Mirax RAT Targeting Android Users in Europe

Summary

Mirax, a sophisticated remote access trojan distributed as malware-as-a-service (MaaS), is targeting Android users across Europe since March 2026. The threat is promoted to Russian-speaking affiliates via underground forums and distributed through Meta advertisements redirecting to IPTV app droppers. Beyond standard RAT capabilities (overlay injection, credential theft, device control), Mirax uniquely converts infected devices into residential proxy nodes using SOCKS5 proxies, creating a novel hybrid threat.

Full text

A new, sophisticated remote access trojan (RAT) has been targeting Android users across Europe, fraud management and prevention company Cleafy warns. Dubbed Mirax, the threat has been promoted on underground forums since December 2025 and has been used in multiple campaigns since March. The threat is distributed as malware-as-a-service (MaaS) to a small number of affiliates, mainly Russian-speaking threat actors, through tiered subscription plans. In addition to its RAT capabilities, Mirax can turn infected devices into residential proxy nodes by deploying a SOCKS5 proxy that implements multiplexing over the WebSocket-based channel, which supports multiple connections, Cleafy notes. For distribution, threat actors are promoting the malware’s dropper pages through Meta advertisements displayed on Facebook, Instagram, Messenger, and similar services. According to Cleafy, more than 200,000 users have been served the malicious ads. The miscreants use websites promoting IPTV application services to redirect to droppers hosted on GitHub and rely on APK sideloading for the malware’s execution, as none of the malicious apps are being distributed through Google Play.Advertisement. Scroll to continue reading. The victims are tricked into enabling installation from unknown sources to run the malicious IPTV application, which triggers a multi-stage infection process meant to bypass protections. The payload is packed using Golden Encryption (also known as Golden Crypt), hides the malicious code in an encrypted Dalvik Executable (.dex) file, and uses the RC4 stream cipher with a hardcoded cryptographic key to decrypt the code during installation. Mirax supports overlay and notification injection for credential theft and allows attackers to view the screen in real time, navigate and control the device, manage applications, and exfiltrate images and text. Additionally, it allows the operators to launch a SOCKS5 proxy connection to proxy traffic through the device, using two or three distinct WebSocket connections. “Beyond the rise of residential proxy in the context of IoT devices, the introduction of this functionality into a malware RAT like Mirax is a novelty that warrants attention. While the analysis did not reveal any use of this functionality, it is still valuable to consider the motivations behind adding it to a RAT and the implications for highly targeted sectors like banks and similar institutions,” Cleafy notes. Related: Gmail Brings End-to-End Encryption to Android and iOS for Enterprise Users Related: Microsoft Finds Vulnerability Exposing Millions of Android Crypto Wallet Users Related: PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence Related: New Keenadu Android Malware Found on Thousands of Devices Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire SAP Patches Critical ABAP VulnerabilityTriad Nexus Evades Sanctions to Fuel CybercrimeGoogle Adds Rust DNS Parser to Pixel Phones for Better SecurityOrganizations Warned of Exploited Windows, Adobe Acrobat VulnerabilitiesFake Claude Website Distributes PlugX RATGmail Brings End-to-End Encryption to Android and iOS for Enterprise UsersJuniper Networks Patches Dozens of Junos OS VulnerabilitiesOrthanc DICOM Vulnerabilities Lead to Crashes, RCE Latest News Capsule Security Emerges From Stealth With $7 Million in Funding‘By Design’ Flaw in MCP Could Enable Widespread AI Supply Chain Attacks100 Chrome Extensions Steal User Data, Create BackdoorCISO Conversations: Ross McKerchar, CISO at SophosTwo Vulnerabilities Patched in Ivanti Neurons for ITSM $10 Domain Could Have Handed Hackers 25k Endpoints, Including in OT and Gov NetworksTrump Urges Extending Foreign Surveillance Program as Some Lawmakers Push for US Privacy ProtectionsFortinet Patches Critical FortiSandbox Vulnerabilities Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveThe United States Department of War appointed David Vaughn as Technical Advisor for Data Infrastructure.Black Duck has named Dom Glavach as Chief Information Security Officer.Finite State has named Ann Miller as Vice President of Marketing.More People On The MoveExpert Insights The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — Mirax RAT
• malware — Golden Encryption (Golden Crypt)

Entities