Mirax Android RAT Targets Spanish-Speaking Countries, Turns Devices into Proxy Nodes
A new Android Remote Access Trojan (RAT) called **Mirax** is actively targeting Spanish-speaking countries, compromising over 220,000 accounts. The malware uniquely turns infected devices into residential proxy nodes, enabling attackers to route traffic through the victim's IP address.

**Cleafy**, an Italian online fraud prevention firm, has identified **Mirax** as integrating advanced RAT capabilities, granting threat actors real-time interaction with compromised devices. Beyond typical RAT functions, Mirax enhances its value by transforming infected devices into residential proxy nodes, leveraging SOCKS5 protocol support and Yamux multiplexing for persistent proxy channels.
### Mirax: A Malware-as-a-Service Offering
Details of Mirax surfaced last month when **Outpost24**'s KrakenLabs reported that a threat actor, "Mirax Bot," was advertising a private malware-as-a-service (MaaS) offering on underground forums. The full package costs $2,500 for a three-month subscription, while a lightweight variant, lacking proxy features and Google Play Protect bypass capabilities via a crypter, is available for $1,750 per month.
Like other Android malware, Mirax captures keystrokes, steals photos, gathers lock screen details, executes commands, navigates the UI, and monitors user activity. It dynamically fetches HTML overlay pages from a command-and-control (C2) server for credential theft.
### Residential Proxy Functionality
The incorporation of a SOCKS proxy distinguishes Mirax from conventional RATs. This proxy botnet allows threat actors to bypass geolocation-based restrictions, evade fraud detection systems, and conduct account takeovers or transaction fraud under the guise of anonymity.
"Unlike typical MaaS offerings, Mirax is distributed through a highly controlled and exclusive model, limited to a small number of affiliates," **Cleafy** researchers noted. Access is prioritized for Russian-speaking actors with established reputations, indicating a deliberate effort to maintain operational security.
### Distribution via Meta Ads
Attack chains distributing the malware use **Meta** ads to promote dropper app web pages, tricking users into downloading them. Up to six ads have been observed, often promoting a streaming service with free access to live sports and movies. Five ads targeted users in Spain. One ad, running since April 6, 2026, reached over 190,000 accounts.

The dropper app URLs implement checks to ensure access from mobile devices and prevent automated scans. Examples of malicious apps include:
* StreamTV (org.lgvvfj.pluscqpuj or org.dawme.secure5ny) - Dropper app
* Reproductor de video (org.yjeiwd.plusdc71 or org.azgaw.managergst1d) - Mirax
A notable aspect is the use of **GitHub** to host the malicious dropper APK files. The builder panel allows selection between two crypters, Virbox and **Golden Crypt** (aka Golden Encryption), for enhanced APK protection.
### Infection Process
Once installed, the dropper instructs users to allow installation from unknown sources. The extraction process is a multi-stage operation designed to evade security analysis and sandboxing tools.
The malware masquerades as a video playback utility, prompting users to enable accessibility services. It runs in the background, displays a fake error message, and serves bogus overlays to conceal malicious activities. It establishes multiple bidirectional C2 channels:
* WebSocket on port 8443: Remote access and command execution.
* WebSocket on port 8444: Remote streaming and data exfiltration.
* WebSocket on port 8445 (or a custom port): Residential proxy setup using SOCKS5.
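
The port layout above lends itself to a network-side correlation heuristic: one device holding long-lived sessions to the same remote host on 8443 and 8444, plus a third channel on 8445 or another port. This is an added example, not code from Cleafy or the original article; the flow-record format, device names, documentation-range IP addresses and the duration threshold are constructed assumptions.

```python
from collections import defaultdict

# Ports the article lists for Mirax's WebSocket C2 channels.
CONTROL_PORT, STREAM_PORT, DEFAULT_PROXY_PORT = 8443, 8444, 8445

# Constructed flow records: (device_id, remote_host, remote_port, duration_seconds)
SAMPLE_FLOWS = [
    ("phone-a", "203.0.113.10", 8443, 3600),
    ("phone-a", "203.0.113.10", 8444, 3550),
    ("phone-a", "203.0.113.10", 8445, 3590),
    ("phone-b", "198.51.100.7", 8443, 12),    # lone, short 8443 session: common and benign
    ("phone-c", "203.0.113.77", 8443, 1800),
    ("phone-c", "203.0.113.77", 8444, 1795),
    ("phone-c", "203.0.113.77", 9100, 1790),  # proxy channel moved to a custom port
    ("phone-d", "192.0.2.5", 443, 40),
]

def find_c2_port_pattern(flows, min_duration=300):
    """Flag device/remote pairs holding both 8443 and 8444 open for a long time.

    Port 8443 alone is widely used by legitimate services, so the signal is
    the persistent pair to a single host. A third long-lived port on the
    same host is reported as a candidate proxy channel.
    """
    ports = defaultdict(set)
    for device, remote, port, duration in flows:
        if duration >= min_duration:          # drop short-lived sessions
            ports[(device, remote)].add(port)

    findings = []
    for (device, remote), seen in sorted(ports.items()):
        if not {CONTROL_PORT, STREAM_PORT} <= seen:
            continue
        extra = sorted(seen - {CONTROL_PORT, STREAM_PORT})
        if DEFAULT_PROXY_PORT in extra:
            confidence = "high"               # full default triad
        elif extra:
            confidence = "medium"             # pair plus a custom third port
        else:
            confidence = "low"                # pair only, proxy channel not seen
        findings.append({"device": device, "remote": remote,
                         "proxy_candidates": extra, "confidence": confidence})
    return findings

if __name__ == "__main__":
    for finding in find_c2_port_pattern(SAMPLE_FLOWS):
        print(finding)
```
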
"This convergence of RAT and proxy capabilities reflects a broader shift in the threat landscape," **Cleafy** stated. "While residential proxy abuse has historically been associated with compromised IoT devices, Mirax marks a new phase by embedding this functionality within a full-featured banking trojan."
### ASO RAT: Another Android Threat
Separately, Breakglass Intelligence detailed an Arabic-language Android RAT called ASO RAT, distributed via apps disguised as PDF readers and Syrian government applications.
"The platform provides full device compromise capabilities: SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS launching from victim devices," the company said. "A multi-user panel with role-based access control suggests this operates as a RAT-as-a-Service or supports a multi-operator team."
Syria-themed lures (e.g., SyriaDefenseMap and GovLens) suggest targeting individuals interested in Syrian military or governance matters, potentially as part of a surveillance operation.