Mirax Android RAT Turns Phones into SOCKS5 Proxies Through Meta Ads

A new Android remote access trojan called Mirax is turning infected phones into proxy nodes. Cleafy, an Italian online fraud prevention firm, said Mirax combines standard RAT features with SOCKS5 proxy capabilities. The result is a more versatile threat for fraud and surveillance.

What researchers found

Cleafy said, “Mirax integrates advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real-time.” The firm added that Mirax can also convert devices into residential proxy nodes by using SOCKS5 and Yamux multiplexing. That lets attackers route traffic through a victim’s real IP address.

Outpost24’s KrakenLabs also investigated Mirax. KrakenLabs reported that a threat actor calling themselves ‘Mirax Bot’ is advertising a malware-as-a-service offering on underground forums. Outpost24 said the service costs about $2,500 for a three-month subscription and that a cheaper, limited variant is available for $1,750 per month.

How the campaign spreads

Researchers found attackers used paid ads on Meta to push malicious dropper pages. Cleafy said the campaign reached more than 220,000 accounts across Facebook, Instagram, Messenger, and Threads. One ad that started on April 6, 2026, had a reach of 190,987 accounts, Cleafy reported.

The ads promoted fake streaming apps. The dropper pages check for mobile browsers and try to block automated scans. Cleafy listed the malicious app names as StreamTV and Reproductor de video, and said the APKs were hosted on GitHub. The builder panel for Mirax offers options to package payloads with crypters such as Virbox and Golden Crypt, Cleafy said.

What Mirax can do on a device

Once installed, Mirax poses as a video player. It asks victims to enable installation from unknown sources and to grant accessibility permissions. Cleafy said the malware then runs in the background, shows fake errors, and displays overlays to hide its activities.

The RAT can take screenshots, capture keystrokes, steal photos, log calls, run commands, and monitor user activity. Cleafy said Mirax can dynamically fetch HTML overlay pages from a command-and-control server to phish credentials inside real apps.

On top of those features, Mirax sets up multiple bidirectional C2 channels. Cleafy described the channels as:

  • WebSocket on port 8443 for remote access and commands.
  • WebSocket on port 8444 for streaming and data exfiltration.
  • WebSocket on port 8445 or a custom port to create a SOCKS5 residential proxy.
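
A defender-side check for the channel layout listed above, added here as an example and not taken from Cleafy's report: it correlates WebSocket flows per device and destination host, because a single WebSocket connection on port 8443 is too common to flag alone. The log format, device names, IP addresses, and the rule that an extra WebSocket port on the same host stands in for the custom proxy port are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow log (not real telemetry): time,device,dst_ip,dst_port,app_proto
SAMPLE_FLOWS = """\
2026-04-07T10:00:01,phone-a,203.0.113.10,8443,websocket
2026-04-07T10:00:03,phone-a,203.0.113.10,8444,websocket
2026-04-07T10:00:09,phone-a,203.0.113.10,8445,websocket
2026-04-07T10:01:00,phone-b,198.51.100.7,8443,https
2026-04-07T10:02:00,phone-c,192.0.2.55,8443,websocket
2026-04-07T10:02:02,phone-c,192.0.2.55,8444,websocket
2026-04-07T10:02:05,phone-c,192.0.2.55,9001,websocket
2026-04-07T10:03:00,phone-d,192.0.2.80,8443,websocket
"""

COMMAND_PORT = 8443        # remote access and commands (per the list above)
STREAM_PORT = 8444         # streaming and data exfiltration
DEFAULT_PROXY_PORT = 8445  # SOCKS5 proxy channel; may be a custom port instead

def parse_flows(text):
    """Yield (device, dst_ip, dst_port) for well-formed WebSocket flows only."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) == 5 and row[4].lower() == "websocket" and row[3].isdigit():
            yield row[1], row[2], int(row[3])

def find_channel_sets(text):
    """Return {(device, dst_ip): label} where 8443 and 8444 go to the same host."""
    ports = defaultdict(set)
    for device, dst_ip, port in parse_flows(text):
        ports[(device, dst_ip)].add(port)
    findings = {}
    for key, seen in ports.items():
        if not {COMMAND_PORT, STREAM_PORT} <= seen:
            continue  # one matching port alone is not enough to report
        extra = seen - {COMMAND_PORT, STREAM_PORT}
        if DEFAULT_PROXY_PORT in extra:
            findings[key] = "8443+8444+8445"
        elif extra:
            # Assumption: a third WebSocket port on the same host is the custom proxy port.
            findings[key] = "8443+8444+custom:%d" % min(extra)
        else:
            findings[key] = "8443+8444"
    return findings

if __name__ == "__main__":
    for (device, dst), label in sorted(find_channel_sets(SAMPLE_FLOWS).items()):
        print(device, dst, label)
```

A match is a lead for triage rather than a verdict, since legitimate services also use these ports.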

Why the proxy feature matters

Cleafy highlighted that integrating a SOCKS proxy with a RAT is unusual. “This convergence of RAT and proxy capabilities reflects a broader shift in the threat landscape,” the firm said. Historically, attackers used compromised IoT devices or cheap Android hardware to run proxy farms. Mirax brings that function into a full-featured mobile RAT, increasing the value of each infection.

That value translates into multiple criminal uses,