# Mirax
Mirax is an Android RAT and banking trojan operating as a private Malware-as-a-Service offering, first advertised on underground forums in December 2025. Cleafy published their analysis in April 2026 after monitoring campaigns targeting Spanish-speaking regions since March 2026. Mirax combines standard RAT capabilities (VNC, overlays, keylogging) with SOCKS5 residential proxy functionality that turns infected devices into proxy nodes, allowing operators to route traffic through victims' legitimate IP addresses. The proxy feature uses Yamux multiplexing over WebSocket. Distribution reaches victims through Meta advertisements (Facebook, Instagram) promoting fake IPTV streaming apps, with droppers hosted via GitHub Releases.
## Overview
| Attribute | Details |
|---|---|
| First Seen | December 19, 2025 (forum advertisement), March 2026 (active campaigns) |
| Status | Active, under rapid development |
| Type | RAT, banking trojan, residential proxy |
| Attribution | Russian-speaking developers (private MaaS, restricted to trusted affiliates) |
| Platform | Android |
| Target Region | Spain (primary), expanding to other languages |
| Target Apps | 182+ (Spanish banking, crypto) |
| Distribution | Meta Ads, GitHub Releases |
| Packer | GoldCrypt (Golden Encryption) or Virbox (builder option) |
## Distribution
### Meta Advertisement Campaigns
Mirax affiliates promote dropper pages through Meta's ad platform across Facebook, Instagram, Messenger, and Threads. The analyzed campaign reached over 200,000 accounts. The lure is an illegal IPTV/sports streaming application, targeting users already conditioned to sideload APKs since such apps are unavailable on Google Play.
All delivery URLs implement device checks via HTTP headers to ensure access from mobile devices, blocking automated scanners and desktop browsers.
### GitHub Releases Abuse
Droppers are hosted via GitHub Releases pages. Affiliates push updates to pre-existing releases rather than creating new ones to evade automated crawlers. Sample hashes change daily through automated repacking or signature rotation while application content remains unchanged, defeating hash-based detection. The analyzed releases page grew from five to over ten applications as the campaign matured.
### Additional Campaigns
Other observed campaigns use IoT utility and NSFW application lures, though the sports streaming campaign provided the most comprehensive operational indicators.
## Capabilities
Mirax implements 60+ C2 commands spanning RAT control, credential theft, surveillance, and proxy functionality.
### Core RAT
| Capability | Implementation |
|---|---|
| HTML overlay injection | Dynamic HTML templates fetched from C2, rendered over target apps |
| Screen capture | Real-time screen streaming to C2 |
| VNC | Interactive VNC-based screen sharing |
| Black screen overlay | Hides malicious activity from user, with fake "updating" variant |
| System navigation | Remote tap, swipe, home, back, recents via accessibility |
| App management | Launch, block, unblock, uninstall applications |
| Anti-uninstall protection | Prevents user from removing the malware |
| Device lock/unlock/wake | Uses stored or captured credentials |
### Credential Theft
| Capability | Implementation |
|---|---|
| Dynamic overlays | HTML/JS phishing pages bound to target package names, loaded from C2 |
| Keylogging | Continuous input capture across all applications |
| Keyguard exfiltration | Captures lock screen configuration: PIN length, pattern structure, biometric usage |
| Clipboard access | Read and set system clipboard contents |
| Fake lock screen | Configurable lock screen type for credential capture |
| Notification display | Shows notifications from specific app packages |
### Surveillance
| Capability | Implementation |
|---|---|
| SMS collection | Intercept and upload SMS messages (on-demand or continuous) |
| Camera capture | Background photo/video capture from any available camera |
| Screen data | JSON-formatted screen layout data exfiltration |
### Residential Proxy
Mirax turns infected devices into SOCKS5 residential proxy nodes, routing attacker traffic through the victim's legitimate IP address. The proxy uses a custom Yamux multiplexing implementation over the WebSocket-based C2 channel, allowing multiple connections through a single tunnel.
This serves multiple purposes:
- Bypass geolocation-based fraud detection during account takeover
- Mask attack origin with legitimate residential IPs
- Enable password spraying and other attacks from reputable subnets
- Monetize partially compromised devices (proxy works even without accessibility permission)
The last point is operationally significant: if a victim installs the app but refuses to enable accessibility services, the operators lose RAT capabilities but can still enroll the device as a proxy node, which requires fewer permissions. This ensures partial monetization even from incomplete infections.
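The tunnel described above multiplexes many proxied connections over one WebSocket using Yamux. The following parser is an added example for analysts triaging captured WebSocket payloads; it is not Mirax code or Cleafy's tooling. It assumes the standard Yamux header layout (version, type, flags, stream ID, length, all big-endian), so a buffer that fails to parse means "not standard Yamux", not "not Mirax", since the report calls the implementation custom. The sample frames are constructed inline.

```python
"""Yamux frame parser for triaging a suspected residential-proxy tunnel (added example)."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Dict, List

# Assumption: standard Yamux header, 12 bytes: version(1) type(1) flags(2) stream_id(4) length(4)
HEADER = struct.Struct(">BBHII")
HEADER_LEN = HEADER.size
YAMUX_VERSION = 0
TYPE_DATA, TYPE_WINDOW_UPDATE, TYPE_PING, TYPE_GO_AWAY = 0, 1, 2, 3
TYPE_NAMES = {0: "DATA", 1: "WINDOW_UPDATE", 2: "PING", 3: "GO_AWAY"}
FLAG_NAMES = {0x1: "SYN", 0x2: "ACK", 0x4: "FIN", 0x8: "RST"}


@dataclass
class Frame:
    ftype: str
    flags: List[str]
    stream_id: int
    length: int  # byte count for DATA, window delta for WINDOW_UPDATE, opaque value for PING
    payload: bytes = b""


def build_frame(ftype: int, flags: int, stream_id: int, body: bytes = b"", length: int = 0) -> bytes:
    """Encode one frame; used here only to construct sample traffic."""
    if ftype == TYPE_DATA:
        length = len(body)
        return HEADER.pack(YAMUX_VERSION, ftype, flags, stream_id, length) + body
    return HEADER.pack(YAMUX_VERSION, ftype, flags, stream_id, length)


def parse_frames(buf: bytes) -> List[Frame]:
    """Split a buffer into Yamux frames; raises ValueError on anything non-conformant."""
    frames: List[Frame] = []
    off = 0
    while off < len(buf):
        if off + HEADER_LEN > len(buf):
            raise ValueError("truncated header")
        version, ftype, flags, sid, length = HEADER.unpack_from(buf, off)
        if version != YAMUX_VERSION or ftype not in TYPE_NAMES:
            raise ValueError("not a Yamux header")
        if flags & ~0xF:
            raise ValueError("unknown flag bits")
        off += HEADER_LEN
        payload = b""
        if ftype == TYPE_DATA:  # only DATA frames carry a body
            if off + length > len(buf):
                raise ValueError("truncated data frame")
            payload = buf[off:off + length]
            off += length
        names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
        frames.append(Frame(TYPE_NAMES[ftype], names, sid, length, payload))
    return frames


def looks_like_yamux(buf: bytes, min_frames: int = 2) -> bool:
    """Heuristic: the whole buffer parses cleanly into at least min_frames frames."""
    try:
        return len(parse_frames(buf)) >= min_frames
    except ValueError:
        return False


def stream_summary(frames: List[Frame]) -> Dict[int, int]:
    """DATA bytes carried per stream: shows how many connections share one WebSocket."""
    totals: Dict[int, int] = {}
    for f in frames:
        if f.ftype == "DATA":
            totals[f.stream_id] = totals.get(f.stream_id, 0) + f.length
    return totals


# Constructed sample: two client-opened streams (odd IDs) plus a session-level ping.
SAMPLE_WS_MESSAGE = (
    build_frame(TYPE_WINDOW_UPDATE, 0x1, 1)                 # SYN opens stream 1
    + build_frame(TYPE_WINDOW_UPDATE, 0x2, 1)               # ACK for stream 1
    + build_frame(TYPE_DATA, 0x0, 1, b"\x05\x01\x00")       # constructed SOCKS5 greeting on stream 1
    + build_frame(TYPE_WINDOW_UPDATE, 0x1, 3)               # SYN opens stream 3
    + build_frame(TYPE_DATA, 0x0, 3, b"\x05\x01\x00\x03")   # constructed bytes on stream 3
    + build_frame(TYPE_PING, 0x1, 0, length=42)             # ping with opaque value 42
)
NOT_YAMUX = b"GET /control HTTP/1.1\r\nHost: example.invalid\r\n"  # constructed non-Yamux bytes

if __name__ == "__main__":
    for frame in parse_frames(SAMPLE_WS_MESSAGE):
        print(frame)
    print("streams:", stream_summary(parse_frames(SAMPLE_WS_MESSAGE)))
    print("http looks like yamux:", looks_like_yamux(NOT_YAMUX))
```

Run it against a single WebSocket message direction at a time; a device that suddenly carries dozens of distinct stream IDs over one long-lived WebSocket is the proxy-node pattern the report describes, whereas ordinary WebSocket applications rarely speak Yamux at all.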
## Technical Details
### Dropper Chain
The infection uses a two-stage dropper:
- Dropper APK: Disguised as an IPTV app, prompts the user to enable installation from unknown sources
- Encrypted .dex extraction: The dropper contains an encrypted DEX file hidden in a deeply nested folder path using uncommon characters to confuse static analysis tools
- RC4 decryption: The DEX payload is decrypted using RC4 with a hardcoded key
- Implant extraction: The decrypted DEX extracts and installs the final APK from res/raw/, encrypted with XOR using a key stored in BuildConfig
- Accessibility prompt: The malware masquerades as a video playback utility and requests accessibility services
- Fake failure page: After accessibility is granted, displays an HTML page claiming installation failed while malware runs in the background
The builder also supports remote implant delivery via IMPLANT_DOWNLOAD_URL, though this was not active in the analyzed campaigns.
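The two decryption layers in the chain above (RC4 over the embedded DEX, repeating-key XOR over the res/raw APK) are simple enough that an analyst can recover the stages with a few lines once the keys are pulled from the sample. The helper below is an added example, not Mirax code or Cleafy's tooling; the keys and payload bytes are constructed for the demonstration, and the candidate-key loop assumes the hardcoded RC4 key is among the string constants recovered from the dropper.

```python
"""Stage-recovery helper modelled on the described dropper chain (added example)."""
from __future__ import annotations

from typing import Iterable, Optional, Tuple

DEX_MAGIC_PREFIX = b"dex\n"  # full magic is dex\n + three ASCII digits + NUL, e.g. dex\n035\0
ZIP_MAGIC = b"PK\x03\x04"    # an APK is a ZIP archive


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, the layer described for the res/raw implant."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_dex(blob: bytes) -> bool:
    """Validate the DEX header magic: 'dex\\n' + 3 digits + NUL."""
    return (len(blob) >= 8 and blob[:4] == DEX_MAGIC_PREFIX
            and blob[4:7].isdigit() and blob[7] == 0)


def looks_like_apk(blob: bytes) -> bool:
    return blob[:4] == ZIP_MAGIC


def recover_rc4_key(encrypted_dex: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Try candidate keys (e.g. string constants from the dropper) and return the first
    one that yields a valid DEX header. RC4 is a stream cipher, so decrypting only the
    first 8 bytes per candidate is enough to test the magic."""
    for key in candidates:
        if key and looks_like_dex(rc4_crypt(key, encrypted_dex[:8])):
            return key
    return None


def unpack_dropper(encrypted_dex: bytes, rc4_key: bytes,
                   encrypted_apk: bytes, xor_key: bytes) -> Tuple[bytes, bytes]:
    """Recover (stage-2 DEX, final APK), refusing output that fails the magic checks."""
    dex = rc4_crypt(rc4_key, encrypted_dex)
    if not looks_like_dex(dex):
        raise ValueError("RC4 output is not a DEX file; wrong key or different packer layout")
    apk = xor_crypt(xor_key, encrypted_apk)
    if not looks_like_apk(apk):
        raise ValueError("XOR output is not a ZIP/APK; wrong key or different packer layout")
    return dex, apk


# Constructed sample material (not bytes from a real Mirax sample).
RC4_KEY = b"constructed-rc4-key"
XOR_KEY = b"constructed-xor-key"
STAGE2_DEX = b"dex\n035\x00" + bytes(24) + b"<constructed stage-2 DEX body>"
FINAL_APK = ZIP_MAGIC + b"<constructed final APK body>"
ENCRYPTED_DEX = rc4_crypt(RC4_KEY, STAGE2_DEX)
ENCRYPTED_APK = xor_crypt(XOR_KEY, FINAL_APK)


def demo() -> Tuple[bytes, bytes]:
    """Recover the key from a candidate list, then unpack both layers."""
    key = recover_rc4_key(ENCRYPTED_DEX, [b"wrong-guess", b"", RC4_KEY])
    if key is None:
        raise ValueError("no candidate key produced a DEX header")
    return unpack_dropper(ENCRYPTED_DEX, key, ENCRYPTED_APK, XOR_KEY)


if __name__ == "__main__":
    dex, apk = demo()
    print("stage-2 DEX header:", dex[:8], "final APK header:", apk[:4])
```

Because the campaign rotates sample hashes daily, the recovered inner stages (and the keys themselves) are better pivot points than the outer dropper hash: the report notes the application content stays the same while only the packaging changes.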
### GoldCrypt Packer
Mirax uses GoldCrypt (also known as Golden Encryption or Golden Crypt), a commercial-grade packer promoted on underground forums. The same packer was observed in Albiriox. GoldCrypt is less documented than Virbox but follows similar patterns: encrypted DEX files with RC4 decryption at runtime. The Mirax builder offers both Virbox and GoldCrypt as packer options.
### Private MaaS Model
Unlike typical MaaS offerings with open sales channels, Mirax restricts access to a small number of affiliates. Access is prioritized for Russian-speaking actors with established reputations in underground communities. The developers provide documentation including builder screenshots, packer options, and feature descriptions. The pricing structure uses tiered subscription plans (exact pricing not disclosed in the analyzed materials).
The developers explicitly state that Mirax is incompatible with CIS countries due to app restrictions, following the common pattern of Russian-speaking malware operators avoiding domestic targets.
## C2 Infrastructure
Mirax uses a C2 Gate server architecture: all samples contact the same gateway domain, which proxies traffic to the actual affiliate C2 servers. This separates affiliate infrastructure from the malware samples.
### WebSocket Channels
| Port | Endpoint | Purpose |
|---|---|---|
| 8443 | /control | Real-time commands and remote access |
| 8444 | /data | Screen streaming and data exfiltration |
| 8445 (or custom) | /tunnel (or custom) | SOCKS5 residential proxy (connects to separate relay server) |
Communication is bidirectional: devices send periodic status updates, while the server pushes commands, configurations, and HTML overlay templates. Target application lists and overlay templates are delivered dynamically, making static extraction of the full target list difficult.
## Target Languages
| Language |
|---|
| Chinese |
| French |
| German |
| Hungarian |
| Israeli |
| Italian |
| Japanese |
| Polish |
| Portuguese |
| Slovenian |
| Spanish |
## IOCs
### File Hashes
| SHA-256 | Name | Package | Type |
|---|---|---|---|
| 53de68ebec281e7233bffc52199b22ec2dba463eec3b29d4c399838e18daecbf | StreamTV | org.lgvvfj.pluscqpuj | Dropper |
| 88e6e4a5478a3ee7bfdfc5e7614ae6f3f121e0d470741a9cc84a111fe9b266db | Reproductor de video | org.yjeiwd.plusdc71 | Malware |
| 759eed82699b86b6a792a63ccc76c2fa5ed71720b89132abdead9753f5d7bd11 | StreamTV | org.dawme.secure5ny | Dropper |
| 29577570d18409d93fa2517198354716740b19699eb5392bfaa265f2f6b91896 | Reproductor de video | org.azgaw.managergst1d | Malware |
### Network Indicators
| Type | Value | Purpose |
|---|---|---|
| Domain | ilovepng[.]info | C2 |
| URL | wss://ilovepng[.]info:8443/control | C2 commands |
| URL | wss://ilovepng[.]info:8444/data | C2 exfiltration |
| Domain | descarga-smtr[.]net | Delivery page |
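The network indicators above and the WebSocket channel table earlier on this page can be turned into a single connection-log check. The script below is an added example, not Cleafy's or Mirax's code: it refangs the published domains, treats any port on the C2 gate domain as a hit (the gate proxies to affiliate servers and the tunnel port is configurable), and flags the port/endpoint shape of the three channels on unknown hosts as a weaker signal. The log line format and the sample lines are constructed for the example; adapt parse_line() to your proxy or NetFlow export.

```python
"""Connection-log scan for the Mirax C2 channels and network IOCs (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Indicators as published on this page (defanged).
C2_GATE_DOMAINS = {"ilovepng[.]info"}
DELIVERY_DOMAINS = {"descarga-smtr[.]net"}
# Endpoint -> (default port, channel name) from the WebSocket Channels table.
CHANNELS = {"/control": (8443, "control"), "/data": (8444, "data"), "/tunnel": (8445, "tunnel")}


def refang(ioc: str) -> str:
    """Turn a defanged indicator into a matchable value."""
    return ioc.lower().replace("[.]", ".").replace("hxxp", "http")


C2_HOSTS = {refang(d) for d in C2_GATE_DOMAINS}
DELIVERY_HOSTS = {refang(d) for d in DELIVERY_DOMAINS}

# Constructed log format: "<ts> src=<ip> host=<sni/host> port=<n> path=<path> upgrade=<websocket|none>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+host=(?P<host>\S+)\s+port=(?P<port>\d+)"
    r"\s+path=(?P<path>\S+)\s+upgrade=(?P<upgrade>\S+)$"
)


@dataclass
class Conn:
    ts: str
    src: str
    host: str
    port: int
    path: str
    websocket: bool


def parse_line(line: str) -> Optional[Conn]:
    """Parse one constructed log line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Conn(m["ts"], m["src"], m["host"].lower(), int(m["port"]),
                m["path"], m["upgrade"].lower() == "websocket")


def classify(c: Conn) -> Optional[str]:
    """Return an alert label (strongest signal first) or None."""
    if c.host in DELIVERY_HOSTS:
        return "mirax-delivery-page"
    if c.host in C2_HOSTS:
        # Any port on the gate domain counts; name the channel when the path is a known one.
        chan = CHANNELS[c.path][1] if c.path in CHANNELS else "unknown"
        return f"mirax-c2-{chan}"
    if c.websocket and c.path in CHANNELS and c.port == CHANNELS[c.path][0]:
        # No known host, but the WebSocket port/endpoint shape matches (e.g. the separate
        # tunnel relay). Weaker signal: corroborate with the device's other traffic.
        return f"mirax-pattern-{CHANNELS[c.path][1]}"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, label) for every line that matches."""
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        c = parse_line(line)
        if c is None:
            continue
        label = classify(c)
        if label:
            alerts.append((c.ts, c.src, label))
    return alerts


# Constructed sample log; the 10.0.0.x sources and relay/example hosts are not real IOCs.
SAMPLE_LOG = """\
2026-03-14T10:00:01Z src=10.0.0.5 host=ilovepng.info port=8443 path=/control upgrade=websocket
2026-03-14T10:00:02Z src=10.0.0.5 host=ilovepng.info port=8444 path=/data upgrade=websocket
2026-03-14T10:00:09Z src=10.0.0.5 host=relay.example port=8445 path=/tunnel upgrade=websocket
2026-03-14T10:00:10Z src=10.0.0.5 host=ilovepng.info port=9001 path=/proxy upgrade=websocket
2026-03-14T09:58:40Z src=10.0.0.7 host=descarga-smtr.net port=443 path=/ upgrade=none
2026-03-14T10:01:00Z src=10.0.0.9 host=www.example.com port=443 path=/control upgrade=none
2026-03-14T10:01:05Z src=10.0.0.9 host=cdn.example.org port=443 path=/index.html upgrade=none
this line is malformed and is skipped
"""


def demo() -> List[Tuple[str, str, str]]:
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, src, label in demo():
        print(ts, src, label)
```

Because the target list and overlay templates are delivered dynamically over these channels, the WebSocket sessions themselves are the most stable network artefact: a mobile device that opens the control and data channels and then a third long-lived WebSocket is worth isolating even when the tunnel relay host is not yet on any block list.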
## Related Families
Albiriox shares the GoldCrypt packer and follows a similar budget MaaS model, though Mirax is positioned as a higher-tier offering with restricted access and residential proxy capabilities.
The C2 architecture (dual WebSocket on ports 8443/8444) closely mirrors Cifrat, which uses the same port assignments for control and data channels. The addition of a third WebSocket channel for SOCKS5 proxy extends this pattern.
Necro also enrolls devices as proxy nodes via its NProxy module, but delivers this capability through a compromised SDK rather than a standalone RAT.