{
	"id": "ea092972-a585-43f4-a370-fa82b4abb41f",
	"created_at": "2026-04-23T02:54:21.198757Z",
	"updated_at": "2026-04-25T02:18:56.813611Z",
	"deleted_at": null,
	"sha1_hash": "75c1aebf35288201ca32db8352278e9b94e5c353",
	"title": "Mirax: a new Android RAT turning infected devices into potential residential proxy nodes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6205949,
	"plain_text": "Mirax: a new Android RAT turning infected devices into potential\r\nresidential proxy nodes\r\nBy Alessandro Strino, Federico Valentini\r\nArchived: 2026-04-23 02:27:34 UTC\r\nKey Points\r\nNew MaaS spreading: Mirax has emerged as a sophisticated Malware-as-a-Service (MaaS) offering,\r\nspecifically targeting Android devices across Europe. It is actively marketed and distributed through\r\nunderground malware forums. At the time of writing, the Cleafy Threat Intelligence Team has seen multiple\r\ncampaigns targeting Spanish-speaking countries and reaching over 200,000 accounts through Meta\r\nadvertisements.\r\nRemote Access functionalities \u0026 Dynamic HTML Overlays: Mirax integrates advanced Remote Access\r\nTrojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real time.\r\nThis includes executing commands, navigating the user interface, and monitoring activity. A key feature is\r\nits use of dynamically fetched HTML overlays from its command-and-control (C2) infrastructure, which\r\nare rendered over legitimate applications.\r\nExpanding RAT with Residential Proxy: Beyond traditional RAT behavior, Mirax enhances its\r\noperational value by turning infected devices into residential proxy nodes. Leveraging SOCKS5 protocol\r\nsupport and Yamux multiplexing, it establishes persistent proxy channels that allow attackers to route their\r\ntraffic through the victim’s real IP address. This capability enables operators to bypass geolocation-based\r\nrestrictions, evade fraud detection systems, and conduct malicious activities (such as account takeovers or\r\ntransaction fraud) with increased anonymity and legitimacy.\r\nKeylogging \u0026 Keyguard exfiltration: Mirax incorporates comprehensive surveillance features, including\r\ncontinuous keylogging to capture all user input across applications. 
In addition, it gathers detailed\r\ninformation about the device’s keyguard (lock screen), including PIN length, pattern structure, and\r\nbiometric usage.\r\nExecutive Summary\r\nMirax is a newly identified Android Remote Access Trojan (RAT) and banking malware that has rapidly gained\r\ntraction within the cybercriminal ecosystem. Publicly promoted on underground forums since December 19, 2025,\r\nit has been actively monitored by the Cleafy Threat Intelligence team since March 2026, when multiple\r\ncampaigns targeting primarily Spanish-speaking regions were observed. Unlike typical MaaS offerings,\r\nMirax is distributed through a highly controlled and exclusive model, limited to a small number of affiliates.\r\nAccess appears to be prioritized for Russian-speaking actors with established reputations in underground\r\ncommunities, indicating a deliberate effort to maintain operational security and campaign effectiveness.\r\nFrom a capability standpoint, Mirax represents a significant evolution beyond traditional Android banking trojans.\r\nWhile retaining core RAT functionalities, it introduces a more structured, commercially driven “business model”\r\nhttps://www.cleafy.com/cleafy-labs/mirax-a-new-android-rat-turning-infected-devices-into-potential-residential-proxy-nodes\r\nPage 1 of 23\n\nfeaturing tiered subscription plans and ongoing feature development. One of its most notable innovations is the\r\nintegration of SOCKS-based residential proxy functionality directly into the malware. This allows infected\r\ndevices to be repurposed as proxy nodes, enabling threat actors to route malicious traffic through legitimate\r\nresidential IP addresses and thereby evade geolocation restrictions and fraud detection mechanisms.\r\nThis convergence of RAT and proxy capabilities reflects a broader shift in the threat landscape. 
