Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads
TL;DR
A new Android Remote Access Trojan (RAT) named Mirax is targeting Spanish-speaking users through deceptive ads on Facebook and Instagram. Reaching over 220,000 accounts, the malware not only steals credentials via overlays but also transforms infected smartphones into residential SOCKS5 proxy nodes to help attackers bypass fraud detection.
A sophisticated new threat is emerging in the mobile landscape. Security researchers at the Italian fraud prevention firm Cleafy have identified a nascent Android Remote Access Trojan (RAT) dubbed Mirax.
While many RATs focus solely on data theft, Mirax distinguishes itself by turning compromised devices into a massive residential proxy botnet. By leveraging the victim’s legitimate IP address, threat actors can conduct fraudulent transactions and account takeovers while remaining virtually invisible to standard geolocation and fraud-detection systems.
Global Reach Through Meta Advertising
The Mirax campaign has achieved significant scale by exploiting Meta’s advertising ecosystem. Attackers have been observed running ads across Facebook, Instagram, Messenger, and Threads.
According to researchers, the campaign has reached more than 220,000 accounts, with a heavy focus on Spanish-speaking countries. One specific ad promoting a streaming service for live sports and movies—active as of April 6, 2026—alone reached nearly 191,000 users.
The attack chain typically follows this path:
- Malicious Ads: Users see ads for "StreamTV" or "Reproductor de video" offering free movies and sports.
- Deceptive Landing Pages: The ads link to web pages that implement device checks to ensure the visitor is on a mobile device, a tactic used to evade automated security scanners.
- GitHub Hosting: The malicious dropper APK files are often hosted on GitHub to appear legitimate.
- Social Engineering: Once the dropper is installed, it prompts the user to allow "installation from unknown sources" to deploy the final Mirax payload.
Beyond the Typical RAT: SOCKS5 Capabilities
While Mirax includes standard RAT features—such as keylogging, photo theft, screen monitoring, and the ability to run remote commands—its most potent feature is its proxy integration.
Using the SOCKS5 protocol and Yamux multiplexing, Mirax establishes persistent proxy channels. This allows the "Mirax Bot" operators to route their own malicious traffic through the victim’s device.
Why this matters: When an attacker tries to log into a stolen bank account using the victim's own IP address and location, security systems are far less likely to flag the activity as suspicious.
Technical Infrastructure
The malware establishes three distinct bidirectional Command-and-Control (C2) channels via WebSockets:
- Port 8443: Dedicated to remote access and command execution.
- Port 8444: Used for remote streaming and data exfiltration.
- Port 8445: Reserved specifically for setting up the residential SOCKS5 proxy.
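The three-port layout above is a usable detection signal. The following is an added example (not code from the researchers or the article) that scans connection logs for a single client holding WebSocket sessions to the same destination on all of ports 8443, 8444 and 8445, plus a weaker triage match for clients that hit only two of them. The log format, the hostnames (reserved `.invalid` names) and the client addresses are constructed for the example; adapt `LINE_RE` to your own proxy or firewall log layout.

```python
import re
from collections import defaultdict

# Ports the article attributes to Mirax's three WebSocket C2 channels.
MIRAX_C2_PORTS = {8443, 8444, 8445}

# Constructed sample log lines; no real hosts or infrastructure.
SAMPLE_LOG = """\
2026-04-06T10:00:01Z src=10.0.0.12 dst=c2-a.example.invalid dport=8443 proto=websocket
2026-04-06T10:00:02Z src=10.0.0.12 dst=c2-a.example.invalid dport=8444 proto=websocket
2026-04-06T10:00:03Z src=10.0.0.12 dst=c2-a.example.invalid dport=8445 proto=websocket
2026-04-06T10:01:10Z src=10.0.0.13 dst=api.example.invalid dport=8443 proto=websocket
2026-04-06T10:01:11Z src=10.0.0.13 dst=api.example.invalid dport=443 proto=https
2026-04-06T10:02:00Z src=10.0.0.14 dst=c2-b.example.invalid dport=8445 proto=websocket
2026-04-06T10:02:01Z src=10.0.0.14 dst=c2-b.example.invalid dport=8444 proto=websocket
"""

# Hypothetical key=value layout; change this to match the real log source.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)"
)


def parse_line(line):
    """Return (src, dst, dport, proto) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["proto"].lower()


def _websocket_ports_by_pair(lines):
    """Collect the set of WebSocket destination ports per (client, destination) pair."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, proto = rec
        if proto == "websocket":
            seen[(src, dst)].add(dport)
    return seen


def find_mirax_like_c2(lines, required_ports=MIRAX_C2_PORTS):
    """Strong signal: one client with WebSocket sessions on every required port
    to the same destination. Returns sorted (src, dst, ports) tuples."""
    hits = []
    for (src, dst), ports in sorted(_websocket_ports_by_pair(lines).items()):
        if required_ports <= ports:
            hits.append((src, dst, tuple(sorted(ports))))
    return hits


def partial_matches(lines, required_ports=MIRAX_C2_PORTS, minimum=2):
    """Weaker triage signal: at least `minimum` of the required ports, but not
    all of them (full matches are reported by find_mirax_like_c2)."""
    hits = []
    for (src, dst), ports in sorted(_websocket_ports_by_pair(lines).items()):
        overlap = required_ports & ports
        if minimum <= len(overlap) < len(required_ports):
            hits.append((src, dst, tuple(sorted(overlap))))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in find_mirax_like_c2(lines):
        print("full C2 pattern:", hit)
    for hit in partial_matches(lines):
        print("partial pattern:", hit)
```

A single WebSocket session on 8443 is common legitimate traffic, which is why the rule keys on the co-occurrence of all three ports against one destination from one client rather than on any port alone; the partial match exists only to surface candidates for manual review.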
Malware-as-a-Service (MaaS) Pricing
Mirax isn't just a tool; it's a business. Details first surfaced via Outpost24’s KrakenLabs, which discovered the "Mirax Bot" threat actor advertising the malware on underground forums.
The malware is offered under a highly controlled "Malware-as-a-Service" model:
- Full Suite: $2,500 for a three-month subscription.
- Lightweight Variant: $1,750 per month (excludes proxy features and Google Play Protect bypass).
Researchers noted that the developers prioritize Russian-speaking affiliates with established reputations, suggesting a focused effort to maintain operational security and prevent the malware from being leaked or analyzed too quickly.
Evasion and Persistence
Once installed, Mirax masquerades as a video playback utility. It aggressively prompts the user to enable Accessibility Services. If granted, the malware can:
- Run silently in the background.
- Display fake error messages to make the user think the installation failed.
- Render dynamic HTML overlay pages over legitimate banking or social media apps to steal credentials.
To further protect the APKs from detection, the Mirax builder allows attackers to choose between two different "crypters"—Virbox and Golden Crypt—which encrypt the malicious code to bypass Google Play Protect and other mobile security suites.
A Growing Trend in Mobile Threats
The discovery of Mirax coincides with reports of other regional threats, such as ASO RAT, an Arabic-language malware targeting Syrian users via fake PDF readers.
However, Cleafy researchers warn that Mirax represents a "new phase" in the threat landscape. By embedding proxy functionality into a full-featured banking trojan, threat actors are no longer just stealing data—they are turning every infected phone into a piece of their own criminal infrastructure.
Source
The Hacker News: Mirax Android RAT Turns Devices into SOCKS5 Proxies