe

A new, sophisticated remote access trojan (RAT) has been targeting Android users across Europe, fraud management and prevention company Cleafy warns. Dubbed Mirax, the threat has been promoted on underground forums since December 2025 and has been used in multiple campaigns since March. The threat is distributed as malware-as-a-service (MaaS) to a small number of affiliates, mainly Russian-speaking threat actors, through tiered subscription plans. In addition to its RAT capabilities, Mirax can turn infected devices into residential proxy nodes by deploying a SOCKS5 proxy that implements multiplexing over the WebSocket-based channel, which supports multiple connections, Cleafy notes. For distribution, threat actors are promoting the malware’s dropper pages through Meta advertisements displayed on Facebook, Instagram, Messenger, and similar services. According to Cleafy, more than 200,000 users have been served the malicious ads. The miscreants use websites promoting IPTV application services to redirect to droppers hosted on GitHub and rely on APK sideloading for the malware’s execution, as none of the malicious apps are being distributed through Google Play. The victims are tricked into enabling installation from unknown sources to run the malicious IPTV application, which triggers a multi-stage infection process meant to bypass protections. The payload is packed using Golden Encryption (also known as Golden Crypt), hides the malicious code in an encrypted Dalvik Executable (.dex) file, and uses the RC4 stream cipher with a hardcoded cryptographic key to decrypt the code during installation. Mirax supports overlay and notification injection for credential theft and allows attackers to view the screen in real time, navigate and control the device, manage applications, and exfiltrate images and text. Additionally, it allows the operators to launch a SOCKS5 proxy connection to proxy traffic through the device, using two or three distinct WebSocket connections. “Beyond the rise of residential proxy in the context of IoT devices, the introduction of this functionality into a malware RAT like Mirax is a novelty that warrants attention. While the analysis did not reveal any use of this functionality, it is still valuable to consider the motivations behind adding it to a RAT and the implications for highly targeted sectors like banks and similar institutions,” Cleafy notes. Related: Gmail Brings End-to-End Encryption to Android and iOS for Enterprise Users Related: Microsoft Finds Vulnerability Exposing Millions of Android Crypto Wallet Users Related: PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence Related: New Keenadu Android Malware Found on Thousands of Devices WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Fortinet Patches Critical FortiSandbox Vulnerabilities SAP Patches Critical ABAP Vulnerability Triad Nexus Evades Sanctions to Fuel Cybercrime Google Adds Rust DNS Parser to Pixel Phones for Better Security Organizations Warned of Exploited Windows, Adobe Acrobat Vulnerabilities Fake Claude Website Distributes PlugX RAT Gmail Brings End-to-End Encryption to Android and iOS for Enterprise Users Juniper Networks Patches Dozens of Junos OS Vulnerabilities Latest News Exploited Vulnerability Exposes Nginx Servers to Hacking Capsule Security Emerges From Stealth With $7 Million in Funding ‘By Design’ Flaw in MCP Could Enable Widespread AI Supply Chain Attacks 100 Chrome Extensions Steal User Data, Create Backdoor CISO Conversations: Ross McKerchar, CISO at Sophos Two Vulnerabilities Patched in Ivanti Neurons for ITSM  $10 Domain Could Have Handed Hackers 25k Endpoints, Including in OT and Gov Networks Trump Urges Extending Foreign Surveillance Program as Some Lawmakers Push for US Privacy Protections Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move The United States Department of War appointed David Vaughn as Technical Advisor for Data Infrastructure. Black Duck has named Dom Glavach as Chief Information Security Officer. Finite State has named Ann Miller as Vice President of Marketing. More People On The Move Expert Insights The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) Flipboard Reddit Whatsapp Email