A nascent Android remote access trojan called Mirax has been observed targeting Spanish-speaking countries, with campaigns reaching more than 220,000 accounts on Facebook, Instagram, Messenger and Threads through Meta ads. Mirax integrates advanced RAT capabilities and can fully interact with compromised devices in real time, while also turning infected devices into residential proxy nodes using SOCKS5 and Yamux multiplexing.
Researchers described the approach as a convergence of RAT and proxy features, enabling attackers to route traffic through victims’ real IP addresses and bypass geolocation restrictions. The operation is reportedly distributed through a tightly controlled MaaS model, with a threat actor going by the name Mirax Bot advertising a private service on underground forums; access is said to be prioritised for Russian-speaking actors.
Dropper apps are promoted via Meta ads, including StreamTV and Reproductor de video, with one ad starting on 6 April 2026 reaching 190,987 accounts. According to Cleafy, the campaign uses a multi-stage payload, bidirectional C2 channels on WebSocket ports 8443, 8444 and 8445, and prompts users to enable unknown sources to deploy the malware.