The Emergence of Mirax RAT and Its Distribution
The Mirax Remote Access Trojan (RAT) has surfaced as a sophisticated malware targeting Android users across Europe. This threat is distributed under the malware-as-a-service (MaaS) model, which offers tiered subscription plans to affiliates, predominantly Russian-speaking actors. By utilizing this MaaS structure, the operators have streamlined access to advanced malware capabilities for their subscribers. The promotional efforts for Mirax began in December 2025, and campaigns leveraging this RAT have been active since March.
Threat actors rely on Meta advertisements displayed across platforms such as Facebook, Instagram, and Messenger to distribute Mirax's dropper pages. These ads redirect unsuspecting users to websites promoting IPTV application services, which in turn lead victims to malicious APK files hosted on GitHub. The infection depends on tricking the user into enabling installation from unknown sources.
Technical Innovations in Mirax RAT
Mirax RAT introduces notable technical advancements that set it apart from conventional Android malware. Among its standout features is the ability to turn infected devices into residential proxy nodes. This is achieved through the deployment of a SOCKS5 proxy that supports multiplexing via WebSocket-based channels. This innovative design allows simultaneous connections to be routed through compromised devices, enhancing the malware's utility for cybercriminal operations.
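The report describes the proxy component only as SOCKS5 multiplexed over WebSocket channels, which is enough to show what an analyst inspecting the relay traffic has to decode. The following is an added example, not code from the report or from the malware: it unmasks client-to-server WebSocket frames (RFC 6455) and parses any SOCKS5 request (RFC 1928) found inside a binary frame, so the destinations a compromised device is being asked to relay to can be listed. It assumes plaintext frames (for example from an instrumented device or a TLS-terminating sensor) and one SOCKS5 request per binary frame; the real Mirax multiplexing layout is not documented in the report, and the sample stream is constructed here.

```python
import struct
import ipaddress

SOCKS_CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
WS_OPCODE_BINARY = 0x02


def parse_ws_frame(buf, offset=0):
    """Parse one WebSocket frame (RFC 6455) starting at buf[offset].

    Returns (opcode, payload, next_offset). Client-to-server frames carry a
    4-byte masking key that is XORed over the payload to recover it."""
    if len(buf) - offset < 2:
        raise ValueError("truncated frame header")
    b0, b1 = buf[offset], buf[offset + 1]
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    pos = offset + 2
    if length == 126:                       # 16-bit extended length
        (length,) = struct.unpack_from(">H", buf, pos)
        pos += 2
    elif length == 127:                     # 64-bit extended length
        (length,) = struct.unpack_from(">Q", buf, pos)
        pos += 8
    mask = b""
    if masked:
        mask = bytes(buf[pos:pos + 4])
        pos += 4
    payload = bytes(buf[pos:pos + length])
    if len(payload) != length:
        raise ValueError("truncated frame payload")
    if masked:
        payload = bytes(c ^ mask[i % 4] for i, c in enumerate(payload))
    return opcode, payload, pos + length


def parse_socks5_request(data):
    """Decode a SOCKS5 request (RFC 1928 section 4):
    VER CMD RSV ATYP DST.ADDR DST.PORT. Returns a dict or None if not SOCKS5."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00 or data[1] not in SOCKS_CMDS:
        return None
    atyp, pos = data[3], 4
    if atyp == 0x01:                        # IPv4, 4 bytes
        if len(data) < pos + 4:
            return None
        host, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == 0x03:                      # domain name, length-prefixed
        if len(data) < pos + 1 or len(data) < pos + 1 + data[pos]:
            return None
        n = data[pos]
        host, pos = data[pos + 1:pos + 1 + n].decode("ascii", "replace"), pos + 1 + n
    elif atyp == 0x04:                      # IPv6, 16 bytes
        if len(data) < pos + 16:
            return None
        host, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    else:
        return None
    if len(data) < pos + 2:
        return None
    (port,) = struct.unpack_from(">H", data, pos)
    return {"cmd": SOCKS_CMDS[data[1]], "host": host, "port": port}


def extract_proxy_requests(stream):
    """Walk a captured client-to-server WebSocket byte stream and collect every
    SOCKS5 request carried in a binary frame; text/control frames are skipped."""
    found, offset = [], 0
    while offset < len(stream):
        opcode, payload, offset = parse_ws_frame(stream, offset)
        if opcode != WS_OPCODE_BINARY:
            continue
        req = parse_socks5_request(payload)
        if req is not None:
            found.append(req)
    return found


def build_masked_frame(opcode, payload, mask):
    """Build a short (<126 byte) masked frame; used only to construct the sample below."""
    header = bytes([0x80 | opcode, 0x80 | len(payload)]) + mask
    return header + bytes(c ^ mask[i % 4] for i, c in enumerate(payload))


# Constructed sample stream: a text "ping", a CONNECT to a domain, a CONNECT to an IPv4 address.
SAMPLE_STREAM = (
    build_masked_frame(0x01, b"ping", b"\x01\x02\x03\x04")
    + build_masked_frame(0x02, b"\x05\x01\x00\x03" + bytes([11]) + b"example.net"
                         + struct.pack(">H", 443), b"\xaa\xbb\xcc\xdd")
    + build_masked_frame(0x02, b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10])
                         + struct.pack(">H", 80), b"\x10\x20\x30\x40")
)

if __name__ == "__main__":
    for req in extract_proxy_requests(SAMPLE_STREAM):
        print(f"{req['cmd']} {req['host']}:{req['port']}")
```

Run against a decoded capture, the output is the list of hosts and ports the relay was asked to reach, which is the artefact a responder needs to scope what traffic an infected handset carried on behalf of the operators.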
The payload is packed using Golden Encryption, a method that ships the real code as an encrypted Dalvik Executable (DEX) file. At install time this file is decrypted with the RC4 stream cipher using a hardcoded key. Packing the code this way hinders detection and complicates forensic analysis.
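For an analyst, the practical consequence of the packing described above is a blob inside the APK that is only meaningful once RC4 is applied with the right key, and a decryption attempt has to be validated before the result is fed to DEX tooling. The block below is an added example, not code from the report: it implements RC4, decrypts a blob with each candidate key, and accepts a result only when the DEX header checks out (magic, version, file_size, header_size and endian tag). The report does not disclose the real hardcoded key or the exact container layout, so the key is a placeholder, whole-blob RC4 is assumed, and the packed sample is constructed here.

```python
import struct

DEX_HEADER_SIZE = 0x70            # fixed header length in every DEX version
DEX_ENDIAN_CONSTANT = 0x12345678  # endian_tag value for little-endian DEX files


def rc4(key, data):
    """RC4: key scheduling (KSA) followed by keystream generation (PRGA),
    XORed over data. Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_dex(blob):
    """Header sanity checks: magic 'dex\\n' + three-digit version + NUL,
    file_size (offset 0x20) equal to the blob length, header_size 0x70 and the endian tag."""
    if len(blob) < DEX_HEADER_SIZE:
        return False
    if blob[:4] != b"dex\n" or not blob[4:7].isdigit() or blob[7] != 0:
        return False
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 0x20)
    return (file_size == len(blob) and header_size == DEX_HEADER_SIZE
            and endian_tag == DEX_ENDIAN_CONSTANT)


def try_unpack(blob, candidate_keys):
    """Decrypt blob with each candidate key; return (key, plaintext) for the first
    result that validates as a DEX file, or (None, None) if none does."""
    for key in candidate_keys:
        plain = rc4(key, blob)
        if looks_like_dex(plain):
            return key, plain
    return None, None


def build_fake_dex(total_size=0x200):
    """Constructed stand-in for a classes.dex: a valid-looking header plus zero filler."""
    dex = bytearray(total_size)
    dex[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", dex, 0x20, total_size, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    return bytes(dex)


# Placeholder key (assumption): the report does not disclose the real hardcoded key.
PLACEHOLDER_KEY = b"placeholder-rc4-key"
FAKE_DEX = build_fake_dex()
PACKED_SAMPLE = rc4(PLACEHOLDER_KEY, FAKE_DEX)   # what the packed asset would look like on disk

if __name__ == "__main__":
    key, plain = try_unpack(PACKED_SAMPLE, [b"wrong-guess", PLACEHOLDER_KEY])
    print("recovered with key", key, "->", plain[:8] if plain else None)
```

In practice the candidate keys come from the unpacker stub recovered from the APK, and the header validation is what separates a genuine recovery from garbage produced by a wrong key before any disassembler is pointed at the output.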
Capabilities for Credential Theft and Device Control
Mirax RAT is equipped with functionalities that enable credential theft and extensive device control. It supports overlay and notification injection, allowing attackers to capture sensitive information such as login credentials. Additionally, the malware facilitates real-time screen viewing and device navigation, granting operators full control over infected systems.
Other features include application management and the exfiltration of images and text from devices. These capabilities highlight the threat's potential for extensive data theft, espionage, and disruption. The integration of SOCKS5 proxy functionality further underscores its capability to utilize infected devices as traffic relay points, a novel feature in the domain of Android malware.
Exploitation Through Multi-Stage Infection
Mirax employs a multi-stage infection strategy to bypass Android's protective measures. It begins with the victim, believing they are installing a legitimate IPTV application, enabling installation from unknown sources. Once executed, the malware unpacks its payload and proceeds to deploy its malicious components.
The infection stages are meticulously designed to evade detection and bypass security frameworks. The use of APK sideloading ensures that the malware avoids scrutiny from Google's Play Store protections, enabling its proliferation across a wide user base.
Implications for Cybersecurity in Europe
The rise of Mirax RAT presents significant challenges for cybersecurity frameworks in Europe. Its distribution via social media advertisements and reliance on sideloading highlight vulnerabilities in user awareness and platform security. The introduction of residential proxy functionality into an Android RAT signals a shift in cybercriminal strategies, with implications for IoT security.
Preventive measures must focus on increasing public awareness about the risks of installing applications from unknown sources. Enhanced scrutiny of advertising platforms to detect and remove malicious campaigns is also necessary. Additionally, collaboration between security vendors and platform operators can mitigate the impact of malware-as-a-service offerings like Mirax.