Threats

Mirax Android RAT Converts Infected Phones into Residential Proxy Nodes

Emy Elsamnoudy
April 14, 2026

Key Takeaways

  • Mirax, a novel Android Remote Access Trojan (RAT), has been observed in underground forums since late 2025.
  • The malware not only steals banking credentials but also transforms infected Android devices into residential proxy nodes, allowing attackers to route malicious traffic through legitimate user IP addresses.
  • Distributed as a Malware-as-a-Service (MaaS) to a restricted group of primarily Russian-speaking affiliates, Mirax campaigns have already reached over 200,000 accounts via paid Meta advertisements.
  • The infection chain typically begins with social media ads leading to phishing sites that mimic streaming services, tricking users into sideloading the malware.
  • The residential proxy functionality enables attackers to bypass geolocation, evade fraud detection, and execute various attacks appearing as regular home users.

Mirax Android RAT: A New Threat Turning Phones into Proxy Nodes

A sophisticated Android Remote Access Trojan (RAT) named Mirax has emerged in cybercriminal circles, posing a significant threat to mobile users across Europe and beyond. First documented in late 2025, this malware distinguishes itself from typical banking trojans by its dual functionality: it is designed to exfiltrate banking credentials while simultaneously converting compromised smartphones into residential proxy nodes. This approach allows threat actors to route illicit network traffic through a victim’s legitimate IP address, significantly complicating detection and attribution, as detailed in Cleafy’s recent analysis.


The development marks a notable evolution in mobile malware design and monetization strategies. Rather than solely focusing on direct financial theft, Mirax creates an infrastructure for further malicious activities, leveraging the victim’s device and internet connection.

Malware-as-a-Service and Controlled Distribution

Mirax operates as a Malware-as-a-Service (MaaS) offering, rented to a select group of criminal affiliates who launch independent campaigns. Unusually for open-market MaaS tools, access to Mirax is highly restricted, with preference given to trusted Russian-speaking actors within the cybercrime underground. This controlled distribution strategy suggests an intentional effort by the developers to maintain a low profile, thereby prolonging the malware’s operational lifespan and reducing the likelihood of early discovery by cybersecurity researchers.

Researchers at Cleafy began actively tracking Mirax in March 2026, after identifying multiple campaigns targeting Spanish-speaking users. Their investigation traced the malware’s initial appearance on underground forums back to December 19, 2025. Alarmingly, campaigns leveraging Mirax had already reached over 200,000 accounts through paid advertisements on Meta platforms, including Facebook and Instagram, demonstrating the rapid and aggressive deployment by its operators.

Infection Vector and Stealth Mechanisms

The infection process typically commences with deceptive social media advertisements. These ads lure potential victims to phishing websites that impersonate popular IPTV or illicit sports streaming services. Since such applications are not available on the Google Play Store, users are often predisposed to sideloading apps from unofficial sources, making them more susceptible to this social engineering tactic.

The dropper files for Mirax are hosted on GitHub’s Releases page. To evade hash-based detection, the operators rebuild and re-upload these files daily so that the package hash changes, even though the application content inside remains the same. Once downloaded and installed, the dropper silently decrypts and delivers the final malware payload onto the device.
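The daily re-packaging described above defeats any control that keys on the hash of the whole file. The following script is an added example (not code from the article or from Cleafy) that builds two APK-shaped zip archives in memory with identical manifest and dex content but a different build timestamp and an extra junk asset, then shows that their file hashes differ while a content fingerprint computed only over the code-bearing entries stays the same. The archives, package name and dex bytes are constructed placeholders, not Mirax samples.

```python
import hashlib
import io
import zipfile


def build_apk(dex, manifest, timestamp, extra=None):
    """Build a minimal APK-shaped zip (constructed sample, not a real app).
    `timestamp` stands in for a fresh daily build; `extra` for junk files a
    packer drops in to change the archive without touching the code."""
    entries = [("AndroidManifest.xml", manifest), ("classes.dex", dex)]
    entries += list((extra or {}).items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, data)
    return buf.getvalue()


def file_hash(apk):
    """What a hash blocklist keys on: the whole file."""
    return hashlib.sha256(apk).hexdigest()


def is_code_entry(name):
    # AndroidManifest.xml plus classes.dex, classes2.dex, ... carry the behaviour;
    # META-INF signature files and resources are deliberately ignored.
    return name == "AndroidManifest.xml" or (
        name.startswith("classes") and name.endswith(".dex")
    )


def content_fingerprint(apk):
    """SHA-256 over sorted (entry name, SHA-256 of entry bytes) pairs of the
    code-bearing entries only. Zip timestamps, entry order, signature files
    and added junk do not change it; a changed dex or manifest does."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in sorted(n for n in z.namelist() if is_code_entry(n)):
            h.update(name.encode("utf-8") + b"\x00")
            h.update(hashlib.sha256(z.read(name)).digest())
    return h.hexdigest()


# Constructed "day 1" and "day 2" drops: same manifest and dex, but a new
# build timestamp and one junk asset on day 2.
DEX = b"dex\n035\x00" + b"\x00" * 32 + b"CONSTRUCTED-NOT-A-REAL-DEX"
MANIFEST = b"<manifest package='com.example.tvplayer'/>"  # hypothetical package
DAY1 = build_apk(DEX, MANIFEST, (2026, 3, 1, 9, 0, 0))
DAY2 = build_apk(DEX, MANIFEST, (2026, 3, 2, 9, 0, 0),
                 extra={"assets/pad.bin": b"\x00" * 16})


def compare(a, b):
    """Whether the two files match under each detection key."""
    return {
        "file_hash_match": file_hash(a) == file_hash(b),
        "fingerprint_match": content_fingerprint(a) == content_fingerprint(b),
    }


if __name__ == "__main__":
    print(compare(DAY1, DAY2))  # {'file_hash_match': False, 'fingerprint_match': True}
```

The fingerprint only holds while the operators leave the dex untouched between builds; if they re-obfuscate the code daily as well, pivot instead on the signing certificate (if they reuse a key) or on behavioural indicators such as the Accessibility service declaration in the manifest.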

Following installation, Mirax masquerades as a video playback utility and immediately requests Accessibility Services permissions. Upon receiving these critical permissions, the malware operates stealthily in the background. To further obscure its presence, it displays a fake error page to the user, creating the impression that the installation failed to complete, thus deterring suspicion.
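Because the fake error page hides the app while the Accessibility grant is what gives the malware its power, the quickest triage on a suspect handset is to list which Accessibility services are enabled and which of those belong to packages that did not come from the Play Store. The script below is an added example (not part of the article or Cleafy's research) that parses the text printed by two standard adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`. The sample outputs and the `com.example.tvplayer` package are constructed, not captured from an infected device.

```python
import re

# Installers that count as "official". Anything else, or installer=null
# (what a manually sideloaded APK reports), is treated as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store


def parse_enabled_services(raw):
    """Value of enabled_accessibility_services: colon-separated component
    names, e.g. 'pkg/Service:pkg2/Service2'. Empty or 'null' means none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [s for s in raw.split(":") if s]


def parse_installers(raw):
    """Lines of 'package:<pkg>  installer=<installer>' -> {pkg: installer}."""
    out = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def suspicious_services(services_raw, packages_raw):
    """Enabled Accessibility services whose package was not installed by a
    trusted store, returned with the installer so the analyst sees why."""
    installers = parse_installers(packages_raw)
    findings = []
    for component in parse_enabled_services(services_raw):
        pkg = component.split("/", 1)[0]
        installer = installers.get(pkg, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            findings.append((component, installer))
    return findings


# Constructed adb output: a legitimate screen reader from Play plus a
# sideloaded "video player" holding the same privilege.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.tvplayer/com.example.tvplayer.PlaybackService"
)
SAMPLE_PACKAGES = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.tvplayer  installer=null
package:com.android.settings  installer=null"""


if __name__ == "__main__":
    for component, installer in suspicious_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW {component} (installer={installer})")
```

Preinstalled system apps also report `installer=null`, so on a real device cross-check any hit against `adb shell pm list packages -s` before concluding it was sideloaded; the point of the check is that a user-installed app with no store origin holding Accessibility is exactly the profile described above.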

The Residential Proxy Mechanism

One of Mirax’s most concerning features is its integrated residential proxy capability, a functionality that significantly expands its utility beyond conventional banking trojans. The malware establishes a persistent proxy tunnel between the infected device and an attacker-controlled relay server, utilizing the SOCKS5 protocol and Yamux multiplexing over WebSocket channels.

This sophisticated mechanism allows threat actors to route their internet traffic through the victim’s genuine residential IP address. From the perspective of target systems, this traffic appears to originate from an ordinary home user, rather than from known malicious infrastructure.
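In a reverse-proxy design like the one described, the infected device ends up playing the SOCKS5 server role: the relay sends it a CONNECT request naming the real destination, and the phone opens that connection from its own residential IP. The following parser is an added example (not Mirax code, and nothing here reproduces its Yamux or WebSocket framing) that decodes the plain SOCKS5 greeting and request defined in RFC 1928, so an analyst who has a decrypted or demultiplexed stream can pull out where the attacker was trying to go. The sample bytes and the `bank.example` host are constructed.

```python
import ipaddress
import struct

CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH_NAMES = {0x00: "NO_AUTH", 0x02: "USERNAME_PASSWORD", 0xFF: "NO_ACCEPTABLE"}


class Socks5Error(ValueError):
    pass


def parse_greeting(data):
    """Client greeting: VER(0x05) NMETHODS METHODS... -> (methods, consumed)."""
    if len(data) < 2 or data[0] != 0x05:
        raise Socks5Error("not a SOCKS5 greeting")
    n = data[1]
    if len(data) < 2 + n:
        raise Socks5Error("truncated greeting")
    methods = [AUTH_NAMES.get(m, "0x%02x" % m) for m in data[2:2 + n]]
    return methods, 2 + n


def parse_request(data):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT
    -> (command name, host, port, bytes consumed)."""
    def need(n):
        if len(data) < n:
            raise Socks5Error("truncated request")

    need(4)
    if data[0] != 0x05:
        raise Socks5Error("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        raise Socks5Error("unknown command 0x%02x" % cmd)
    pos = 4
    if atyp == 0x01:                      # IPv4, 4 bytes
        need(pos + 4)
        host, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == 0x04:                    # IPv6, 16 bytes
        need(pos + 16)
        host, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    elif atyp == 0x03:                    # domain name, 1-byte length prefix
        need(pos + 1)
        n = data[pos]
        need(pos + 1 + n)
        host = data[pos + 1:pos + 1 + n].decode("ascii")
        pos += 1 + n
    else:
        raise Socks5Error("unknown address type 0x%02x" % atyp)
    need(pos + 2)
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return CMD_NAMES[cmd], host, port, pos + 2


def build_reply(rep=0x00, bind_host="0.0.0.0", bind_port=0):
    """Server reply: VER REP RSV ATYP BND.ADDR BND.PORT (REP 0x00 = succeeded)."""
    return (bytes([0x05, rep, 0x00, 0x01])
            + ipaddress.IPv4Address(bind_host).packed
            + struct.pack("!H", bind_port))


# Constructed exchange: the relay asks the device to open a TCP connection
# to bank.example:443 on its behalf.
GREETING = b"\x05\x01\x00"
REQUEST = (b"\x05\x01\x00\x03" + bytes([len(b"bank.example")])
           + b"bank.example" + b"\x01\xbb")


def decode_exchange(greeting, request):
    methods, _ = parse_greeting(greeting)
    cmd, host, port, _ = parse_request(request)
    return {"methods": methods, "cmd": cmd, "host": host, "port": port}


if __name__ == "__main__":
    print(decode_exchange(GREETING, REQUEST))
    # {'methods': ['NO_AUTH'], 'cmd': 'CONNECT', 'host': 'bank.example', 'port': 443}
```

The destinations extracted this way are the real victims of the proxy abuse (the banks and platforms being hit from the phone's IP), which is why the traffic looks clean to those targets and why the phone's own outbound connection to the relay, a long-lived WebSocket carrying connections to unrelated hosts, is the better place for network defenders to look.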

The implications of this proxy functionality are substantial. Attackers can leverage compromised devices to bypass geolocation restrictions, circumvent anti-fraud systems, and conduct various illicit activities such as account takeovers, fraudulent transactions, and password spraying. Financial institutions and online platforms that rely on IP-based fraud detection are particularly vulnerable to this method. Cleafy researchers also highlighted that Mirax’s proxy module can activate even if the user denies Accessibility Services, albeit with reduced functionality. This design choice underscores a sophisticated monetization strategy, ensuring that attackers can still derive value from partially compromised devices.

What You Should Do

  • Avoid Sideloading Apps: Refrain from downloading and installing applications from unofficial sources, especially those advertised on social media platforms. Always use the official Google Play Store for Android app downloads.
  • Exercise Caution with Social Media Ads: Be highly skeptical of advertisements on Facebook, Instagram, or other social media sites promoting “free” streaming services or other enticing but unusual offers.
  • Review App Permissions: Regularly check the permissions granted to applications on your Android device, particularly “Accessibility Services” (Settings > Accessibility lists every app that holds it). Revoke the permission and uninstall any unfamiliar or suspicious app, including a “video player” that claimed its install had failed.
  • Use Reputable Antivirus Software: Install and maintain up-to-date mobile antivirus or security software on your Android device to detect and prevent malware infections.
  • Keep Software Updated: Ensure your Android operating system and all installed applications are regularly updated to patch known vulnerabilities.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Malware, phishing, Security, Threat

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

All Rights Reserved by HackersRadar ©2026