Researchers reported active distribution of the Android malware Mirax, a remote access trojan that combines banking credential theft with residential proxy functionality, allowing attackers to turn infected phones into SOCKS5 proxy nodes while harvesting sensitive data. Cleafy said campaigns aimed largely at Spanish-speaking users reached more than 220,000 accounts across Meta platforms including Facebook, Instagram, Messenger, and Threads, using fake IPTV and sports-streaming lures, phishing pages, and GitHub Releases-hosted dropper APKs to drive sideloaded infections.
Mirax is described as a restricted malware-as-a-service offering linked to the underground "Mirax Bot" ecosystem and reportedly marketed mainly to trusted Russian-speaking affiliates. Once installed, the malware abuses Android Accessibility Services, deploys credential-theft overlays, and maintains multiple WebSocket command-and-control channels on ports 8443, 8444, and 8445; its use of SOCKS5, Yamux, and residential IP routing helps attackers evade fraud controls and support follow-on activity such as account takeover, transaction fraud, password spraying, and broader anonymous abuse through victims’ devices.
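The three C2 ports above are one of the few network-observable characteristics the reporting gives, so a defender may want a quick triage check over egress logs. The following is an added example, not code from Cleafy or any of the cited sources: it assumes a constructed key=value log format (source, destination:port, whether an HTTP WebSocket upgrade was seen) and flags sources that open WebSocket sessions to more than one of the 8443/8444/8445 ports, since 8443 alone is common for legitimate TLS traffic.

```python
import re
from collections import defaultdict

# Ports the public reporting ties to Mirax WebSocket C2 channels.
MIRAX_C2_PORTS = {8443, 8444, 8445}

# Constructed sample log lines (assumed format, not real telemetry).
SAMPLE_LOGS = [
    "2026-04-11T09:12:01Z src=10.20.3.41 dst=203.0.113.7:8443 proto=tcp http_upgrade=websocket ua=okhttp/4.9",
    "2026-04-11T09:12:05Z src=10.20.3.41 dst=203.0.113.7:8444 proto=tcp http_upgrade=websocket ua=okhttp/4.9",
    "2026-04-11T09:12:09Z src=10.20.3.41 dst=203.0.113.7:8445 proto=tcp http_upgrade=websocket ua=okhttp/4.9",
    "2026-04-11T09:13:00Z src=10.20.3.58 dst=198.51.100.9:8443 proto=tcp http_upgrade=none ua=Mozilla/5.0",
    "2026-04-11T09:14:00Z src=10.20.3.77 dst=198.51.100.20:443 proto=tcp http_upgrade=websocket ua=okhttp/4.9",
]

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) .*?http_upgrade=(?P<upgrade>\S+)"
)


def parse_line(line):
    """Return (src, dst, port, upgrade) for a log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("port")), m.group("upgrade")


def find_suspect_hosts(lines, min_ports=2):
    """Map each source to the sorted list of Mirax C2 ports it reached via WebSocket.

    Only sources that upgraded to WebSocket on at least `min_ports` distinct ports
    from MIRAX_C2_PORTS are returned; a single 8443 hit is too noisy on its own.
    """
    ports_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dst, port, upgrade = parsed
        if port in MIRAX_C2_PORTS and upgrade == "websocket":
            ports_by_src[src].add(port)
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    # Hosts matching the constructed sample: only 10.20.3.41 touches all three ports.
    for src, ports in find_suspect_hosts(SAMPLE_LOGS).items():
        print(f"review {src}: WebSocket sessions to C2-associated ports {ports}")
```

A hit is a triage lead, not a verdict: confirm by checking the device for sideloaded IPTV or streaming APKs with Accessibility Service grants and for unexpected outbound SOCKS5 relaying.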

5 events from the most recent confirmed update back to the earliest known activity.
On 2026-04-14, public reporting detailed Mirax's full remote-access features, credential-theft overlays, abuse of Accessibility Services, and WebSocket-based C2 communications over ports 8443, 8444, and 8445. The disclosures also highlighted its integrated SOCKS5 and Yamux proxy functionality that routes attacker traffic through victims' residential IP addresses.
Researchers reported active Mirax distribution through paid advertisements across Meta platforms including Facebook, Instagram, Messenger, and Threads. The campaigns reportedly reached more than 220,000 accounts and infected Android devices that were then used for credential theft and as SOCKS5 residential proxies.
On 2026-04-10, Cleafy Labs published a technical analysis of Mirax describing its two-stage Android infection chain, IPTV-themed dropper, encrypted payload unpacking, and abuse of Accessibility Services. The report also documented credential-theft overlays, remote-control features, spyware functions, and SOCKS5 proxy capability that could turn infected devices into residential proxy nodes.
Cleafy began monitoring Mirax activity in March 2026 after observing campaigns aimed mainly at Spanish-speaking countries. The campaigns used fake IPTV and sports-streaming lures, sideloaded APKs, and GitHub-hosted droppers.
The Android malware-as-a-service offering known as Mirax Bot was advertised on underground forums starting on 2025-12-19. Reporting says access was restricted, primarily favoring trusted Russian-speaking affiliates.