Mirax
Mirax is an Android remote access trojan (RAT) and banking malware offered as a private malware-as-a-service (MaaS) platform. Reporting states it has circulated on underground forums since December 19, 2025, with access restricted to a small number of trusted affiliates, reportedly favoring Russian-speaking actors. It has been advertised as “Mirax Bot,” including pricing such as $2,500 for a three-month subscription and a lighter variant at $1,750 per month.
Mirax has been observed targeting primarily Spanish-speaking users and countries, with campaigns distributed through malicious advertisements on Meta platforms including Facebook, Instagram, Messenger, and Threads. Multiple reports state these campaigns reached more than 200,000 accounts, with some citing over 220,000 accounts. Infection chains use social-engineering lures themed as IPTV, streaming, or illegal sports-streaming services. Victims are redirected to phishing sites that check for mobile devices and then deliver Android dropper APKs, often hosted on GitHub Releases. Observed lure/app names include StreamTV and Reproductor de video.
The malware uses a multi-stage infection chain designed to evade analysis. The dropper masquerades as an IPTV app, prompts users to enable installation from unknown sources, and hides an encrypted .dex payload inside the APK. The hidden .dex is decrypted with RC4 using a hardcoded key, then used to extract and install a final encrypted APK stored in res/raw and decrypted via XOR with a hardcoded key. Some reporting notes an IMPLANT_DOWNLOAD_URL configuration option for remote payload delivery, although this was not active in analyzed campaigns. Mirax samples were described as using strong obfuscation, dynamic .dex loading, deeply nested paths with uncommon characters, and packers such as Golden Encryption/Golden Crypt; builder options reportedly included Virbox and Golden Crypt.
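The two-layer unpacking described above (RC4 on a hidden .dex, then XOR on an APK in res/raw) is what an analyst has to reverse to reach the final payload. The following triage helper is an added example, not Mirax code or any vendor's tool: it applies both layers to every entry in a dropper archive and reports which entries decode to a dex or APK by magic bytes. The keys are placeholders standing in for the hardcoded keys an analyst recovers from the loader, and the sample dropper is constructed in-script.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"       # first bytes of a dex header ("dex\n035\0", "dex\n039\0", ...)
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a zip archive

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, the second layer applied to the APK in res/raw."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def classify(blob: bytes) -> str:
    """Name a decrypted blob by its magic bytes."""
    return "dex" if blob.startswith(DEX_MAGIC) else "apk" if blob.startswith(ZIP_MAGIC) else "unknown"

def probe_dropper(apk_bytes: bytes, rc4_key: bytes, xor_key: bytes) -> dict:
    """Try both layers on every archive entry; report entries that decode to a dex or an APK."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            raw = z.read(name)
            for layer, plain in (("rc4", rc4(rc4_key, raw)), ("xor", xor(xor_key, raw))):
                kind = classify(plain)
                if kind != "unknown":
                    hits[name] = (layer, kind)
    return hits

def build_sample(rc4_key: bytes, xor_key: bytes) -> bytes:
    """Constructed stand-in dropper: RC4'd dex under a deep odd path, XOR'd APK stub posing as media."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00loader-stub")
        z.writestr("assets/a/b/c/\u2502\u2502/s2.bin", rc4(rc4_key, b"dex\n035\x00stage2-stub"))
        z.writestr("res/raw/intro.mp4", xor(xor_key, b"PK\x03\x04final-apk-stub"))
    return buf.getvalue()
```

Real samples will need the recovered keys substituted and possibly an offset skipped if the loader prepends a header; the magic-byte check is what tells you the right layer and key were used.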
After installation, Mirax masquerades as a video playback utility and prompts the victim to grant Accessibility Services. It uses fake error pages, custom HTML pages, and black overlays to conceal activity, bypass security controls, and maintain persistence. Mirax provides full RAT functionality, including real-time remote control, screen monitoring/capture, VNC-style control, Accessibility-based UI navigation, keystroke capture, command execution, app management, user activity monitoring, photo theft, lock-screen detail collection, spyware functions, credential harvesting, and broader data exfiltration. It can inject malicious HTML/JavaScript overlays over legitimate applications and dynamically fetch overlay pages from command-and-control infrastructure to steal credentials and facilitate unauthorized transactions.
Mirax communicates with command-and-control servers over WebSockets for real-time control and exfiltration. One report specifies bidirectional WebSocket channels on port 8443 for remote access and command execution, port 8444 for remote streaming and data exfiltration, and port 8445 or a custom port for SOCKS5 proxying. A notable capability is conversion of infected Android devices into residential proxy nodes. Mirax supports SOCKS5 proxying and Yamux multiplexing over WebSocket channels, allowing attacker traffic to be routed through victims’ residential IP addresses. Reporting assesses this capability as useful for fraud, account takeover, transaction fraud, password spraying, lateral movement, DDoS, anonymized attacks, and evasion of geolocation- or IP-based fraud detection. One source states the proxy module can still activate even if the victim denies Accessibility permissions.
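The three-channel layout above (control on 8443, streaming/exfiltration on 8444, SOCKS5 on 8445 or a custom port) is more distinctive as a set than any one port, since 8443 alone is common legitimate HTTPS. The hunting heuristic below is an added example, not vendor detection content: it groups WebSocket upgrades per client and destination host over constructed egress-proxy log lines (the field layout and hostnames are assumptions) and flags pairs that touch two or more of the reported ports.

```python
import re
from collections import defaultdict

# Ports reported for Mirax's WebSocket channels; 8445 may be replaced by a custom port.
MIRAX_PORTS = {8443: "control", 8444: "streaming/exfil", 8445: "socks5"}

# Constructed sample lines: <time> <client> -> <host>:<port> <method> <Upgrade header or "-">
LOG = """\
10:00:01 10.0.0.7 -> c2.example.invalid:8443 GET websocket
10:00:02 10.0.0.7 -> c2.example.invalid:8444 GET websocket
10:00:09 10.0.0.7 -> c2.example.invalid:8445 GET websocket
10:00:10 10.0.0.9 -> portal.example.invalid:8443 GET -
10:00:11 10.0.0.9 -> api.example.invalid:443 GET websocket
"""
LINE = re.compile(r"^\S+ (\S+) -> (\S+):(\d+) \S+ (\S+)$")

def score(log: str, min_ports: int = 2) -> dict:
    """Return {(client, host): [channel names]} for pairs with WebSocket upgrades
    on at least min_ports of the reported ports. Plain HTTPS on 8443 is ignored."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, host, port, upgrade = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if upgrade == "websocket" and port in MIRAX_PORTS:
            seen[(client, host)].add(port)
    return {k: sorted(MIRAX_PORTS[p] for p in v) for k, v in seen.items() if len(v) >= min_ports}
```

Treat a hit as a lead for host triage (the Accessibility prompt, the IPTV-themed app, the dropper layout), not as a verdict; a custom SOCKS5 port will only ever show as two of three channels.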
Mirax has been described as actively targeting Android devices across Europe and Spanish-speaking regions. It is also noted in broader reporting on the Brazilian Android threat landscape as a MaaS family targeting PIX payment infrastructure. No high-confidence hashes, domains, or IP indicators were provided in the supplied content.
Groups observed using it
1 distinct threat actor attributed by public researchers.
A nascent Android remote access trojan called Mirax has been observed actively targeting Spanish-speaking countries, with campaigns reaching more than 220,000 accounts on Facebook, Instagram, Messenger, and Threads through advertisements on Meta.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 2 techniques
Initial Access: 3 techniques
The malware is distributed through attack chains that use Meta ads to promote dropper app web pages, tricking unsuspecting users into downloading them.
Execution: 3 techniques
...including screen monitoring, credential harvesting, and remote command execution.
Persistence: 1 technique
Privilege Escalation: 3 techniques
Stealth: 5 techniques
The dropper contains an encrypted .dex file hidden deep in the app structure, using obfuscation and uncommon paths to evade analysis.
By operating within legitimate apps, it can bypass common security checks and facilitate unauthorized transactions or data exfiltration.
Once executed, it extracts and decrypts the payload using RC4 with a hardcoded key, revealing the malicious code. The final payload is another encrypted APK stored inside the app, decrypted via XOR and then installed.
Credential Access: 4 techniques
With these permissions, Mirax runs silently, using overlays and fake pages to steal credentials and bypass protections.
Mirax - also tracked as Mirax Bot - is capable of capturing keystrokes, stealing photos or data, including lock screen details, running commands and monitoring user activity.
Discovery: 1 technique
Collection: 3 techniques
Command and Control: 6 techniques
It communicates with command-and-control servers via WebSockets, enabling real-time control and data exfiltration.
Once installed, the dropper unpacks the payload, applies strong obfuscation, and connects via WebSockets.
A key feature is its ability to turn infected devices into SOCKS5 residential proxies, masking attacker activity and enabling broader attacks like fraud, lateral movement, and DDoS.
Mirax and its advanced capabilities allow threat actors to interact with devices in real time, compromising and converting them into residential proxy nodes... relying on SOCKS5 protocol support and Yamux multiplexing to establish proxy channels.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Android remote access trojan distributed through malicious apps and social-engineering lures that enables full control of infected devices, including screen monitoring, credential harvesting, remote command execution, unauthorized transactions, and data exfiltration.
Android malware sold as malware-as-a-service that spreads via Meta ads and fake app lures. It provides full remote access, steals credentials and data, abuses Accessibility permissions, communicates over WebSockets, and can convert infected devices into SOCKS5 residential proxies for attacker operations.
Mirax is an Android banking trojan delivered via fake IPTV or streaming apps promoted through Facebook and Instagram ads. It acts as a dropper-hosted payload that decrypts concealed components, establishes WebSockets-based communications for remote device control and data theft, evades automated analysis, and converts infected devices into residential proxy nodes for illicit traffic routing, account takeover, and anonymized attacks.
Mirax is an Android banking malware offered as a Malware-as-a-Service platform. It steals banking credentials, abuses Accessibility Services for background operation, and turns infected devices into residential proxy nodes using SOCKS5 and Yamux over WebSocket to route attacker traffic through victims’ legitimate IP addresses.