Ethical Hacking News

The Mirax Malware Campaign: A Sophisticated Android RAT with Evasive Capabilities


Mirax, a new Android RAT spread via Meta ads, has infected 220,000 users and turns devices into SOCKS5 proxies, giving attackers full remote control. The malware is sold as malware-as-a-service and shows how mobile threats are evolving in scale and sophistication.

  • Mirax is a tightly controlled Android RAT that primarily targets Spanish-speaking regions.
  • The malware distributes itself through a multi-stage campaign using Meta ads on platforms like Facebook and Instagram.
  • Mirax uses droppers hosted on GitHub Releases, frequently updated to evade security checks.
  • The malware poses as an IPTV app and tricks users into enabling installation from unknown sources.
  • Mirax offers full RAT capabilities, including screen control, data theft, and spyware functions.
  • The malware can turn infected devices into SOCKS5 residential proxies, masking attacker activity.
  • Attackers use legitimate platforms like Meta ads to distribute malicious apps and evade detection.



The cyber threat landscape continues to evolve, and a recent campaign by a sophisticated Android Remote Access Trojan (RAT) called Mirax has left security experts buzzing. The malware was first identified in December 2025 and has been actively monitored since March 2026, when multiple campaigns targeting primarily Spanish-speaking regions were observed.

Mirax is a tightly controlled and exclusive Android RAT, limited to a small number of affiliates rather than offered openly like typical MaaS. It is distributed through a multi-stage campaign that uses Meta ads on Facebook and Instagram to lure users into downloading malicious apps. Victims are redirected to phishing sites offering fake services, such as illegal sports-streaming apps, which exploit users' trust to get them to sideload APKs.

The malware is delivered via droppers hosted on GitHub Releases, which are frequently updated and repacked to evade security checks. Once installed, the dropper unpacks the heavily obfuscated payload, which connects to its operators via WebSockets. Attackers also reuse existing GitHub releases instead of creating new ones, which makes detection harder.

Mirax uses a two-stage infection chain, with a dropper designed to hide the real malware and the permissions it needs. The dropper is disguised as an IPTV app and tricks users into enabling installation from unknown sources. It carries an encrypted .dex file hidden deep in the app structure, relying on obfuscation and uncommon paths to evade analysis.

Once executed, the dropper extracts the payload and decrypts it using RC4 with a hardcoded key, revealing the malicious code. The final payload is another encrypted APK stored inside the app; it is decrypted with XOR and then installed, and in some cases it can also be downloaded remotely. Mirax relies on packers such as Golden Encryption to avoid detection and uses dynamic loading to stay hidden.
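The two-stage layout just described (an encrypted .dex recovered with RC4 under a hardcoded key, then an XOR-wrapped inner APK) is the kind of thing an analyst can check for statically before running anything. The following is an added example, not code from the report or from the Mirax dropper: a small Python triage routine that walks an APK's zip entries, skips the normal classes*.dex files, and tests whether any other entry is, or decrypts under candidate RC4 or XOR keys to, something with a DEX or ZIP header. The keys and the sample APK are placeholders constructed here; the real key would have to be recovered from the dropper's own decryption routine.

```python
import io
import re
import zipfile

DEX_MAGIC = b"dex\n"        # every dex version header begins "dex\n0NN\0"
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a zip/APK
CLASSES_DEX = re.compile(r"^classes\d*\.dex$")

# Placeholder keys (constructed here, NOT Mirax's real keys): an analyst would
# recover the hardcoded key from the dropper's decryption routine and put it here.
CANDIDATE_RC4_KEYS = [b"PLACEHOLDER-RC4-KEY"]
CANDIDATE_XOR_KEYS = [b"\x5a"]


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA). RC4 is symmetric, so this also decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_repeating(key, data):
    """Repeating-key XOR, the transform the report describes for the inner APK."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def classify(head):
    """Return the container type implied by the first bytes, or None."""
    if head.startswith(DEX_MAGIC):
        return "dex"
    if head.startswith(ZIP_MAGIC):
        return "zip/apk"
    return None


def triage_apk(apk_bytes, rc4_keys=CANDIDATE_RC4_KEYS, xor_keys=CANDIDATE_XOR_KEYS):
    """Scan every non-standard entry of an APK and report entries that are, or
    decrypt under a candidate key to, a DEX or ZIP. Only a header-sized prefix is
    decrypted: RC4 and repeating XOR are both position-dependent streams, so the
    first bytes of the prefix equal the first bytes of the full decryption."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or CLASSES_DEX.match(info.filename):
                continue
            head = zf.read(info.filename)[:16]
            if len(head) < 8:
                continue
            kind = classify(head)
            if kind:
                findings.append((info.filename, "plain", kind))
                continue
            hit = None
            for key in rc4_keys:
                kind = classify(rc4(key, head))
                if kind:
                    hit = ("rc4", kind)
                    break
            if hit is None:
                for key in xor_keys:
                    kind = classify(xor_repeating(key, head))
                    if kind:
                        hit = ("xor", kind)
                        break
            if hit:
                findings.append((info.filename, hit[0], hit[1]))
    return findings


def build_constructed_sample():
    """Constructed fixture, not a real Mirax dropper: a minimal zip laid out like the
    two-stage chain described above, so triage_apk() has something to run on."""
    stage1 = b"dex\n035\x00" + bytes(range(64))   # fake dex header + filler
    stage2 = ZIP_MAGIC + bytes(64)                # fake inner APK
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(16))   # normal, skipped
        zf.writestr("res/raw/intro.bin", bytes(32))               # opaque, no match
        zf.writestr("assets/fonts/cache/.idx", rc4(CANDIDATE_RC4_KEYS[0], stage1))
        zf.writestr("assets/ui/splash.dat", xor_repeating(CANDIDATE_XOR_KEYS[0], stage2))
    return buf.getvalue()


if __name__ == "__main__":
    for path, transform, kind in triage_apk(build_constructed_sample()):
        print(f"{path}: {kind} ({transform})")
```

Because only the first 16 bytes of each entry are decrypted, the scan is cheap even on large APKs; a hit on a non-classes path is the cue to extract that entry fully and load it into a dex decompiler. Packers such as the one the report names typically add another layer on top of this, so a clean scan is not proof of absence.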

After installation, the malware poses as a video app and requests Accessibility permissions. Once granted, it runs silently in the background, displays fake error pages, and uses overlays to steal credentials, bypass security controls, and maintain persistence.

It offers full RAT capabilities, including screen control, data theft, app management, and spyware functions. A key feature of Mirax is its ability to turn infected devices into SOCKS5 residential proxies, which mask attacker activity and enable broader attacks such as fraud, lateral movement, and DDoS.

Mirax highlights the evolution of Android malware, shifting from broad malware-as-a-service to a more restricted "private MaaS" model. By limiting access to trusted actors, attackers reduce the risk of leaks and detection. This approach allows the malware to operate more stealthily and remain active for longer periods without attracting attention.

Attackers abuse trusted platforms to spread malware at scale, using evasion tricks to bypass detection and reach hundreds of thousands of users quickly. Using legitimate platforms such as Meta ads to distribute malicious apps is a new tactic that has proven effective in spreading Mirax.

The introduction of SOCKS5 residential proxy functionality into an Android RAT is groundbreaking for several reasons. First, malware developers recognize the profitability of residential proxies: they obscure the attacker's origin IP address, making traffic appear to come from legitimate residential subnets. Second, a residential proxy component needs fewer permissions than a full Remote Access Trojan (RAT), so the threat actor can deploy it even when the full infection process is incomplete.

Consequently, the actor avoids losing these devices entirely and can keep them in the botnet. The Mirax campaign reflects a growing trend of abusing legitimate platforms, combining social engineering, evasive techniques, and scalable distribution methods.
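A SOCKS5 session is easy to recognise on the wire, which is what makes the proxy component detectable on a network even when the RAT side of the infection never completed. The following is an added example, not code from the report: a Python parser for the RFC 1928 client greeting and request, run over a few constructed flow prefixes (marked as such, not captured traffic) to flag which ones are SOCKS5 and where they are trying to connect. It assumes the client-to-server bytes of each flow have already been reassembled in order.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_greeting(data):
    """RFC 1928 client greeting: VER | NMETHODS | METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return {"methods": list(data[2:2 + nmethods]), "consumed": 2 + nmethods}


def parse_request(data):
    """RFC 1928 request: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in COMMANDS:
        return None
    pos = 4
    if atyp == ATYP_IPV4:
        if len(data) < pos + 4:
            return None
        host = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        pos += 4
    elif atyp == ATYP_IPV6:
        if len(data) < pos + 16:
            return None
        host = str(ipaddress.IPv6Address(data[pos:pos + 16]))
        pos += 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < pos + 1:
            return None
        length = data[pos]
        pos += 1
        if length == 0 or len(data) < pos + length:
            return None
        host = data[pos:pos + length].decode("ascii", "replace")
        pos += length
    else:
        return None
    if len(data) < pos + 2:
        return None
    port = struct.unpack("!H", data[pos:pos + 2])[0]
    return {"cmd": COMMANDS[cmd], "host": host, "port": port, "consumed": pos + 2}


def classify_flow(client_bytes):
    """Take the reassembled client-to-server bytes at the start of a TCP flow and
    return a SOCKS5 summary, or None if the flow does not open with a SOCKS5 greeting."""
    greeting = parse_greeting(client_bytes)
    if greeting is None:
        return None
    request = parse_request(client_bytes[greeting["consumed"]:])
    return {"methods": greeting["methods"], "request": request}


# Constructed flow prefixes (not captured traffic) to exercise the classifier.
CONSTRUCTED_FLOWS = {
    "socks5_connect_domain": (
        bytes([5, 1, 0])                                   # greeting: no-auth only
        + bytes([5, 1, 0, 3, 11]) + b"example.com"         # CONNECT example.com
        + struct.pack("!H", 443)
    ),
    "socks5_connect_ipv4": (
        bytes([5, 2, 0, 2])                                # greeting: no-auth or user/pass
        + bytes([5, 1, 0, 1, 192, 0, 2, 10])               # CONNECT 192.0.2.10 (TEST-NET-1)
        + struct.pack("!H", 80)
    ),
    "tls_client_hello": bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01]),
    "http_get": b"GET / HTTP/1.1\r\n",
}


def scan_flows(flows):
    """Return only the flows that speak SOCKS5, keyed by flow name."""
    hits = {}
    for name, data in flows.items():
        summary = classify_flow(data)
        if summary is not None:
            hits[name] = summary
    return hits


if __name__ == "__main__":
    for name, summary in scan_flows(CONSTRUCTED_FLOWS).items():
        req = summary["request"]
        dest = f"{req['cmd']} {req['host']}:{req['port']}" if req else "greeting only"
        print(f"{name}: methods={summary['methods']} {dest}")
```

One caveat for mobile botnets: the infected phone usually dials out to the operator's server, and the SOCKS5 greeting then arrives from the remote end over that existing connection, so the side that sends the greeting is not necessarily the side that opened the TCP session. Running the classifier on both directions of every flow from the device, and alerting when a handset answers SOCKS5 requests at all, covers that case.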

The Mirax malware campaign has already reached over 200,000 users, enabling full remote control over infected devices. It highlights the importance of staying vigilant and keeping devices up to date with security patches to avoid falling victim to such sophisticated threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Mirax-Malware-Campaign-A-Sophisticated-Android-RAT-with-Evasive-Capabilities-ehn.shtml

  • https://securityaffairs.com/190842/uncategorized/mirax-malware-campaign-hits-220k-accounts-enables-full-remote-control.html


Published: Wed Apr 15 07:30:45 2026 by llama3.2 3B Q4_K_M