While residential\r\nproxy abuse has historically been associated with compromised IoT devices and low-cost Android hardware such\r\nas smart TVs, Mirax marks a new phase by embedding this functionality within a full-featured banking\r\ntrojan. This approach not only increases the monetization potential of each infection but also expands the\r\noperational scope of attackers, who can now leverage compromised devices for both direct financial fraud and as\r\ninfrastructure for wider cybercriminal activities.\r\nHow Mirax is Distributed\r\nMirax distribution consists of multiple stages that reveal an interesting trend followed by other affiliates and threat\r\nactors. The dropper pages are promoted through Meta advertisements. The victims are lured to click ads appearing\r\non their social media applications (Facebook, Instagram, Messenger, Threads, …) and to download the malicious\r\ndropper. All the URLs implement multiple checks to verify that they are accessed from mobile devices, to prevent\r\nautomated scans from revealing their nature. The droppers are hosted using GitHub releases, with different backup\r\nlinks and daily package updates. Upon successful installation, the dropper unpacks itself and installs the malicious\r\npayload. It leverages commercial-grade obfuscation via Golden Encryption (aka GoldCrypt) and starts operating\r\nvia WebSockets.\r\nFigure 1 - Mirax attack chain overview\r\nThe delivery websites are promoted through Meta Ads (Facebook and Instagram). This distribution vector has\r\nbecome a common choice for Android banking trojans, enabling threat actors to reach a large audience quickly\r\nand with less effort. 
Furthermore, the choice of decoy, an illegal sports streaming application, reveals a clear\r\nunderstanding of the target demographic: since these apps are not available on the Google Play Store, users are\r\nalready conditioned to sideload APKs from unknown sources, which makes social engineering much easier.\r\nThe dropper is distributed via phishing websites claiming to offer IPTV application services. Downloads are\r\nrestricted to mobile devices, enforced by checking specific HTTP headers and parameters.\r\nFigure 2 - Device checks on installation\r\nThe analysis showed that the ads had collectively reached more than 200,000 accounts, as reported in the next\r\nFigure:\r\nFigure 3 - Meta Advertisement reach\r\nOne interesting aspect of this delivery campaign is the abuse of GitHub for hosting the dropper applications.\r\nThe affiliates leverage the Releases page to distribute and update their applications. Notably, new updates are\r\npushed to pre-existing releases rather than creating new ones, likely as an evasion technique to hinder automated\r\ncrawlers from easily retrieving fresh samples. The analysis revealed that while the samples' hashes changed daily,\r\nthe application content remained unchanged, suggesting automated repacking or signature rotation to evade hash-based detection. Over the observed period, the Releases page contained multiple applications, starting with five\r\nand growing to over ten as the campaign matured.\r\nFigure 4 - GitHub releases pages\r\nAdditional campaigns were observed leveraging different decoy themes, including IoT utilities and NSFW\r\napplications. 
However, the sports streaming campaign analyzed in this report provided the most comprehensive\r\nset of indicators and operational insights.\r\nTechnical Analysis\r\nBuilder Configuration\r\nMirax's installation procedure is quite common in modern Android malware: it follows a two-stage process and\r\nuses a dropper to hide the actual malware and its aggressive permission requests. Thanks to the documentation\r\nreleased by the malware developers, it was possible to confirm the infection chain. In the malware documentation,\r\nthey provided multiple screenshots that describe the builder's features, specify the different options for the\r\ndropper, and show the final implant. Please note that some of the following screenshots are taken directly from the\r\nmalware documentation page.\r\nFigure 5 - Builder features\r\nOne interesting section of the documentation explains the different packer options that the builder offers: Virbox\r\nand Golden Encryption. While the former is easy to detect thanks to multiple indicators in the code, Golden\r\nEncryption (also known as Golden Crypt) is not well documented but is widely used and promoted on\r\nunderground malware forums. This packer was also used in Albiriox, and the Cleafy team noted that the samples\r\nanalyzed in this campaign follow the same unpacking patterns. Although this information could not be confirmed\r\nwith full certainty, it can be reasonably assumed that the packer detailed below is Golden Crypt. 
