
Introduction: A New Breed of Mobile Threat Emerges
The Android threat landscape has taken a sharp turn with the emergence of Mirax, a highly advanced Remote Access Trojan (RAT) combined with banking malware capabilities. Discovered by cybersecurity researchers at Cleafy, this malware is not just another mass-distributed threat. Instead, it represents a calculated evolution in cybercrime operations, prioritizing stealth, exclusivity, and long-term exploitation over widespread infection.
First appearing in underground forums in December 2025, Mirax quickly gained traction among a select group of cybercriminals. By March 2026, it had already been deployed in targeted campaigns, primarily focusing on Spanish-speaking users. What makes Mirax particularly dangerous is not just its technical sophistication, but the controlled ecosystem in which it operates, making it harder to detect, track, and dismantle.
Summary: How Mirax Operates and Evades Detection
Mirax distinguishes itself from traditional Malware-as-a-Service platforms by limiting access to a closed circle of Russian-speaking affiliates. This exclusivity ensures higher operational discipline and reduces the likelihood of exposure through careless usage. The malware spreads primarily through deceptive advertising campaigns on platforms owned by Meta Platforms, including Facebook and Instagram, where users are tricked into downloading fake IPTV applications promising sports streaming content.
These campaigns have already reached over 200,000 users, particularly in Spain. Once a victim clicks on the malicious ad, the victim is redirected to landing pages that inspect HTTP request headers to confirm the page is being loaded from a mobile browser before serving anything further. This check effectively blocks automated security scanners and analysis tools that do not present a mobile browser profile.
The malware delivery mechanism relies on droppers hosted on GitHub Releases, which frequently change their file hashes to evade detection while maintaining consistent underlying code. Upon installation, the dropper uses advanced encryption methods, including GoldCrypt, to unpack its payload through WebSocket communication channels. A hidden .dex file is stored in deeply nested, obfuscated directories, making forensic analysis significantly more difficult.
Decryption is performed using RC4 with a hardcoded key, followed by XOR-based unpacking to extract the final malicious APK. Interestingly, in observed samples, the payload does not rely on remote downloads, although documentation suggests that capability exists.
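For analysts reproducing the two-stage unpacking described above, the following Python is an added illustration (not code from Cleafy's report or from the malware itself). It applies RC4 with a key, then a repeating-byte XOR, and validates the result by its file magic; the RC4 key and XOR byte are placeholders and the packed blob is constructed inline, since the page gives neither.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_unpack(data: bytes, xor_key: bytes) -> bytes:
    """Repeating-key XOR; also symmetric."""
    return bytes(b ^ xor_key[i % len(xor_key)] for i, b in enumerate(data))

# File magics an unpacked Android payload should start with.
MAGICS = {b"PK\x03\x04": "apk/zip", b"dex\n035\x00": "dex", b"dex\n039\x00": "dex"}

def identify(blob: bytes):
    """Return the payload type by magic bytes, or None if nothing recognisable."""
    for magic, kind in MAGICS.items():
        if blob.startswith(magic):
            return kind
    return None

def unpack_payload(blob: bytes, rc4_key: bytes, xor_key: bytes):
    """RC4-decrypt, then XOR-unpack, as the write-up describes; report type + SHA-256."""
    stage1 = rc4(rc4_key, blob)
    payload = xor_unpack(stage1, xor_key)
    return identify(payload), hashlib.sha256(payload).hexdigest(), payload

# Constructed sample: placeholder keys and a fake ZIP-magic payload, packed with the
# inverse order (XOR first, then RC4) so that unpack_payload() recovers it.
RC4_KEY = b"placeholder-rc4-key"   # placeholder, not the real hardcoded key
XOR_KEY = b"\x5a"                  # placeholder XOR byte
FAKE_APK = b"PK\x03\x04" + b"constructed sample, not a real APK " * 3
PACKED = rc4(RC4_KEY, xor_unpack(FAKE_APK, XOR_KEY))

if __name__ == "__main__":
    kind, digest, _ = unpack_payload(PACKED, RC4_KEY, XOR_KEY)
    print(f"payload type: {kind}, sha256: {digest}")
```

A wrong key yields no recognisable magic, which is the quick sanity check to run before spending time on a supposedly decrypted blob.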
Once installed, Mirax disguises itself as a legitimate video player application. It aggressively requests Accessibility Service permissions, a critical step that allows it to gain extensive control over the device. To manipulate user behavior, it displays fake HTML error messages and overlays that lock the screen, effectively coercing users into granting permissions.
Persistence is achieved through multiple WebSocket connections across different ports. These channels are used for command execution, data exfiltration, and proxy tunneling using Yamux multiplexing. This multi-channel communication ensures resilience and flexibility in operations.
The malware’s capabilities are extensive. It targets 182 applications, including banking apps and cryptocurrency wallets, using dynamically delivered templates from command-and-control servers. These servers operate behind a shared “gate” infrastructure that masks their true location.
Mirax supports a wide range of malicious functions, including credential harvesting via overlays, real-time device monitoring through VNC-like features, automated UI interactions using Accessibility Services, and the ability to disable security applications. It can also extract sensitive data such as SMS messages, text content, and even capture images using the device camera.
One of its most alarming features is the built-in SOCKS5 proxy functionality. Even if the user denies critical permissions, the infected device can still be used as a proxy node. This allows attackers to route malicious traffic through compromised devices, enabling activities such as DDoS attacks, IP spoofing, and large-scale credential stuffing campaigns.
The command-and-control architecture relies on bidirectional WebSocket communication, allowing infected devices to continuously send status updates while receiving new instructions. Notably, Mirax avoids targeting CIS countries, likely due to regional restrictions or strategic decisions by its operators.
What Undercode Says: The Strategic Shift Behind Mirax
Mirax is not just another piece of malware. It represents a strategic shift in how cybercriminals approach mobile exploitation. The move from mass infection models to controlled, invite-only ecosystems signals a maturation of the underground economy.
By restricting access to trusted affiliates, the operators behind Mirax significantly reduce operational noise. This means fewer infections overall, but a much higher success rate per target. In cybersecurity terms, this is a shift from quantity to quality.
The use of mainstream advertising platforms like Facebook and Instagram is particularly notable. It highlights how attackers are leveraging legitimate ecosystems to distribute malware at scale without raising immediate suspicion. This approach blends social engineering with technical sophistication, making it highly effective.
Technically, Mirax’s layered encryption and obfuscation techniques demonstrate a deep understanding of modern detection systems. The combination of GoldCrypt, RC4, and XOR unpacking creates multiple barriers for analysts, increasing the time and effort required for reverse engineering.
The integration of proxy functionality within a banking Trojan is especially concerning. Traditionally, proxy botnets and financial malware operated in separate domains. Mirax merges these capabilities, creating a hybrid threat that maximizes monetization opportunities. Even partial infections become valuable assets, contributing bandwidth and anonymity to cybercriminal operations.
Another critical aspect is the use of Accessibility Services. While this technique is not new, Mirax refines it by combining psychological manipulation with technical enforcement. The use of fake overlays and error messages demonstrates a high level of user interface deception, increasing the likelihood of user compliance.
From an infrastructure perspective, the use of shared “gate” servers adds another layer of anonymity. This design not only protects the core command-and-control servers but also allows for rapid reconfiguration if parts of the network are exposed.
The absence of observed proxy abuse so far should not be seen as a limitation, but rather as a sign of future potential. The pricing models and feature sets strongly suggest that Mirax is being positioned for large-scale botnet operations in the near future.
In essence, Mirax is a preview of the next generation of mobile threats: modular, stealthy, and economically optimized. It reflects a broader trend where cybercrime is increasingly adopting business-like strategies, complete with access control, product differentiation, and scalability planning.
Fact Checker Results
✅ Mirax is confirmed as an advanced Android RAT and banking malware identified by Cleafy.
✅ Distribution via fake apps promoted on social media platforms aligns with known mobile malware tactics.
⚠️ No confirmed large-scale proxy botnet activity yet, but indicators strongly suggest future deployment.
Prediction
The evolution of threats like Mirax points toward a future where smartphones become dual-purpose tools for cybercriminals, serving both as data targets and infrastructure nodes. 📱
Expect a rise in hybrid malware combining financial theft with network-level exploitation, especially leveraging proxy capabilities. 🔐
Mobile ecosystems, particularly Android, will likely face increased pressure to tighten app distribution controls and permission management systems to counter these advanced threats. 🚨
References:
Reported By: cyberpress.org