Shadow Networks: How Mirax RAT Hijacks European Android Devices for Cybercrime
A new Android malware, Mirax RAT, is quietly conscripting thousands of European smartphones into criminal proxy networks and data theft campaigns.
On a quiet evening, thousands of Android users across Europe might have unknowingly become foot soldiers in a sprawling cybercrime operation. The culprit? Mirax RAT - a stealthy, adaptable malware that’s rewriting the rulebook for mobile threats. Promoted in the darkest corners of the web and distributed with surgical precision, Mirax is not just after your data - it wants your device itself, transforming it into a hidden tool for the cyber underground.
First spotted in underground forums in late 2025, Mirax has quickly evolved into a favored tool among a small, exclusive circle of Russian-speaking threat actors. Unlike typical one-off malware, Mirax operates as malware-as-a-service (MaaS), offering tiered subscription plans and regular updates to its affiliates. This business model ensures the threat remains fresh, agile, and widely distributed - yet hard to trace.
The infection chain begins with ads placed on Facebook, Instagram, and Messenger, luring users with promises of free IPTV streaming apps. Once a user clicks through, they are redirected to GitHub-hosted droppers - malicious installers masquerading as legitimate apps. Because these apps aren’t found on Google Play, victims must enable installation from unknown sources, unwittingly lowering their defenses.
Mirax’s technical sophistication is evident in its multi-layered obfuscation. Its payload is hidden within an encrypted Dalvik Executable (DEX) file, shielded by Golden Encryption and further protected by the RC4 cipher. Upon installation, the malware decrypts itself, slipping past traditional security checks.
Once embedded, Mirax grants attackers full remote access: they can watch the screen in real time, harvest credentials through overlay attacks, exfiltrate photos and texts, and even manipulate installed apps. But what sets Mirax apart is its ability to turn infected devices into residential proxy nodes using a SOCKS5 proxy layered over multiplexed WebSocket connections. This means every compromised phone can serve as a relay, disguising the origin of cybercriminal activity and making it harder for law enforcement to trace attacks.
While researchers have yet to observe this proxy feature in active use, its presence signals a worrying trend: mobile malware is no longer just about stealing data, but about weaponizing everyday devices for broader criminal operations. Financial institutions and high-value targets, in particular, may soon find themselves facing attacks that are harder to detect and attribute than ever before.
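As an added illustration of the SOCKS5-over-WebSocket relay described above (example code written for this article, not code from the Mirax sample or from any analysis report), the following Python walks a captured WebSocket stream and flags binary frames whose payload opens with an RFC 1928 SOCKS5 client greeting, the handshake a proxy node would relay. It assumes the SOCKS5 bytes sit at the start of a frame payload; any multiplexing header the real implant prepends is not described here, so a detector for live traffic would need that layout from the sample.

```python
import struct

SOCKS5_VERSION, OPCODE_BINARY = 0x05, 0x2

def _unmask(payload: bytes, mask: bytes) -> bytes:
    return bytes(b ^ mask[i % 4] for i, b in enumerate(payload))

def parse_ws_frame(data: bytes) -> tuple[int, bytes, int]:
    """Parse one RFC 6455 frame; return (opcode, unmasked payload, bytes consumed)."""
    if len(data) < 2:
        raise ValueError("truncated frame header")
    opcode, masked = data[0] & 0x0F, bool(data[1] & 0x80)
    length, offset = data[1] & 0x7F, 2
    if length == 126:                      # 16-bit extended length
        length, offset = struct.unpack(">H", data[2:4])[0], 4
    elif length == 127:                    # 64-bit extended length
        length, offset = struct.unpack(">Q", data[2:10])[0], 10
    mask = data[offset:offset + 4] if masked else b""   # client-to-server frames are masked
    offset += 4 if masked else 0
    payload = data[offset:offset + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return opcode, (_unmask(payload, mask) if masked else payload), offset + length

def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then NMETHODS method bytes."""
    if len(payload) < 3 or payload[0] != SOCKS5_VERSION:
        return False
    return payload[1] >= 1 and len(payload) >= 2 + payload[1]

def find_tunnelled_socks5(stream: bytes) -> list[int]:
    """Indexes of binary frames in a WebSocket stream whose payload opens with a SOCKS5 greeting."""
    hits, index, pos = [], 0, 0
    while pos < len(stream):
        opcode, payload, consumed = parse_ws_frame(stream[pos:])
        if opcode == OPCODE_BINARY and is_socks5_greeting(payload):
            hits.append(index)
        pos, index = pos + consumed, index + 1
    return hits

def make_frame(opcode: int, payload: bytes, mask: bytes = b"") -> bytes:
    """Build a short (<126 byte) FIN frame; masked when a 4-byte mask is given (constructed data)."""
    head = bytes([0x80 | opcode, (0x80 if mask else 0) | len(payload)])
    return head + mask + (_unmask(payload, mask) if mask else payload)

# Constructed sample: a masked text heartbeat from the device, then an unmasked binary frame
# from the server that opens with a "no authentication" SOCKS5 greeting (05 01 00).
SAMPLE_STREAM = make_frame(0x1, b"ping", b"\x12\x34\x56\x78") + make_frame(OPCODE_BINARY, b"\x05\x01\x00")
```

Run against a real capture, the hit list gives the frame positions worth inspecting; a single greeting is only a signal, since any legitimate tunnelling app could carry the same bytes.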
Mirax RAT’s emergence is a wake-up call for Android users and security professionals alike. As cybercriminals innovate, blending data theft with infrastructure hijacking, vigilance and robust mobile hygiene are more critical than ever. The next time an enticing app ad flashes on your screen, remember: in the world of mobile security, trust is a commodity in short supply.
WIKICROOK
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user's consent.
- SOCKS5 Proxy: A SOCKS5 proxy routes your internet traffic through a remote server, hiding your IP address and enhancing online privacy and access flexibility.
- APK Sideloading: APK sideloading is installing Android apps from sources other than Google Play Store, which can pose security risks if apps are not from trusted sources.
- Dalvik Executable (DEX): A Dalvik Executable (DEX) file holds Android app code. It's crucial for running, analyzing, and securing applications on Android devices.