A new Android RAT turning infected devices into potential residential proxy nodes
Mirax is an Android Remote Access Trojan (RAT) distributed as Malware-as-a-Service, primarily targeting European users in Spanish-speaking regions. It spreads via Meta advertisements and GitHub-hosted droppers, affecting over 200,000 accounts. The malware features advanced capabilities such as dynamically fetched HTML overlays, keylogging, remote device control, and notably, the ability to convert infected devices into SOCKS5 residential proxy nodes. This proxy functionality enables attackers to route traffic through legitimate residential IPs, facilitating evasion of geolocation restrictions and fraud detection during account takeovers and transaction fraud. Mirax uses commercial-grade obfuscation and maintains persistence through abuse of Android Accessibility Services. No official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
Mirax is a newly identified Android RAT operating as Malware-as-a-Service, targeting European Spanish-speaking users. It is distributed through Meta advertisements and GitHub droppers, with over 200,000 infected devices reported. The malware employs sophisticated techniques including HTML overlays, comprehensive keylogging, and remote control. A unique feature is its integration of SOCKS5-based residential proxy functionality, turning infected devices into proxy nodes to route attacker traffic through legitimate residential IP addresses. This allows bypassing geolocation restrictions and fraud detection systems during malicious activities such as account takeovers and transaction fraud. Mirax uses Golden Encryption for obfuscation and abuses Accessibility Services to maintain persistence. Indicators include domains and URLs such as ilovepng.info and descarga-smtr.net. There is no known patch or official remediation at this time.
Potential Impact
The malware compromises Android devices by enabling attackers to remotely control them and capture sensitive input via keylogging. The SOCKS5 residential proxy feature allows attackers to route malicious traffic through infected devices, effectively masking their origin and bypassing geolocation and fraud detection controls. This facilitates account takeovers and transaction fraud, increasing the risk of financial and data loss for victims. The infection scale (over 200,000 accounts) indicates significant potential impact, especially in targeted Spanish-speaking European regions.
Mitigation Recommendations
No official patch or remediation guidance is currently available from the vendor or authoritative sources. Organizations and users should monitor for updates from trusted security advisories. Given the malware’s distribution via Meta advertisements and GitHub-hosted droppers, caution is advised when interacting with unsolicited ads or downloading apps from untrusted sources. Employing mobile security solutions capable of detecting RAT behavior and restricting Accessibility Service abuse may help mitigate infection risk. Patch status is not yet confirmed — check vendor advisories for current remediation guidance.
Indicators of Compromise
- url: http://ilovepng.info:8443/control
- url: http://ilovepng.info:8444/data
- domain: descarga-smtr.net
- domain: ilovepng.info
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.cleafy.com/cleafy-labs/mirax-a-new-android-rat-turning-infected-devices-into-potential-residential-proxy-nodes
- Adversary: null
- Pulse Id: 69dcfd5f0b3e3ab70a58831d
- Threat Score: null
Threat ID: 69dd01db82d89c981ff9dd2a
Added to database: 4/13/2026, 2:46:51 PM
Last enriched: 4/13/2026, 3:01:54 PM
Last updated: 4/14/2026, 10:09:30 AM