The analysis will\r\ncontain a description of this packer and its indicators.\r\nFigure 6 - Mirax packers\r\nMoreover, the image below shows a section of the builder, confirming that the malware loads a WebView with a\r\ncustom HTML page when Accessibility Services have been granted, as observed during analysis.\r\nFigure 7 - Launch section of the builder\r\nCode Analysis\r\nMirax implements a multi-step unpacking flow that attempts to hide malicious code via .dex dynamic loading and\r\nobfuscation. The packer used in the samples analyzed can be attributed to GoldCrypt, based on information\r\nprovided by the malware developers and on similarities with other families that use the same techniques.\r\nThe dropper disguises itself as an IPTV application. The application requires the user to enable installation from\r\nUnknown Sources to install the final implant. This page is loaded in a WebView, as reported in the following\r\nFigure.\r\nFigure 8 - Front door page of the dropper\r\nThe extraction of the final malware payload is a sophisticated, multi-stage operation engineered specifically to\r\nbypass conventional security analysis and automated sandboxing tools.\r\nThe dropper Android Package (APK) does not contain the malicious code in the code section. Instead, it holds an\r\nencrypted Dalvik Executable (.dex) file. 
The payload is hidden inside a file with a valid asset extension, loaded,\r\nand decrypted using RC4 and a hardcoded key.\r\nFigure 9 - Decryption logic\r\nThis encapsulated file is strategically buried deep within the APK's directory structure. A key component of the\r\nevasion technique is the use of an obfuscated, deeply nested folder path whose names contain uncommon\r\ncharacters. This specific technique aims to confound static analysis tools, making the encrypted payload difficult\r\nto locate and extract.\r\nThe extraction process is initiated upon the application's execution. The dropper application component is\r\nprogrammed to locate the encrypted .dex file from its hidden location within the obscure folder structure. Once\r\nlocated, the file is extracted from the APK container and prepared for decryption.\r\nThe core decryption mechanism uses the RC4 stream cipher. The cryptographic key is embedded directly within\r\nthe application's class. The extracted and encrypted .dex file is fed through the RC4 routine using this embedded\r\nkey, resulting in the plain-text, fully functional final .dex payload.\r\nAfter successful decryption, the malicious .dex file contains the complete set of instructions to extract and install\r\nthe final .apk file, contained in the res/raw/ folder. This file is encrypted using XOR with a hardcoded key in\r\nBuildConfig; the dropper decrypts the payload and proceeds with the installation. The malware developers claim\r\nthat the final APK (the implant) may also be delivered from a remote server. This is also confirmed by the\r\napplication's code: the configuration file contains a variable called IMPLANT_DOWNLOAD_URL that may\r\ncontain this information. 
In the campaigns analyzed, this functionality was not active, and the implant was\r\nembedded inside the dropper application.\r\nFigure 10 - XOR decryption key\r\nWhen the malware is installed, it masquerades as a video playback utility and prompts the user to enable\r\nAccessibility Settings.\r\nFigure 11 - Malware entry point\r\nThe malware extraction uses the same packing technique as the dropper (.dex extraction and decryption). When\r\nAccessibility services are enabled, the malware starts running in the background and displays a custom HTML\r\npage to the user, indicating that installation was not successful. Moreover, it leverages black overlays to disable\r\nsecurity features and establish persistence.\r\nFigure 12 - HTML pages and overlay\r\nMirax RAT Functionalities\r\nBy analyzing the malware's source code and available documentation, it is possible to identify a list of commands\r\nused to remotely control the device, exfiltrate data, and spy on victims. An overview of the main features is listed\r\nbelow.\r\nFigure 13 - Remote console commands\r\n1. 
HTML Overlay Injection / Black Screen Overlay / Notification: One of the malware's core features is\r\nthe ability to inject malicious HTML/JS overlays over legitimate applications to steal credentials and other\r\nsensitive data from users. The malware also allows showing notifications coming from specific app\r\npackages.\r\n2. Screen Capture \u0026 VNC: These commands allow the attacker to view the screen in real time and control\r\nthe device remotely.\r\n3. System Navigation \u0026 UI Control: These commands leverage Accessibility Services to perform\r\nnavigation actions on the device.\r\n4. App Management: The malware manages the device's applications, uninstalling those that may detect it or\r\nprevent its uninstallation.\r\n5. Spyware \u0026 Data Exfiltration: The malware's capabilities include spyware modules that attempt to\r\nexfiltrate text data and camera images from the victim's device.\r\n6. SOCKS5 Proxy: The malware also allows the operator to start a SOCKS5 proxy connection from the\r\ninfected device and transform it into a residential proxy node.\r\nC2 Communication\r\nThe malware uses two (or three, if a residential proxy is enabled) distinct WebSocket connections to manage\r\nremote activities and data exfiltration. More specifically:\r\nWebSocket on port 8443, endpoint /control, is used to manage remote access and execute remote\r\ncommands.\r\nWebSocket on port 8444, endpoint /data, is used to manage remote streaming and data exfiltration.\r\nWebSocket on port 8445 (or custom), endpoint /tunnel (or custom), is used to set up the residential proxy\r\nusing SOCKS5. 
