A new Android RAT turning infected devices into potential residential proxy nodes

April 13, 2026, 2:47 p.m.

Description

Mirax is a newly identified Android Remote Access Trojan operating as Malware-as-a-Service, actively targeting European users, particularly in Spanish-speaking regions. Distributed through Meta advertisements and GitHub-hosted droppers, the malware has reached over 200,000 accounts. It employs sophisticated techniques including dynamically fetched HTML overlays, comprehensive keylogging, and remote device control capabilities. A distinctive feature is its integration of SOCKS5-based residential proxy functionality, transforming infected devices into proxy nodes that enable attackers to route traffic through legitimate residential IP addresses. This capability allows operators to bypass geolocation restrictions and evade fraud detection systems while conducting account takeovers and transaction fraud. The malware uses commercial-grade obfuscation through Golden Encryption and establishes persistence through Accessibility Service abuse.

Date

  • Created: April 13, 2026, 2:27 p.m.
  • Published: April 13, 2026, 2:27 p.m.
  • Modified: April 13, 2026, 2:47 p.m.

Indicators

  • http://ilovepng.info:8443/control
  • http://ilovepng.info:8444/data

Attack Patterns

  • Albiriox
  • TeaBot
  • Mirax

Additional Information

  • Finance
  • ilovepng.info
  • descarga-smtr.net
  • Spain