Mirax Malware Campaign Compromises 220,000 Accounts With Complete Remote Access Capabilities
Key Findings
Mirax, a new Android RAT, infected over 220,000 users primarily in Spanish-speaking regions through Meta platform advertisements
The malware grants attackers full remote control of devices and converts them into SOCKS5 residential proxies for routing malicious traffic
Distribution uses a multi-stage attack combining phishing sites, fake streaming apps, and GitHub-hosted droppers with strong obfuscation
Mirax operates as an exclusive malware-as-a-service limited to trusted affiliates, representing a shift toward more controlled distribution models
The malware uses sophisticated evasion techniques including RC4 and XOR encryption, Golden Encryption packing, and dynamic loading to avoid detection
Background
Mirax emerged as a newly identified Android remote access trojan and banking malware that gained rapid traction in the cybercriminal underground. First publicly promoted on forums on December 19, 2025, it caught the attention of Cleafy's Threat Intelligence team in March 2026 when coordinated campaigns targeting Spanish-speaking regions began scaling up. The malware represents a notable evolution in how mobile threats are weaponized and distributed at scale.
Distribution Method
The attack chain begins with Meta advertisements on Facebook and Instagram that redirect victims to phishing sites posing as illegal sports streaming services. The sites specifically target mobile users and restrict access to non-mobile devices to avoid triggering security tools. Once users download what they believe is a streaming app, they're prompted to enable installation from unknown sources.
The actual malware is hosted on GitHub Releases as a dropper, frequently repackaged and updated to evade detection. Attackers sometimes reuse existing GitHub releases rather than creating new ones, making the infrastructure harder to track. The dropper unpacks its payload, applies heavy obfuscation, and establishes contact with command-and-control servers via WebSockets.
Technical Infection Process
Mirax employs a sophisticated two-stage infection mechanism. The initial dropper disguises itself as an IPTV application and contains an encrypted .dex file buried deep within the app structure using uncommon file paths. When executed, the dropper extracts and decrypts this payload using RC4 with a hardcoded key, revealing the actual malicious code.
The real malware is stored as another encrypted APK inside the dropper, decrypted via XOR before installation. In some cases, it downloads this payload remotely instead. The malware relies on advanced packers like Golden Encryption, which is widely promoted on underground forums and remains difficult for security researchers to detect compared to more documented options like Virbox.
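The two-stage unpacking described above (an RC4-decrypted .dex under a hardcoded key at an uncommon path, then a XOR-decrypted APK) is exactly what an analyst triaging a suspicious IPTV dropper has to surface. The script below is an added example for that triage, not code from Cleafy or from the article: it walks an APK's zip entries, flags high-entropy blobs outside the normal APK layout, tries analyst-supplied RC4 candidate keys, and recovers a short repeating XOR key by known plaintext from the DEX magic, validating each guess against the DEX header's file_size field so random data is not mistaken for a hit. The sample APK, its two hidden payloads, and the keys are all constructed here; the real dropper's paths and keys are not on the page.

```python
"""Triage: find encrypted DEX-like payloads hidden in an APK's zip entries.

Added example (not Cleafy's or the operators' code). Sample APK, payloads and keys
are constructed below; nothing here comes from a real Mirax sample.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n035\x00"            # magic of a classic DEX file (version 035)
ENTROPY_THRESHOLD = 7.0                 # bits/byte; encrypted or packed blobs sit near 8
SAMPLE_RC4_KEY = b"constructed-rc4-key"  # constructed; stands in for the hardcoded key
SAMPLE_XOR_KEY = b"k3y"                  # constructed repeating XOR key


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); symmetric, so the same call decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_repeat(key: bytes, data: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_dex(data: bytes) -> bool:
    """Magic and the header's file_size field (offset 0x20, little endian) must agree."""
    return (len(data) >= 0x70 and data[:8] == DEX_MAGIC
            and int.from_bytes(data[0x20:0x24], "little") == len(data))


def recover_xor_key(cipher: bytes, max_key_len: int = 8):
    """Known-plaintext recovery: the DEX magic fixes the first key bytes, and the
    file_size check validates the guess, which also rules out non-XOR blobs."""
    for k in range(1, max_key_len + 1):
        key = bytes(c ^ p for c, p in zip(cipher[:k], DEX_MAGIC[:k]))
        plain = xor_repeat(key, cipher)
        if looks_like_dex(plain):
            return key, plain
    return None


def is_expected_entry(name: str) -> bool:
    """Entries a normal build produces; any other high-entropy file is worth a look."""
    if name.startswith("META-INF/") or name in ("AndroidManifest.xml", "resources.arsc"):
        return True
    if name.startswith("lib/") and name.endswith(".so"):
        return True
    if "/" not in name and name.startswith("classes") and name.endswith(".dex"):
        return True
    return name.endswith((".png", ".jpg", ".webp", ".xml", ".ttf", ".otf"))


def triage_apk(apk_bytes: bytes, rc4_keys=()) -> list:
    """Return one finding per suspicious entry, with the decryption method if one works."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/") or is_expected_entry(name):
                continue
            blob = zf.read(name)
            ent = shannon_entropy(blob)
            if ent < ENTROPY_THRESHOLD:
                continue
            finding = {"path": name, "entropy": round(ent, 2), "method": None, "key": None}
            for key in rc4_keys:                      # stage 1: hardcoded RC4 key candidates
                if looks_like_dex(rc4(key, blob)):
                    finding.update(method="rc4", key=key)
                    break
            if finding["method"] is None:             # stage 2: short repeating XOR key
                hit = recover_xor_key(blob)
                if hit:
                    finding.update(method="xor", key=hit[0])
            findings.append(finding)
    return findings


def make_fake_dex(total_len: int = 4096) -> bytes:
    """Constructed stand-in for a DEX: real magic and file_size, pseudo-random body."""
    body = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest()
                    for i in range(total_len // 32 + 1))
    return (DEX_MAGIC + bytes(24) + total_len.to_bytes(4, "little") + body)[:total_len]


def build_sample_apk() -> bytes:
    """Constructed dropper-like APK: benign entries plus two hidden encrypted payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", make_fake_dex(2048))                 # expected, skipped
        zf.writestr("assets/channels.json", b'{"iptv": []}')              # benign, low entropy
        zf.writestr("assets/iptv/cache/.idx", rc4(SAMPLE_RC4_KEY, make_fake_dex()))
        zf.writestr("res/raw/theme/.pack", xor_repeat(SAMPLE_XOR_KEY, make_fake_dex(3072)))
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_apk(build_sample_apk(), rc4_keys=[SAMPLE_RC4_KEY]):
        print(f)
```

Run against a real dropper, the RC4 candidate list is whatever keys static analysis of the loader pulled out; the XOR recovery needs no key at all, which is why a single-layer XOR wrapper buys the operator little against anyone who opens the archive. A finding with method None is still a lead: it means a packer such as the one the article names, or a payload fetched at runtime rather than bundled.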
Capabilities and Control
After installation, Mirax masquerades as a legitimate video application and requests Accessibility permissions. Once granted, these permissions allow the malware to operate entirely in the background, bypassing typical security controls. The malware displays fake error pages and uses UI overlays to steal credentials and maintain persistence.
The RAT capabilities are comprehensive. Attackers can control the screen in real time, steal data, manage installed applications, perform spyware functions, and exfiltrate information via WebSocket connections to command servers. The most distinctive feature is its ability to transform infected devices into SOCKS5 residential proxies, masking attacker activity and allowing them to conduct fraud, perform lateral movement through networks, or launch distributed denial-of-service attacks while appearing to originate from legitimate residential IP addresses.
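The residential-proxy function is the part of this picture a network defender can actually see: a handset on the Wi-Fi segment that starts answering inbound SOCKS5 handshakes is behaving as a server, which no legitimate phone app does. The following added example (not code from the article or from Cleafy) parses the RFC 1928 client greeting and request messages from captured first-packet payloads and reports which mobile devices accepted proxy requests and where those requests pointed, tagging private destinations as a possible pivot into the network. The flow records, addresses, and port are constructed; the article does not state how Mirax's proxy component is reached, so the detection key is the protocol itself rather than any particular port.

```python
"""Detect mobile devices acting as SOCKS5 servers from captured flow payloads.

Added example, not part of the original article. Flow records below are constructed
(documentation IP ranges); mobile_subnet is whatever range the handsets live in.
"""
import ipaddress

SOCKS_VERSION = 0x05
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_greeting(payload: bytes):
    """Client greeting: VER NMETHODS METHODS[NMETHODS]. Returns the method list or None."""
    if len(payload) < 3 or payload[0] != SOCKS_VERSION:
        return None
    n = payload[1]
    if n == 0 or len(payload) != 2 + n:
        return None
    return list(payload[2:2 + n])


def parse_request(payload: bytes):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns a dict or None."""
    if len(payload) < 5 or payload[0] != SOCKS_VERSION:
        return None
    if payload[1] not in COMMANDS or payload[2] != 0x00:
        return None
    atyp = payload[3]
    if atyp == 0x01:                       # IPv4, 4 bytes
        off, host_bytes = 8, payload[4:8]
        host = str(ipaddress.IPv4Address(host_bytes)) if len(host_bytes) == 4 else None
    elif atyp == 0x04:                     # IPv6, 16 bytes
        off, host_bytes = 20, payload[4:20]
        host = str(ipaddress.IPv6Address(host_bytes)) if len(host_bytes) == 16 else None
    elif atyp == 0x03:                     # domain name, 1-byte length prefix
        n = payload[4]
        off = 5 + n
        host = payload[5:off].decode("ascii", errors="replace") if len(payload) >= off else None
    else:
        return None
    if host is None or len(payload) < off + 2:   # truncated or malformed request
        return None
    port = int.from_bytes(payload[off:off + 2], "big")
    return {"cmd": COMMANDS[payload[1]], "host": host, "port": port}


def is_internal(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:                     # domain names are not classified
        return False


def find_socks5_servers(flows, mobile_subnet: str) -> dict:
    """flows: iterable of (src_ip, dst_ip, dst_port, first_payload_bytes) in capture order.
    Returns {handset_ip: [request, ...]} for handsets that accepted a SOCKS5 greeting."""
    net = ipaddress.ip_network(mobile_subnet)
    greeted, findings = set(), {}
    for src, dst, dport, payload in flows:
        if ipaddress.ip_address(dst) not in net:   # only handsets in the server role
            continue
        endpoint = (src, dst, dport)
        if parse_greeting(payload) is not None:
            greeted.add(endpoint)
            findings.setdefault(dst, [])
            continue
        if endpoint in greeted:
            req = parse_request(payload)
            if req is not None:
                req["internal"] = is_internal(req["host"])
                findings[dst].append(req)
    return findings


# Constructed capture: one handset (10.20.4.17) serving an external client.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.20.4.17", 3388, b"\x05\x01\x00"),                       # greeting, no auth
    ("203.0.113.7", "10.20.4.17", 3388,
     b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x01\xbb"),         # CONNECT example.com:443
    ("203.0.113.7", "10.20.4.17", 3388,
     b"\x05\x01\x00\x01" + bytes([192, 168, 1, 10]) + b"\x00\x50"),             # CONNECT 192.168.1.10:80
    ("10.20.9.3", "198.51.100.5", 443, b"\x16\x03\x01\x00\x10"),                # handset as TLS client
    ("203.0.113.9", "10.20.4.17", 3388, b"\x04\x01\x00\x50"),                   # SOCKS4, ignored
    ("203.0.113.7", "10.20.4.17", 3388, b"\x05\x01\x00\x03\x20abc"),            # truncated, ignored
]

if __name__ == "__main__":
    for handset, requests in find_socks5_servers(SAMPLE_FLOWS, "10.20.0.0/16").items():
        print(handset, requests)
```

Feeding this from a sensor means keeping the first payload bytes of each new TCP flow toward the handset range; the greeting is three bytes in the common no-authentication case, so a one-packet match is enough to raise an alert, and the internal flag on a subsequent request is the signal that the proxy is being used for the lateral movement the article describes rather than for external fraud traffic.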
Evolution of Mobile Malware Distribution
Mirax demonstrates a significant shift in how cybercriminals organize mobile malware campaigns. Rather than operating as an open malware-as-a-service available to any buyer, Mirax uses a highly controlled and exclusive distribution model limited to a small number of trusted affiliates. This approach reduces the risk of source code leaks, decreases detection likelihood, and allows the malware to remain operationally active for extended periods.
The campaign reflects growing trends in attack methodology: abusing legitimate platforms to distribute malware at scale, combining social engineering with advanced evasion techniques, and recognizing the value of residential proxy functionality. The fact that over 220,000 users were compromised demonstrates the effectiveness of this approach, even while operating under restricted distribution.
Sources
https://securityaffairs.com/190842/uncategorized/mirax-malware-campaign-hits-220k-accounts-enables-full-remote-control.html
https://x.com/hackplayers/status/2044384009950564646