{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mirax/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["android","rat","mirax","malware-as-a-service","proxy"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Mirax RAT is a newly identified Android Remote Access Trojan (RAT) that has been actively targeting users in Europe since March 2026. It\u0026rsquo;s offered as Malware-as-a-Service (MaaS) to a small group of affiliates, primarily Russian-speaking actors, through tiered subscription models. Since December 2025, Mirax has been promoted on underground forums and used in multiple campaigns. The RAT\u0026rsquo;s distribution relies on malicious advertisements on Meta platforms like Facebook, Instagram, and Messenger, with over 200,000 users potentially exposed to these ads. The malware uses dropper pages hosted on GitHub and relies on APK sideloading for execution, bypassing the Google Play Store\u0026rsquo;s security measures. 
Mirax\u0026rsquo;s capabilities extend beyond typical RAT functions, including turning infected devices into residential proxy nodes via a SOCKS5 proxy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates malicious ads on Facebook, Instagram, and Messenger promoting IPTV application services.\u003c/li\u003e\n\u003cli\u003eUsers click on the advertisements, which redirect them to dropper pages hosted on GitHub.\u003c/li\u003e\n\u003cli\u003eThe user is prompted to enable installation from unknown sources on their Android device.\u003c/li\u003e\n\u003cli\u003eThe malicious IPTV application is installed via APK sideloading.\u003c/li\u003e\n\u003cli\u003eThe application initiates a multi-stage infection process, utilizing Golden Encryption (Golden Crypt) to pack the payload.\u003c/li\u003e\n\u003cli\u003eThe payload, an encrypted Dalvik Executable (.dex) file, is decrypted during installation using the RC4 stream cipher with a hardcoded key.\u003c/li\u003e\n\u003cli\u003eMirax gains control of the device, enabling overlay and notification injection for credential theft.\u003c/li\u003e\n\u003cli\u003eAttackers can view the screen in real time, navigate and control the device, manage applications, exfiltrate images and text, and launch a SOCKS5 proxy connection to proxy traffic through the infected device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Mirax RAT campaign has the potential to affect a large number of Android users in Europe. The malicious advertisements have already reached over 200,000 users. Successful infections can lead to credential theft, financial fraud, data exfiltration, and the compromised device being used as a residential proxy, potentially masking malicious activity and further expanding the attacker\u0026rsquo;s reach. 
Banks and financial institutions are specifically highlighted as high-value targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to GitHub domains associated with APK downloads, and correlate that with Android device user agents (Network Connection and User Agent logs).\u003c/li\u003e\n\u003cli\u003eImplement detections for process creation events related to sideloaded APK installations, specifically looking for unusual parent-child process relationships (Process Creation Logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect the execution of applications from untrusted sources and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for SOCKS5 proxy traffic originating from Android devices, which may indicate compromised devices acting as residential proxies (Network Connection Logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-mirax-rat/","summary":"Mirax RAT, a new Android RAT distributed as MaaS, is targeting European users by turning infected devices into residential proxy nodes and enabling credential theft via overlay and notification injection.","title":"Mirax RAT Targeting Android Users in Europe","url":"https://feed.craftedsignal.io/briefs/2026-04-mirax-rat/"}],"language":"en","title":"CraftedSignal Threat Feed — Mirax","version":"https://jsonfeed.org/version/1.1"}