This connection is made directly to a specific relay server owned by the operators.\r\nThe malware's documentation explicitly states that it uses a C2 Gate server, acting as a proxy between infected\r\ndevices and the affiliates' true C2 servers. As a result, all the analyzed samples from the campaign contact the\r\nsame domain, and the gate server can then redirect traffic accordingly.\r\nC2 communication via WebSockets is bidirectional: the target phone periodically sends information about the\r\ndevice's status and the installed malware. The server, on the other hand, can push various commands to activate\r\nfunctionalities, retrieve specific information, or load different configurations. For example, the server can push\r\nnew HTML templates based on the installed applications and start collecting passwords and app PINs. This\r\nbehavior makes it difficult to retrieve the complete list of all the target applications. Nevertheless, based on the\r\nserver response, the total number of targeted applications is 182 (and growing over time). It was possible to\r\nretrieve HTML overlays for multiple Spanish banking applications and Crypto applications. The list is included in\r\nthe Appendix.\r\n{\r\n\"type\":\"installed_apps_response\",\r\n\"commandId\":\"getInstalledApps_1773840323864_y2smk1x64\",\r\n\"timestamp\":1773840331121,\r\n\"success\":true,\r\n\"total_apps_count\":182,\r\n\"launcher_apps_detected\":21,\r\n\"returned_apps_count\":21,\r\n\"user_apps_count\":5,\r\n\"system_apps_count\":16,\r\n\"filtered_apps_count\":0,\r\n\"apps\":[{\"app_name\":\r\n...\r\n],\r\n...\r\n}\r\nThe malware supports multiple languages, but the developers explicitly state that this Trojan is incompatible with\r\nCIS countries due to app restrictions that prevent it from functioning correctly. 
The campaign analyzed in this\r\narticle targets Spanish-speaking individuals. By analyzing the reach of the Meta ads, the sole target country\r\nappears to be Spain, but this RAT is rapidly expanding, and future campaigns may target other countries. The list\r\nof available languages is shown in the Appendix.\r\nResidential Proxy Capabilities within a RAT\r\nDuring the analysis of the malware, the developers’ communication channel (Telegram channel) guided the\r\ninvestigation and provided useful information regarding the updates and improvements made to Mirax. An update\r\nto the software introduced new capabilities, accompanied by a revised pricing structure. Notably, one of the most\r\npeculiar new features allows the creation of a SOCKS5 proxy that routes traffic from the compromised device to a\r\ndesignated server. Moreover, they used a custom implementation of Yamux multiplexing over the WebSocket-based channel, allowing multiple connections through a single channel. As a result, the malware operator would\r\nhave been able to establish a residential proxy connection between the phone and their server, and use it to spoof\r\ntheir IP addresses, masking their malicious activities and expanding the attack surface to targets beyond the\r\nmobile device.\r\nFigure 14 - Residential proxy classes\r\nThe phenomenon of residential proxies has received more attention recently (Google, Trend Micro, Nokia), thanks to\r\nthe number of IoT devices connected to the internet that could consume network bandwidth and be transformed\r\ninto botnets. The Android ecosystem is particularly susceptible to this type of exploitation due to the large number\r\nof low-cost IoT devices, such as inexpensive Android TVs, that are often sold with lax security protocols. These\r\ndevices are ideal targets for use as residential proxy nodes. 
