Mirax Bot

The malware is distributed through attack chains that use Meta ads to promote dropper app web pages, tricking unsuspecting users into downloading them.

The malware is distributed through attack chains that use Meta ads to promote dropper app web pages, tricking unsuspecting users into downloading them.

An emerging remote access Trojan targeting Android devices in Spanish-speaking nations is propagating fraudulent advertisements as an initial access point on Meta-owned applications.

Mirax - also tracked as Mirax Bot - is capable of capturing keystrokes, stealing photos or data, including lock screen details, running commands and monitoring user activity.

After installation, a dropper deploys malware by prompting users to allow for installation from an 'unknown source,' resulting in a 'sophisticated, multi-stage operation' designed for evasion.

The malware masquerades behind video playback features, further prompting the victim to enable accessibility services that open the door to Mirax.

The malware masquerades behind video playback features, further prompting the victim to enable accessibility services that open the door to Mirax.

The malware masquerades behind video playback features, further prompting the victim to enable accessibility services that open the door to Mirax.

The malware masquerades behind video playback features, further prompting the victim to enable accessibility services that open the door to Mirax.

It uses overlay pages over legitimate apps to steal credentials or display notifications coming from apps.

Mirax - also tracked as Mirax Bot - is capable of capturing keystrokes, stealing photos or data, including lock screen details, running commands and monitoring user activity.

It uses overlay pages over legitimate apps to steal credentials or display notifications coming from apps.

It uses overlay pages over legitimate apps to steal credentials or display notifications coming from apps.

Mirax - also tracked as Mirax Bot - is capable of capturing keystrokes, stealing photos or data, including lock screen details, running commands and monitoring user activity.

The RAT is localized to Meta-operated platforms, 'relying on SOCKS5 protocol support and Yamux multiplexing' to establish proxy channels and uncover a victim's IP address.

Mirax and its advanced capabilities allow threat actors to interact with devices in real time, compromising and converting them into residential proxy nodes... relying on SOCKS5 protocol support and Yamux multiplexing to establish proxy channels.

Mirax and its advanced capabilities allow threat actors to interact with devices in real time, compromising and converting them into residential proxy nodes... relying on SOCKS5 protocol support and Yamux multiplexing to establish proxy channels

Mirax also utilizes GitHub as a malicious APK file dropper, offering two options of crypters - Virbox or Golden Crypt.