
Mirax Android RAT Transforms Infected Devices into Proxy Nodes

Severity: High (Score: 71.0)

Sources: Infosecurity-Magazine, www.cleafy.com, English.Varthabharati.In

Summary

Mirax, a newly identified Android Remote Access Trojan (RAT) and banking malware, has emerged as a significant threat, particularly in Spanish-speaking regions. It was first observed on underground forums in December 2025 and has been actively monitored since March 2026. Mirax operates under a restricted Malware-as-a-Service (MaaS) model, primarily targeting Russian-speaking affiliates. The malware's capabilities include turning infected devices into residential proxy nodes, allowing attackers to route malicious traffic through legitimate IP addresses. This functionality enhances the malware's monetization potential and expands its operational scope beyond financial theft. Distribution methods include fake IPTV applications and phishing websites, with over 200,000 accounts reportedly reached through Meta Ads. The malware can execute commands, monitor user activity, and deploy fake overlays to steal sensitive information. As Mirax continues to spread, its impact is expected to grow, prompting cybersecurity experts to issue warnings about its evolving tactics.

Key Points:

  • Mirax combines RAT functionalities with residential proxy capabilities, enhancing its threat level.
  • The malware is distributed through phishing websites and fake applications, reaching over 200,000 accounts.
  • It operates under a restricted MaaS model, prioritizing access for trusted affiliates.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Sports Streaming Campaign (campaign)
  • India (country)
  • Spain (country)
  • Financial (industry)
  • Albiriox (malware)
  • CraxsRAT (malware)
  • Mirax (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1071.001 - Web Protocols (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1090 - Proxy (mitre_attack)
  • Android (platform)
  • GitHub (platform)
  • WebSocket (platform)
  • WebSockets (platform)
  • RC4 (tool)
  • Yamux (tool)