Mirax RAT, also tracked as Mirax Bot, is an emerging Android remote access Trojan first spotted in early March 2026 by Outpost24's KrakenLabs. It has targeted users in Spanish-speaking countries and is distributed through fraudulent advertisements on Meta-owned platforms, including Facebook, Instagram, Messenger, and Threads. The ads lure victims to web pages hosting dropper apps; GitHub has also been used to host malicious APKs. The infection flow is described as a multi-stage operation built for evasion: it relies on social engineering to persuade users to allow installation from unknown sources and to enable Android accessibility services, with the malicious prompts disguised as part of a video playback feature.
Once installed, Mirax gives the operator real-time interaction with the infected device. It supports command execution, user activity monitoring, keystroke capture, theft of photos and other data, theft of lock screen details, credential theft via overlays placed over legitimate apps, and fake notifications that appear to come from legitimate applications. It can also turn the compromised device into a residential proxy node: it speaks SOCKS5 and uses Yamux multiplexing to carry several proxy channels over a single connection, so the operators' traffic exits from the victim's IP address.
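The proxy capability described above rests on two well-documented protocols, Yamux (a stream multiplexer with a fixed 12-byte frame header) and SOCKS5. The parser below is an added example, not code from the page or from either vendor's reporting: it validates a byte buffer as a sequence of Yamux frames, lists which streams were opened, and flags any Data frame whose payload is a SOCKS5 client greeting. The sample session is constructed for illustration and does not represent captured Mirax traffic; if the real channel is wrapped in TLS, this only helps on decrypted or sandbox captures.

```python
import struct

# Yamux frame header (hashicorp/yamux spec): version, type, flags,
# stream id, length; all fields big-endian.
HEADER = struct.Struct(">BBHII")
TYPES = {0: "Data", 1: "WindowUpdate", 2: "Ping", 3: "GoAway"}
SYN, ACK, FIN, RST = 0x1, 0x2, 0x4, 0x8


def build_frame(ftype, flags, stream_id, length, payload=b""):
    """Encode one frame. Only Data frames carry a payload; for the other
    types 'length' is a window delta, a ping value or a GoAway error code."""
    return HEADER.pack(0, ftype, flags, stream_id, length) + payload


def parse_yamux(buf):
    """Parse buf as consecutive Yamux frames. Returns (frames, fully_valid)."""
    frames, off = [], 0
    while off + HEADER.size <= len(buf):
        ver, ftype, flags, sid, length = HEADER.unpack_from(buf, off)
        if ver != 0 or ftype not in TYPES or flags & ~0xF:
            return frames, False
        if ftype in (2, 3) and sid != 0:      # Ping and GoAway are session-level
            return frames, False
        off += HEADER.size
        payload = b""
        if ftype == 0:
            if off + length > len(buf):       # truncated Data frame
                return frames, False
            payload = buf[off:off + length]
            off += length
        frames.append({"type": TYPES[ftype], "flags": flags, "stream": sid,
                       "length": length, "payload": payload})
    return frames, bool(frames) and off == len(buf)


def is_socks5_greeting(payload):
    """RFC 1928 client greeting: VER=5, NMETHODS, then that many method bytes."""
    return len(payload) >= 3 and payload[0] == 5 and len(payload) == 2 + payload[1]


def summarize(buf):
    """Triage view of one direction of a captured channel."""
    frames, ok = parse_yamux(buf)
    opened = sorted({f["stream"] for f in frames
                     if f["flags"] & SYN and f["type"] in ("Data", "WindowUpdate")})
    socks = sorted({f["stream"] for f in frames
                    if f["type"] == "Data" and is_socks5_greeting(f["payload"])})
    return {"yamux": ok, "frames": len(frames),
            "opened_streams": opened, "socks5_streams": socks}


# Constructed sample (hypothetical, not captured Mirax traffic): one side opens
# stream 1, sends a SOCKS5 no-auth greeting on it, then a keepalive ping.
SAMPLE = (build_frame(1, SYN, 1, 0)
          + build_frame(0, 0, 1, 3, b"\x05\x01\x00")
          + build_frame(2, SYN, 0, 0x1234))

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(summarize(b"GET / HTTP/1.1\r\n\r\n"))
```

The header check is deliberately strict (version 0, four known types, four known flag bits, stream 0 for Ping and GoAway) so that ordinary plaintext protocols fail on the first frame rather than producing partial matches.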
Reporting on Mirax comes from KrakenLabs and Cleafy. KrakenLabs observed Mirax Bot being advertised on illicit forums as a private malware-as-a-service offering. Cleafy assessed the operation as tightly controlled and limited to a small number of affiliates, with access reportedly reserved for reputable Russian-speaking cybercriminals. Reported pricing was $2,500 for a three-month subscription, with a lower-feature variant offered at $1,750 per month. The operation also offered crypter options named Virbox and Golden Crypt.
11 distinct techniques documented for this family, organized by ATT&CK tactic.
The dropper Android Package (APK) does not contain the malicious code in the code section. Instead, it holds an encrypted Dalvik Executable (.dex) file... loaded, and decrypted using RC4 and a hardcoded key.
The payload is hidden inside a file with a valid asset extension, loaded, and decrypted using RC4 and a hardcoded key... This file is encrypted using XOR with a hardcoded key in BuildConfig.
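The two technique excerpts above describe the same staging trick: the APK's classes.dex is only a stub, and the real DEX sits under an innocuous asset name, encrypted with RC4 (hardcoded key) or repeating-key XOR (key in BuildConfig). The triage script below is an added example, not code from the page or from either vendor: it walks an APK, tries candidate keys pulled from the decompiled loader against every non-code entry, and, for short XOR keys, recovers the key directly from the known DEX magic bytes without any key at all. The keys, file names and the stand-in DEX are constructed for the demonstration and are not indicators from a Mirax sample.

```python
import io
import zipfile

# Constructed sample key material: hypothetical values, not keys from any Mirax sample.
RC4_KEY = b"MiraxDemoKey-2026"
XOR_KEY = b"k3y!"

# Constructed stand-in for a DEX payload: real DEX files start with
# b"dex\n" + three version digits + NUL (e.g. "dex\n035\0"); the body here is junk.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 56 + b"A" * 64


def looks_like_dex(data: bytes) -> bool:
    """Check the 8-byte DEX magic: 'dex\\n' + '0' + two digits + NUL."""
    return (len(data) >= 8 and data[:5] == b"dex\n0"
            and data[5:7].isdigit() and data[7] == 0)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_repeating(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, symmetric like RC4."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def recover_xor_key(ct: bytes, key_len: int):
    """Known-plaintext recovery for a repeating XOR key of up to 5 bytes: the first
    five plaintext bytes of any DEX are 'dex\\n0', so key[i] = ct[i] ^ known[i].
    Returns None unless the candidate actually decrypts to a DEX header."""
    known = b"dex\n0"
    if key_len < 1 or key_len > len(known) or len(ct) < 8:
        return None
    key = bytes(ct[i] ^ known[i] for i in range(key_len))
    return key if looks_like_dex(xor_repeating(key, ct[:8])) else None


def scan_apk(apk_bytes: bytes, candidate_keys) -> list:
    """Report every APK entry that is, or decrypts to, a DEX file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            base = name.rsplit("/", 1)[-1]
            if base.startswith("classes") and base.endswith(".dex"):
                continue  # the declared code section, where the stub loader lives
            data = z.read(name)
            if looks_like_dex(data):
                hits.append({"entry": name, "method": "plaintext", "key": None})
                continue
            found = None
            for key in candidate_keys:
                # Decrypting only the first 8 bytes is enough to test the magic.
                if looks_like_dex(rc4(key, data[:8])):
                    found = ("rc4", key)
                elif looks_like_dex(xor_repeating(key, data[:8])):
                    found = ("xor", key)
                if found:
                    break
            if not found:
                for k in range(1, 6):
                    key = recover_xor_key(data, k)
                    if key:
                        found = ("xor (key recovered from DEX magic)", key)
                        break
            if found:
                hits.append({"entry": name, "method": found[0], "key": found[1]})
    return hits


def build_sample_apk() -> bytes:
    """Constructed dropper-style APK: stub classes.dex plus payloads under asset names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", FAKE_DEX)
        z.writestr("assets/intro.mp4", rc4(RC4_KEY, FAKE_DEX))
        z.writestr("assets/ui_font.ttf", xor_repeating(XOR_KEY, FAKE_DEX))
        z.writestr("assets/player.json", b'{"autoplay": true}')
    return buf.getvalue()


if __name__ == "__main__":
    # Only the RC4 key is supplied; the XOR key is recovered from the magic bytes.
    for hit in scan_apk(build_sample_apk(), [RC4_KEY]):
        print(hit)
```

Keys longer than five bytes cannot be recovered from the magic alone (the version digits at offsets 5 and 6 vary), which is why the script also accepts keys lifted from the decompiled loader or BuildConfig. On a real sample, extend the check beyond the header, for example by verifying the DEX header's file size field against the decrypted length, before trusting a hit.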
Android remote access trojan distributed via fraudulent Meta ads and malicious dropper pages. It captures keystrokes, steals photos and other data including lock screen details, runs commands, monitors user activity, uses overlay pages to steal credentials, and can convert infected devices into residential proxy nodes using SOCKS5 and Yamux-supported proxy channels.