<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Malware-as-a-Service — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/malware-as-a-service/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/malware-as-a-service/feed.xml" rel="self" type="application/rss+xml"/><item><title>Mirax RAT Targeting Android Users in Europe</title><link>https://feed.craftedsignal.io/briefs/2026-04-mirax-rat/</link><pubDate>Thu, 16 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-mirax-rat/</guid><description>Mirax RAT, a new Android RAT distributed as MaaS, is targeting European users by turning infected devices into residential proxy nodes and enabling credential theft via overlay and notification injection.</description><content:encoded><![CDATA[<p>The Mirax RAT is a newly identified Android Remote Access Trojan (RAT) that has been actively targeting users in Europe since March 2026. It&rsquo;s offered as Malware-as-a-Service (MaaS) to a small group of affiliates, primarily Russian-speaking actors, through tiered subscription models. Since December 2025, Mirax has been promoted on underground forums and used in multiple campaigns. The RAT&rsquo;s distribution relies on malicious advertisements on Meta platforms like Facebook, Instagram, and Messenger, with over 200,000 users potentially exposed to these ads. 
The malware uses dropper pages hosted on GitHub and relies on APK sideloading for execution, so the app never passes through Google Play&rsquo;s review. Mirax&rsquo;s capabilities extend beyond typical RAT functions: it can turn the infected device into a residential proxy node by exposing a SOCKS5 proxy.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker creates malicious ads on Facebook, Instagram, and Messenger promoting IPTV application services.</li>
<li>Users click on the advertisements, which redirect them to dropper pages hosted on GitHub.</li>
<li>The user is prompted to enable installation from unknown sources on their Android device.</li>
<li>The malicious IPTV application is installed via APK sideloading.</li>
<li>The application initiates a multi-stage infection process, utilizing Golden Encryption (Golden Crypt) to pack the payload.</li>
<li>The payload, an encrypted Dalvik Executable (.dex) file, is decrypted during installation using the RC4 stream cipher with a hardcoded key. Because the key ships inside the dropper, the stage can be recovered statically once the decrypt routine is located.</li>
<li>Mirax gains control of the device, enabling overlay and notification injection for credential theft.</li>
<li>Attackers can view the screen in real-time, navigate and control the device, manage applications, exfiltrate images and text, and launch a SOCKS5 proxy connection to proxy traffic through the infected device.</li>
</ol>
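<p>The decryption step above, as an added example that is not Mirax&rsquo;s code or part of the original brief: an RC4 routine, a DEX-header check to confirm a candidate hardcoded key actually unpacks the stage, and a hash of the recovered file for sharing. The key and the encrypted sample are constructed placeholders; the real key would come from the dropper&rsquo;s decrypt routine.</p>

```python
"""Added example, not Mirax's own code or CraftedSignal's: decrypt an RC4-packed
DEX payload with a hardcoded key and verify the result by its DEX header.
The key and the encrypted sample below are constructed placeholders; the real
key would be pulled from the dropper's decrypt routine by static analysis."""
import hashlib

DEX_MAGIC_PREFIX = b"dex\n"   # a DEX file begins 'dex\n' + 3-digit version + NUL, e.g. b"dex\n035\x00"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: encryption and decryption are the same operation."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_dex(blob: bytes) -> bool:
    """True if the blob carries a well-formed DEX magic ('dex\\n' + NNN + NUL)."""
    return (
        blob[:4] == DEX_MAGIC_PREFIX
        and blob[4:7].isdigit()
        and blob[7:8] == b"\x00"
    )


def unpack_payload(encrypted: bytes, candidate_keys):
    """Try each candidate hardcoded key; return (key, plaintext) for the first
    decryption that yields a DEX header, or None if none does."""
    for key in candidate_keys:
        plain = rc4(key, encrypted)
        if looks_like_dex(plain):
            return key, plain
    return None


def payload_sha256(blob: bytes) -> str:
    """Hash of the recovered stage, for sharing as an indicator."""
    return hashlib.sha256(blob).hexdigest()


# Constructed sample: a fake DEX header plus filler, NOT a real Mirax stage.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 24 + b"constructed sample body"
ASSUMED_KEY = b"placeholder-hardcoded-key"          # assumption, not the real key
ENCRYPTED_SAMPLE = rc4(ASSUMED_KEY, FAKE_DEX)        # what the dropper would carry


def demo():
    """Recover the stage from the constructed sample, trying a wrong key first."""
    return unpack_payload(ENCRYPTED_SAMPLE, [b"wrong-key", ASSUMED_KEY])


if __name__ == "__main__":
    hit = demo()
    print("recovered with key", hit[0], "sha256", payload_sha256(hit[1]))
```

<p>The header check is what turns a guessed key into a confirmed one: RC4 produces output for any key, so without it a wrong key yields plausible-looking garbage. The same check works for any stage that decrypts to a DEX, whichever cipher the packer uses.</p>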
<h2 id="impact">Impact</h2>
<p>The Mirax RAT campaign has the potential to affect a large number of Android users in Europe. The malicious advertisements have already reached over 200,000 users. Successful infections can lead to credential theft, financial fraud, data exfiltration, and the compromised device being used as a residential proxy, potentially masking malicious activity and further expanding the attacker&rsquo;s reach. Banks and financial institutions are specifically highlighted as high-value targets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for APK downloads from GitHub domains and correlate them with Android device user agents; a handset pulling an .apk from a repository or release page is the first observable step of this chain (Network Connection and User Agent logs).</li>
<li>Implement detections for sideloaded APK installations. On managed Android devices this usually means the MDM or mobile security agent reporting a package whose installer is not the Play Store, or unusual parent-child process relationships where process-level telemetry is available (Process Creation Logs).</li>
<li>Deploy a Sigma rule that alerts on execution of applications installed from untrusted sources and tune it for your environment.</li>
<li>Monitor network connections from Android devices for SOCKS5 handshakes, and for a single handset opening connections to many unrelated external destinations, which is what a device relaying proxy traffic looks like from the network (Network Connection Logs).</li>
</ul>
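<p>The first and last recommendations above, run over constructed log lines as an added example that is not CraftedSignal&rsquo;s detection content: an APK-from-GitHub check keyed on Android user agents, an RFC 1928 SOCKS5 greeting check on the first client bytes of each flow, and a correlation of the two so a device that did both surfaces first. The hosts, IPs, user agents and the Android asset inventory are all made up for the example.</p>

```python
"""Added example, not CraftedSignal's detection content: the recommendations above
run over constructed log lines. Hostnames, IPs, user agents and the asset
inventory are all made up for the example."""
import re

# GitHub hosts that serve repository files and release assets
GITHUB_DOWNLOAD_HOSTS = {
    "github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
}

# Constructed web-proxy log: <src> <host> <path> "<user-agent>"
WEB_LOG = [
    '10.0.0.21 github.com /someuser/iptv-pro/releases/download/v1/iptv.apk "Mozilla/5.0 (Linux; Android 14; Pixel 8)"',
    '10.0.0.22 github.com /someorg/repo/blob/main/README.md "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.23 objects.githubusercontent.com /abc/app.apk "curl/8.4.0"',
    '10.0.0.21 cdn.example.com /static/app.apk "Mozilla/5.0 (Linux; Android 14; Pixel 8)"',
]
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

# Constructed flow records carrying the first client bytes of each connection
FLOWS = [
    {"src": "10.0.0.21", "dst": "203.0.113.7", "dport": 1080, "first_bytes": b"\x05\x02\x00\x02"},
    {"src": "10.0.0.21", "dst": "198.51.100.9", "dport": 443, "first_bytes": b"\x16\x03\x01\x00\xc8"},
    {"src": "10.0.0.50", "dst": "203.0.113.7", "dport": 1080, "first_bytes": b"\x05\x01\x00"},
]
# Assumed asset inventory (e.g. from MDM): which internal IPs are Android handsets
ANDROID_DEVICES = {"10.0.0.21", "10.0.0.24"}


def flag_apk_downloads(lines):
    """APK fetched from a GitHub host by an Android user agent -> (src, host, path)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, path, ua = m["host"], m["path"], m["ua"]
        if host in GITHUB_DOWNLOAD_HOSTS and path.lower().endswith(".apk") and "Android" in ua:
            hits.append((m["src"], host, path))
    return hits


def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS>=1, then exactly NMETHODS method bytes."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


def flag_socks5_flows(flows, android_devices):
    """SOCKS5 greetings in flows whose source is an Android handset."""
    return [
        (f["src"], f["dst"], f["dport"])
        for f in flows
        if f["src"] in android_devices and is_socks5_greeting(f["first_bytes"])
    ]


def correlate(lines, flows, android_devices):
    """Devices that both pulled an APK from GitHub and later spoke SOCKS5: the
    strongest signal this brief's indicators give without a sample in hand."""
    downloaders = {src for src, _, _ in flag_apk_downloads(lines)}
    proxying = {src for src, _, _ in flag_socks5_flows(flows, android_devices)}
    return downloaders & proxying


if __name__ == "__main__":
    print("apk downloads:", flag_apk_downloads(WEB_LOG))
    print("socks5 from android:", flag_socks5_flows(FLOWS, ANDROID_DEVICES))
    print("correlated:", correlate(WEB_LOG, FLOWS, ANDROID_DEVICES))
```

<p>Each check is noisy on its own: developers fetch APKs from GitHub, and SOCKS5 on port 1080 has legitimate uses. Restricting the SOCKS5 check to hosts the inventory says are handsets, and intersecting with the download hits, is what keeps the alert volume workable; the user-agent match should be widened to whatever your proxy actually records for Android browsers.</p>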
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>android</category><category>rat</category><category>mirax</category><category>malware-as-a-service</category><category>proxy</category></item></channel></rss>