Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaches 220,000 with Meta Ads

An emerging Android remote access trojan called Mirax is actively targeting users in Spanish-speaking countries, with campaigns reaching more than 220,000 accounts on Facebook, Instagram, Messenger, and Threads through Meta ads.
“Mirax includes advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully communicate with vulnerable devices in real time,” said Italian anti-fraud company Cleafy.
“Besides traditional RAT behavior, Mirax improves its performance by turning infected devices into resident proxy nodes. Using SOCKS5 protocol support and Yamux replication, it establishes persistent proxy channels that allow attackers to route their traffic through the victim’s real IP address.”
Details of Mirax first surfaced last month, when Outpost24’s KrakenLabs revealed that a threat actor named “Mirax Bot” was promoting a private malware-as-a-service (MaaS) offering on underground platforms for $2,500 for a three-month subscription. Also available, for $1,750 per month, is a lighter variant that lacks some features, such as the proxy and the ability to bypass Google Play Protect using a crypter.
Like other Android malware, Mirax can capture keystrokes, steal images, collect lock screen information, execute commands, navigate the user interface, and monitor user activity on the compromised device. It can also download HTML overlay pages from a command-and-control (C2) server to serve phishing pages that impersonate legitimate applications.
The SOCKS proxy functionality, on the other hand, is a lesser-known feature that sets it apart from standard RAT behavior. A proxy botnet offers several advantages: it allows malicious actors to circumvent location-based restrictions, evade fraud detection systems, and conduct account or transaction fraud with a greater appearance of anonymity and legitimacy.
“Unlike typical MaaS offerings, Mirax is distributed in a highly controlled and exclusive model, limited to a small number of partner companies,” said researchers Alberto Giust, Alessandro Strino, and Federico Valentini. “Access appears to be prioritized for Russian-speaking players with strong reputations in underground communities, indicating a deliberate effort to maintain operational security and campaign success.”
Attack chains distributing the malware use Meta ads to promote web pages offering dropper apps, tricking unsuspecting users into downloading them. As many as six ads have been observed actively promoting a streaming service that claims to offer free access to sports and movies. Of these, five ads target Spanish users. One of the ads, which ran on April 6, 2026, reached 190,987 accounts.

The dropper app URLs use a check to ensure they are only reachable from mobile devices, preventing automated scanners from revealing their true colors. The malicious apps are listed below –
- StreamTV (org.lgvvfj.pluscqpuj or org.dawme.secure5ny) – Dropper app
- Video Producer (org.yjeiwd.plusdc71 or org.azgaw.managergst1d) – Mirax
A notable feature of the campaign is the use of GitHub to host the APK files. In addition, the builder panel offers a choice between two crypters – Virbox and Golden Crypt (also known as Golden Encryption) – for enhanced APK protection.
Once installed, the dropper instructs users to enable installation from unknown sources so the malware can be installed. The final payload delivery process is a “complex, multi-stage operation” designed to bypass security analysis and automated sandboxing tools.
The malware, once installed on the device, poses as a video player and prompts the victim to grant it accessibility services, which allows it to run in the background, display a fake error message stating that installation failed, and show fake overlays to hide its malicious activity.
It also establishes multiple bi-directional C2 channels for command processing and data exfiltration –
- WebSocket on port 8443, to manage remote access and execute remote commands.
- WebSocket on port 8444, to handle remote streaming and data output.
- WebSocket on port 8445 (or custom port), to set up a local proxy using SOCKS5.
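As an added illustration (not code from the Cleafy report or from the malware itself), the following Python snippet applies the channel layout above to constructed flow records: a device holding long-lived sessions to the same host on both 8443 and 8444 is flagged, and any further long-lived port to that host is reported as the candidate SOCKS5 proxy channel, covering the “custom port” case. The log format, IP addresses, and duration threshold are assumptions.

```python
from collections import defaultdict

# Constructed flow log lines (not real telemetry): src dst dport duration_s
SAMPLE_FLOW_LOG = """\
10.0.0.12 203.0.113.50 8443 3600
10.0.0.12 203.0.113.50 8444 3500
10.0.0.12 203.0.113.50 9001 3400
10.0.0.12 203.0.113.50 443 2
10.0.0.7 198.51.100.9 8443 120
10.0.0.7 198.51.100.9 443 1800
"""

# Ports the report attributes to the RAT command and streaming channels.
# Requiring both cuts false positives from ordinary alt-HTTPS on 8443.
RAT_PORTS = {8443, 8444}
MIN_DURATION = 600  # seconds; assumed threshold for a "persistent" session


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, port, duration)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, duration = line.split()
        flows.append((src, dst, int(port), int(duration)))
    return flows


def flag_mirax_like(flows, min_duration=MIN_DURATION):
    """Return (src, dst) pairs with long-lived sessions on both RAT ports.

    Any extra long-lived port to the same host is listed as the probable
    proxy channel (8445 by default, or a custom port per the report).
    """
    ports_by_pair = defaultdict(set)
    for src, dst, port, duration in flows:
        if duration >= min_duration:
            ports_by_pair[(src, dst)].add(port)
    hits = []
    for (src, dst), ports in ports_by_pair.items():
        if RAT_PORTS <= ports:
            hits.append({"src": src, "dst": dst,
                         "proxy_ports": sorted(ports - RAT_PORTS)})
    return hits


if __name__ == "__main__":
    for hit in flag_mirax_like(parse_flows(SAMPLE_FLOW_LOG)):
        print(hit)
```

On the constructed sample only 10.0.0.12 is flagged; 10.0.0.7 has a single short 8443 session and is ignored.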
“This convergence of RAT and proxy capabilities reflects a broader shift in the threat landscape,” Cleafy said. “While residential proxy exploitation has historically been associated with vulnerable IoT devices and low-cost Android hardware such as smart TVs, Mirax marks a new stage by embedding this functionality within a feature-rich banking trojan.”
“This method of monetization not only increases the monetization potential of each infection but also increases the scope of operations of attackers, who can now use vulnerable machines for both direct financial fraud and the infrastructure of cybercrime activities more widely.”
The disclosure comes as Breakglass Intelligence describes an Arabic-language Android RAT called ASO RAT that is distributed through apps disguised as PDF readers and Syrian government applications.
“The platform provides the full capabilities of a compromised device – SMS blocking, camera access, GPS tracking, call logging, file extraction, and DDoS launch on victim devices,” the company said. “A multi-user panel with role-based access control suggests this works as a RAT-as-a-Service or supports a multi-user team.”
It is not yet known what the campaign’s ultimate goals are, but the apps’ Syria-themed lures (e.g., SyriaDefenseMap and GovLens) suggest it may target people interested in Syrian military or administrative affairs as part of what is suspected to be a surveillance operation.