Residential proxy functionality can also be embedded via third-party SDKs bundled into pirated software or free VPN applications. An attacker can pay to gain access to these\r\nnodes and use the bandwidth to access the internet from a reputable IP address or, in some cases, exploit the\r\nability to access the local network to discover vulnerable devices connected to it, perform lateral movement, and\r\nexpand their attack surface.\r\nBeyond the rise of residential proxies in the context of IoT devices, the introduction of this functionality into a\r\nmalware RAT like Mirax is a novelty that warrants attention. While the analysis did not reveal any use of this\r\nfunctionality, it is still valuable to consider the motivations behind adding it to a RAT and the implications for\r\nhighly targeted sectors like banks and similar institutions. An attacker who obtains access to the mobile device via\r\na RAT infection could leverage its persistence beyond its well-known functionalities and use it as an exit node to\r\naccess the internet via a reputable IP address, which could lead to multiple attacks, such as password spraying and\r\nDDoS. Another interesting case is when the victim refuses to use Accessibility services but keeps the app\r\ninstalled. In this case, the app still needs to function in the background, but obtaining this permission is easier. In\r\nthis scenario, the attack would not be completely successful, but the operators may still gain some value from it.\r\nConclusions\r\nThe analysis of the Mirax Remote Access Trojan (RAT) highlights several interesting points concerning the\r\nevolution of modern Android malware. The promotion on underground forums shifted from a broad MaaS to a\r\n“private MaaS” model, restricting the distribution to trusted parties. 
As a result, the malware could remain\r\nundercover for a longer period without risking any unwanted leaks.\r\nThe campaign analyzed in this article revealed that threat actors are effectively abusing legitimate platforms to\r\npromote, host, and distribute malware, reaching hundreds of thousands of accounts in a short period of time.\r\nMoreover, these platforms allow malware distributors to continuously push new advertisements without risk of\r\nbeing caught, thanks to multiple header checks that prevent automated services from reaching the true delivery\r\npages and to cycling through multiple samples to bypass hash-based checks.\r\nThe introduction of SOCKS5 and residential proxy functionality into an Android RAT is groundbreaking for\r\nseveral reasons. Firstly, malware developers recognize the profitability of residential proxies, as they can obscure\r\nthe origin IP address, making it appear to originate from legitimate subnets. Furthermore, a residential proxy\r\napplication needs fewer permissions than a Remote Access Trojan (RAT). This reduced requirement allows the\r\nthreat actor to deploy it even if the full infection process is incomplete. 
Consequently, the actor avoids losing these\r\ndevices entirely and can maintain their inclusion in the botnet.\r\nAppendix - IOCs\r\nAPKs\r\nSHA 256 | Name | Package | Description\r\n53de68ebec281e7233bffc52199b22ec2dba463eec3b29d4c399838e18daecbf | StreamTV | org.lgvvfj.pluscqpuj | Dropper\r\n88e6e4a5478a3ee7bfdfc5e7614ae6f3f121e0d470741a9cc84a111fe9b266db | Reproductor de video | org.yjeiwd.plusdc71 | Malware\r\n759eed82699b86b6a792a63ccc76c2fa5ed71720b89132abdead9753f5d7bd11 | StreamTV | org.dawme.secure5ny | Dropper\r\n29577570d18409d93fa2517198354716740b19699eb5392bfaa265f2f6b91896 | Reproductor de video | org.azgaw.managergst1d | Malware\r\nNetwork\r\nIoC | Type | Description\r\ndescarga-smtr[.]net | Domain | Delivery Page\r\nilovepng[.]info | Domain | C2\r\nwss://ilovepng[.]info:8443/control | URL | C2 real-time commands\r\nwss://ilovepng[.]info:8444/data | URL | C2 exfiltration\r\nC2 Commands\r\nCommand | Description\r\naddExternalHtmlTemplate | Adds an external HTML overlay template.\r\naddHtmlInjectionConfig | Binds a target package to an HTML overlay.\r\nback | Simulates pressing the Back button to navigate to the previous screen.\r\nblackScreen | Toggles a \"black screen overlay\" to hide malicious activity from the user.\r\nblackScreen_unlock | Removes the black screen overlay and restores normal view.\r\nblackScreen_updating | Displays a fake updating message on the black overlay.\r\nblockApp | Blocks the user from opening a specific application.\r\ncamera_status | Gets the status of the camera.\r\ncheckExternalTemplateExists | Checks if a template exists locally.\r\ncollectSmsNow | Triggers an immediate upload of all stored SMS messages.\r\ndisableHtmlInjection | Disables the 
