A new Android remote access trojan, Mirax, has been targeting users across Europe. It is sold as malware-as-a-service to a small number of affiliates, mainly Russian-speaking actors. Mirax can also turn an infected phone into a residential proxy node: it runs a SOCKS5 proxy on the device and multiplexes the proxied connections over a single WebSocket channel, so the operators' traffic leaves from the victim's home IP address.
Distribution relies on dropper pages promoted through Meta advertising on Facebook, Instagram, Messenger and related services; more than 200,000 users were reportedly exposed to the malicious ads. The lure sites are IPTV-themed and redirect to droppers hosted on GitHub. Installation bypasses Google Play entirely: victims are asked to sideload an APK, which means enabling installation from unknown sources before the malware can run.
According to Cleafy, the Mirax payload is encrypted with Golden Encryption and decrypted during installation. Once running, it offers overlay and notification injection for credential theft, lets operators view the device screen, and exfiltrates data including images and text. Operators can also start a SOCKS5 proxy connection on the device and route their own traffic through it, which is what turns the victim into a residential proxy exit.
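To make the proxy mechanism described above concrete, here is an added example that is not code from Cleafy's report or from Mirax itself. It encodes and decodes the two protocol layers the article names: an RFC 1928 SOCKS5 CONNECT request carried inside an RFC 6455 WebSocket frame. The article does not describe how Mirax multiplexes several proxied streams over one WebSocket channel or which side opens the connection, so the example assumes one request per frame and, as an assumption, that the infected device dials out (so frames from the operator arrive unmasked while anything the device sends is masked); the decoder handles both directions. The sample frames, the mask key and the targets (example.com, 192.0.2.1) are constructed here, not taken from any capture. An analyst with decrypted traffic from an infected device could use the same decoding to recover the destinations an operator is reaching through it.

```python
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
WS_OPCODE_TEXT, WS_OPCODE_BINARY = 0x01, 0x02


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4)."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            addr = bytes([atyp]) + socket.inet_pton(family, host)
            break
        except OSError:
            continue
    else:  # not an IP literal: send a length-prefixed domain name and let the proxy resolve it
        raw = host.encode("idna")
        if not 0 < len(raw) < 256:
            raise ValueError("SOCKS5 domain names are 1 to 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_socks5_request(data: bytes):
    """Return (cmd, host, port) if data is exactly one well-formed SOCKS5 request, else None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_end, decode = 8, lambda b: socket.inet_ntop(socket.AF_INET, b)
    elif atyp == ATYP_IPV6:
        addr_end, decode = 20, lambda b: socket.inet_ntop(socket.AF_INET6, b)
    elif atyp == ATYP_DOMAIN and len(data) > 4 and data[4] > 0:
        addr_end, decode = 5 + data[4], lambda b: b[1:].decode("ascii", errors="replace")
    else:
        return None
    if len(data) != addr_end + 2:  # the address must be followed by exactly a 2-byte port
        return None
    host = decode(data[4:addr_end])
    port = struct.unpack("!H", data[addr_end:])[0]
    return cmd, host, port


def build_ws_frame(payload: bytes, mask_key: bytes = b"", opcode: int = WS_OPCODE_BINARY) -> bytes:
    """Build one unfragmented frame; a 4-byte mask_key yields a masked (client-to-server) frame."""
    mask_bit = 0x80 if mask_key else 0x00
    header = bytes([0x80 | opcode])  # FIN set, no extension bits
    n = len(payload)
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < 0x10000:
        header += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if mask_key:
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return header + mask_key + payload


def parse_ws_frame(frame: bytes):
    """Return (opcode, payload) of one unfragmented frame, unmasking it if the MASK bit is set."""
    if len(frame) < 2:
        raise ValueError("truncated frame")
    opcode = frame[0] & 0x0F
    masked = bool(frame[1] & 0x80)
    length, offset = frame[1] & 0x7F, 2
    if length == 126 and len(frame) >= 4:
        length, offset = struct.unpack("!H", frame[2:4])[0], 4
    elif length == 127 and len(frame) >= 10:
        length, offset = struct.unpack("!Q", frame[2:10])[0], 10
    elif length >= 126:
        raise ValueError("truncated frame")
    key = b""
    if masked:
        key, offset = frame[offset:offset + 4], offset + 4
    payload = frame[offset:offset + length]
    if len(payload) != length or len(key) != (4 if masked else 0):
        raise ValueError("truncated frame")
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload


def connect_target_in_frame(frame: bytes):
    """Return (host, port) if a binary frame carries a SOCKS5 CONNECT request, else None."""
    try:
        opcode, payload = parse_ws_frame(frame)
    except ValueError:
        return None
    request = parse_socks5_request(payload) if opcode == WS_OPCODE_BINARY else None
    if request is None or request[0] != CMD_CONNECT:
        return None
    return request[1], request[2]


# Constructed sample frames (not captured traffic): an unmasked CONNECT as an operator-side
# server would send it, a masked CONNECT as a client would, and a text frame that must not match.
SAMPLE_CONNECT_FRAME = build_ws_frame(build_connect_request("example.com", 443))
SAMPLE_MASKED_FRAME = build_ws_frame(build_connect_request("192.0.2.1", 8080), bytes.fromhex("deadbeef"))
SAMPLE_CHAT_FRAME = build_ws_frame(b'{"type":"ping"}', opcode=WS_OPCODE_TEXT)
```

Calling `connect_target_in_frame(SAMPLE_CONNECT_FRAME)` yields the destination the proxy would open, and the text frame yields `None`. In real traffic the WebSocket sits inside TLS and under whatever multiplexing header the RAT adds, so this decoding applies only after interception and after that header has been stripped.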