apk.mirax

Mirax

aka: MiraxRAT, Mirax Bot

Mirax is an Android RAT / banking trojan sold as a private Malware-as-a-Service since December 2025 by an actor using the moniker "Mirax Bot", advertised only to a small pool of predominantly Russian-speaking affiliates. It combines a conventional banking-trojan stack — HTML/JavaScript overlay injection against banking and cryptocurrency apps, Accessibility-Services abuse, HVNC, keylogging, SMS interception, and lock-screen (PIN / pattern / biometric) intelligence harvesting — with an integrated SOCKS5 residential-proxy module multiplexed with Yamux over the WebSocket C2 channel, which turns infected handsets into residential-IP proxy nodes for follow-on fraud. C2 traffic is routed through a C2 Gate server on three concurrent WebSocket channels (control on 8443, data/streaming on 8444, proxy tunnel on 8445). Observed campaigns rely on paid Meta ads impersonating IPTV and illegal sports-streaming apps that redirect to droppers hosted on GitHub Releases with daily-rotating hashes; the analysed campaign targeted Spanish-speaking users (Spain) and reached more than 220,000 accounts, though the platform's overlay inventory includes templates for German, French, Italian, Polish, Portuguese, and other European languages.

References
2026-04-13 · Cleafy · Cleafy
Mirax: a new Android RAT turning infected devices into potential residential proxy nodes
Mirax

There is no Yara-Signature yet.