Mirax Bot

Mirax Bot is the name used by a threat actor advertising a private malware-as-a-service offering for the Android malware Mirax on underground forums. Outpost24’s KrakenLabs reported the actor offered the full Mirax MaaS package for $2,500 for a three-month subscription, with a lighter variant offered for $1,750 per month. Access to the service was described as highly controlled and exclusive, reportedly prioritizing Russian-speaking actors with established underground reputations. The Mirax malware is an Android remote access trojan with integrated residential proxy functionality. Reported capabilities include real-time interaction with compromised devices, keystroke capture, photo theft, lock-screen detail collection, command execution, user-interface navigation, user activity monitoring, and dynamic HTML overlay delivery for credential theft from legitimate applications. Mirax can also convert infected Android devices into residential proxy nodes using SOCKS5 and Yamux-based multiplexing, enabling operators to route traffic through victims’ real IP addresses. Researchers reported active Mirax campaigns primarily targeting Spanish-speaking countries through Meta advertisements across Facebook, Instagram, Messenger, and Threads, using fake streaming-service lures and GitHub-hosted dropper APKs. The infection chain uses mobile-aware landing pages, attempts to block automated scanning, and relies on a multi-stage installation process in which victims are prompted to enable installation from unknown sources and accessibility services. Mirax then communicates over multiple WebSocket command-and-control channels, including port 8443 for remote access and command execution, port 8444 for remote streaming and data exfiltration, and port 8445 or a custom port for SOCKS5 residential proxying. Known alias: mirax_bot.