Mirax
Intelligence Profile
Mirax is an Android RAT / banking trojan sold as a private Malware-as-a-Service since December 2025 by an actor using the moniker "Mirax Bot", advertised only to a small pool of predominantly Russian-speaking affiliates. It combines a conventional banking-trojan stack — HTML/JavaScript overlay injection against banking and cryptocurrency apps, Accessibility-Services abuse, HVNC, keylogging, SMS interception, and lock-screen (PIN / pattern / biometric) intelligence harvesting — with an integrated SOCKS5 residential-proxy module multiplexed with Yamux over the WebSocket C2 channel, which turns infected handsets into residential-IP proxy nodes for follow-on fraud. C2 traffic is routed through a C2 Gate server on three concurrent WebSocket channels (control on 8443, data/streaming on 8444, proxy tunnel on 8445). Observed campaigns rely on paid Meta ads impersonating IPTV and illegal sports-streaming apps that redirect to droppers hosted on GitHub Releases with daily-rotating hashes; the analysed campaign targeted Spanish-speaking users (Spain) and reached more than 220,000 accounts, though the platform's overlay inventory includes templates for German, French, Italian, Polish, Portuguese, and other European languages.
Threat Analysis
Mirax is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of financial.
Financially motivated threat actors like Mirax prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
With high sophistication, Mirax is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.