MIRAX is described as a newly identified Android Remote Access Trojan (RAT) that spread through Meta ads and has infected about 220,000 users, turning devices into SOCKS5 proxies and enabling full remote control in real time. According to the report published by Cleafy, Mirax is marketed as malware-as-a-service and has been promoted since December 19, 2025, with campaigns observed in March 2026 targeting mainly Spanish-speaking regions.
The campaign uses a two-stage infection chain, concealing the malware in a disguised IPTV app and prompting users to install from unknown sources, before decrypting and installing the final payload. Once active, Mirax requests Accessibility permissions to run in the background, display fake pages, and bypass protections while delivering RAT capabilities such as screen control, data theft and spyware functions.
It communicates with command-and-control servers via WebSockets, enabling real-time control and exfiltration, and its residential proxy feature broadens attacker reach for fraud and other attacks. The campaign highlights how mobile threats are scaling through legitimate platforms, social engineering and MaaS-style distribution.