A new, sophisticated remote access trojan (RAT) has been targeting Android users across Europe, fraud management and prevention company Cleafy warns.
Dubbed Mirax, the threat has been promoted on underground forums since December 2025 and has been used in multiple campaigns since March.
The threat is distributed as malware-as-a-service (MaaS) to a small number of affiliates, mainly Russian-speaking threat actors, through tiered subscription plans.
In addition to its RAT capabilities, Mirax can turn infected devices into residential proxy nodes by deploying a SOCKS5 proxy that implements multiplexing over the WebSocket-based channel, which supports multiple connections, Cleafy notes.
For distribution, threat actors are promoting the malware’s dropper pages through Meta advertisements displayed on Facebook, Instagram, Messenger, and similar services. According to Cleafy, more than 200,000 users have been served the malicious ads.
The miscreants use websites promoting IPTV application services to redirect to droppers hosted on GitHub and rely on APK sideloading for the malware’s execution, as none of the malicious apps are being distributed through Google Play.
The victims are tricked into enabling installation from unknown sources to run the malicious IPTV application, which triggers a multi-stage infection process meant to bypass protections.
The payload is packed using Golden Encryption (also known as Golden Crypt), hides the malicious code in an encrypted Dalvik Executable (.dex) file, and uses the RC4 stream cipher with a hardcoded cryptographic key to decrypt the code during installation.
Mirax supports overlay and notification injection for credential theft and allows attackers to view the screen in real time, navigate and control the device, manage applications, and exfiltrate images and text.
Additionally, it allows the operators to launch a SOCKS5 proxy connection to proxy traffic through the device, using two or three distinct WebSocket connections.
“Beyond the rise of residential proxy in the context of IoT devices, the introduction of this functionality into a malware RAT like Mirax is a novelty that warrants attention. While the analysis did not reveal any use of this functionality, it is still valuable to consider the motivations behind adding it to a RAT and the implications for highly targeted sectors like banks and similar institutions,” Cleafy notes.
Related: Gmail Brings End-to-End Encryption to Android and iOS for Enterprise Users
Related: Microsoft Finds Vulnerability Exposing Millions of Android Crypto Wallet Users
Related: PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence
Related: New Keenadu Android Malware Found on Thousands of Devices
