Executive Summary
In April 2026, a sophisticated Android remote access trojan (RAT) named Mirax was identified targeting Spanish-speaking countries. Distributed through Meta advertisements, Mirax infected over 220,000 devices by masquerading as legitimate streaming applications. Once installed, it granted attackers full control over compromised devices, enabling real-time interaction, keystroke logging, and the deployment of dynamic overlays to steal sensitive information. Notably, Mirax transformed infected devices into residential proxy nodes using the SOCKS5 protocol, allowing cybercriminals to route malicious traffic through victims' IP addresses, thereby evading detection systems and facilitating fraudulent activities.
This incident underscores a concerning evolution in mobile malware, where traditional RAT functionalities are augmented with proxy capabilities, expanding the operational scope of cybercriminals. The use of social media platforms for widespread distribution highlights the need for enhanced vigilance and security measures among users and organizations to mitigate such threats.
Why This Matters Now
The emergence of Mirax signifies a shift in cybercriminal tactics, combining device control with proxy functionalities to enhance anonymity and effectiveness. This development poses increased risks for financial institutions and individuals, emphasizing the urgency for robust mobile security practices and user education to prevent such sophisticated attacks.
Attack Path Analysis
The Mirax Android RAT campaign began with social engineering tactics, using Meta advertisements to lure Spanish-speaking users into downloading malicious streaming apps. Once installed, Mirax gained full control over the device, enabling the execution of commands and monitoring of user activities. The malware then established persistent proxy channels, allowing attackers to route their traffic through the victim's IP address. Subsequently, Mirax communicated with command-and-control servers to receive further instructions and dynamically fetch overlay pages for credential theft. Finally, the malware exfiltrated sensitive data, including credentials and personal information, to the attackers.
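As an added illustration of the proxy-node behaviour described above (example code written for this page, not code from the page's sources or from any Mirax analysis), the following Python heuristic flags devices on a mobile segment that hold a device-initiated, long-lived tunnel over which a SOCKS5 handshake arrives, or that fan out to unrelated hosts while such a tunnel is open. The segment prefix, the thresholds and the flow records are constructed assumptions.

```python
"""Heuristic detector for mobile devices acting as reverse SOCKS5 relay nodes.

Constructed example: flow records from a mobile segment are scanned for a
device-initiated, long-lived connection over which a SOCKS5 handshake arrives
from the remote side, and for fan-out to unrelated destinations while that
connection is open. Neither signal alone proves compromise; both together are
a strong lead for triage.
"""
from collections import defaultdict

SEGMENT = "10.20."          # assumed address prefix of the mobile device segment
MIN_TUNNEL_SECONDS = 600    # assumed: a relay channel stays up for minutes
MIN_FANOUT = 5              # assumed: distinct third-party hosts during a tunnel

def is_socks5_greeting(data: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then NMETHODS method bytes."""
    return len(data) >= 3 and data[0] == 0x05 and data[1] >= 1 and len(data) >= 2 + data[1]

def is_socks5_connect(data: bytes) -> bool:
    """RFC 1928 request: VER=0x05, CMD=0x01 (CONNECT), RSV=0x00, ATYP in {1, 3, 4}."""
    return len(data) >= 4 and data[:3] == b"\x05\x01\x00" and data[3] in (1, 3, 4)

def find_relay_nodes(flows):
    """flows: (start, end, src, dst, first_bytes_from_dst). Returns {device: [reasons]}."""
    findings = defaultdict(list)
    for start, end, src, dst, from_dst in flows:
        if not src.startswith(SEGMENT) or dst.startswith(SEGMENT):
            continue  # only device-initiated, outbound connections can be reverse tunnels
        if end - start < MIN_TUNNEL_SECONDS:
            continue
        if is_socks5_greeting(from_dst) or is_socks5_connect(from_dst):
            findings[src].append(f"socks5 handshake received from {dst} on outbound tunnel")
        peers = {d for s, e, sr, d, _ in flows
                 if sr == src and d != dst and not d.startswith(SEGMENT) and start <= s <= end}
        if len(peers) >= MIN_FANOUT:
            findings[src].append(f"{len(peers)} third-party hosts contacted while tunnel to {dst} was open")
    return dict(findings)

# Constructed sample: device 10.20.0.7 holds a 30-minute tunnel to 203.0.113.9,
# receives a SOCKS5 greeting over it and reaches six unrelated hosts meanwhile;
# device 10.20.0.8 only holds one long connection to a single content host.
SAMPLE_FLOWS = [
    (0, 1800, "10.20.0.7", "203.0.113.9", b"\x05\x01\x00"),
    *[(60 * i, 60 * i + 5, "10.20.0.7", f"198.51.100.{i}", b"") for i in range(1, 7)],
    (0, 1800, "10.20.0.8", "192.0.2.50", b"\x16\x03\x03"),  # constructed TLS-like bytes
]

if __name__ == "__main__":
    for device, reasons in find_relay_nodes(SAMPLE_FLOWS).items():
        print(device, "->", "; ".join(reasons))
```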
Kill Chain Progression
Initial Compromise
Description
Attackers used Meta advertisements to promote malicious streaming apps, tricking users into downloading and installing the Mirax malware.
MITRE ATT&CK® Techniques
- Application Layer Protocol: Web Protocols
- Exploitation for Client Execution
- Input Capture: Keylogging
- Acquire Infrastructure: Domain Registration
- Audio Capture
- Location Tracking
- Software Discovery
- System Information Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement Strong Authentication Mechanisms
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Mirax RAT's SOCKS5 proxy capabilities enable credential theft and transaction manipulation through compromised mobile banking apps, bypassing traditional security controls.
Marketing/Advertising/Sales
Meta advertising platform exploitation demonstrates vulnerability to malicious campaigns, requiring enhanced egress filtering and anomaly detection for advertising networks.
Telecommunications
Android RAT infections create unauthorized proxy networks affecting carrier infrastructure, necessitating east-west traffic security and encrypted communications monitoring capabilities.
Financial Services
Remote access trojan threats to mobile financial applications require zero trust segmentation and real-time threat detection to prevent data exfiltration.
Sources
- Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads – https://thehackernews.com/2026/04/mirax-android-rat-turns-devices-into.html
- Mirax Android Trojan Turns Devices Into Residential Proxy Nodes – https://www.infosecurity-magazine.com/news/mirax-trojan-devices-proxy-nodes/
- Mirax Android RAT: New Threat Through Proxy Functionality – https://www.it-boltwise.de/mirax-android-rat-neue-bedrohung-durch-proxy-funktionalitaet.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to the Mirax Android RAT campaign as it could limit the malware's ability to establish persistent proxy channels and exfiltrate sensitive data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF primarily secures cloud workloads, its principles could inspire endpoint security measures that may limit the malware's ability to communicate with command-and-control servers.
Control: Zero Trust Segmentation
Mitigation: Applying Zero Trust Segmentation principles to endpoint devices could limit the malware's ability to access sensitive resources and execute unauthorized commands.
Control: East-West Traffic Security
Mitigation: Implementing East-West Traffic Security measures on endpoints could limit the malware's ability to establish unauthorized proxy channels for lateral movement.
Control: Multicloud Visibility & Control
Mitigation: Applying Multicloud Visibility & Control principles to endpoint devices could limit the malware's ability to communicate with external command-and-control servers.
Control: Egress Security & Policy Enforcement
Mitigation: Implementing Egress Security & Policy Enforcement on endpoints could limit the malware's ability to exfiltrate sensitive data.
Applying CNSF principles to endpoint devices could limit the malware's ability to use compromised devices as proxy nodes for further malicious activities.
Impact at a Glance
Affected Business Functions
- Mobile Banking Services
- Customer Account Management
- Fraud Detection Systems
Estimated downtime: 7 days
Estimated loss: $500,000
Data at risk: Personal and financial information of affected users, including banking credentials and transaction data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict device permissions and limit malware capabilities.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual device behaviors indicative of compromise.
- Enforce Multicloud Visibility & Control to gain comprehensive insights into network traffic and detect malicious activities.
- Apply Inline IPS (Suricata) to inspect and block known exploit patterns and malicious payloads in real time.