phishing overlay system.\r\ndisableNeverSleep | Restores normal screen timeout behavior.\r\ndisableUninstallProtection | Disables the anti-uninstallation protection.\r\nenableHtmlInjection | Enables the overlay system for phishing/credential theft.\r\nenableNeverSleep | Forces the device screen to stay on indefinitely.\r\nenableUninstallProtection | Prevents the user from uninstalling the malware.\r\nforceReconnect | Forces the malware to reconnect to its Command \u0026 Control server.\r\ngetBlockedApps | Gets the list of blocked applications.\r\ngetAvailableCameras | Gets the list of available cameras.\r\ngetCameraStatus | Reports whether the camera service is currently active.\r\ngetClipboard | Retrieves the current content of the system clipboard.\r\ngetDeviceState | Collects system metadata (battery, network, OS version).\r\ngetExternalTemplatesList | Gets the list of templates stored in the external memory.\r\ngetExternalTemplatesPath | Gets the path of the templates stored in the external memory.\r\ngetHtmlInjectionStatus | Gets the status of the HTML injection engine.\r\ngetHtmlTemplates | Lists available phishing templates stored locally.\r\ngetInstalledApps | Retrieves a list of all applications installed on the device.\r\ngetKeyguardInfo | Reports the current lock screen configuration (PIN, Pattern).\r\ngetLockStatus | Gets the type and status of the device lock screen.\r\ngetPermissions | Reports the status of various Android permissions.\r\ngetSmsPermissions | Gets the status of SMS permissions.\r\ngetSmsStatus | Gets the status of the SMS collection engine.\r\ngetVncScreenSharingStatus | Gets the status of the VNC screen sharing engine.\r\nhome | Simulates pressing the physical Home button to return to the home screen.\r\nlayout_updates_restart | Restarts screen update monitoring.\r\nlayout_updates_start | Starts sending details of the screen 
data as JSON to the C2.\r\nlayout_updates_stop | Stops sending screen data updates.\r\nlistCameras | Lists all camera sensors available on the device.\r\nlockDevice | Immediately locks the device screen.\r\nmute | Toggles the device audio to mute to hide notification sounds.\r\nopenApp | Launches a specific application by its package name.\r\nping | Heartbeat mechanism.\r\nrecents | Simulates pressing the Recent Apps button to show the app switcher.\r\nremoveExternalHtmlTemplate | Removes an HTML template stored in the external memory.\r\nremoveHtmlInjectionConfig | Removes a phishing target configuration.\r\nrequestPermission | Triggers a system dialog to request a specific permission.\r\nrescanHtmlTemplates | Rescans storage for new or manually updated phishing templates.\r\nresetHtmlInjectionCounters | Resets the counter of the overlays stored.\r\nresetLockCaptured | Restarts the lock screen capturing engine.\r\nsetClipboard | Sets the system clipboard with provided text.\r\nsetLockType | Sets the type of fake lock screen to show to the victim.\r\nshowNotification | Shows a notification.\r\nsocks5_enable | Starts/Stops the residential proxy connection.\r\nsocks5_status_request | Gets the status of the residential proxy.\r\nstartCamera | Activates the background camera to capture photos or video.\r\nstartScreenSharing | Starts capturing and streaming the device screen to the C2 server.\r\nstartSmsCollection | Starts the service that intercepts and uploads SMS messages.\r\nstartVncScreenSharing | Starts a VNC-based interactive screen sharing session.\r\nstopAllScreenSharing | Stops all screen sharing (standard and VNC).\r\nstopCamera | Deactivates the background camera service.\r\nstopScreenSharing | Stops the active screen sharing session.\r\nstopSmsCollection | Stops the SMS interception service.\r\nstopVncScreenSharing | Stops the VNC screen sharing 
session.\r\nswipe | Performs a remote \"swipe\" gesture between two points.\r\nswitchClient |\r\ntap | Performs a remote \"tap\" gesture at specific (x, y) coordinates.\r\ntestHtmlInjection | Manually triggers a phishing overlay for a specific app.\r\nunblockApp | Unblocks a previously restricted application.\r\nuninstallPackage | Attempts to uninstall a specific app.\r\nunlockDevice | Attempts to unlock the device screen using stored or captured credentials.\r\nupdateExternalHtmlTemplate | Updates an existing HTML overlay stored in the external memory.\r\nwakeDevice | Wakes up the device screen and brings it out of sleep mode.\r\nTarget Countries (Languages)\r\nLanguage\r\nChinese\r\nItalian\r\nGerman\r\nIsraeli\r\nHungarian\r\nJapanese\r\nPolish\r\nPortuguese\r\nSpanish\r\nSlovenian\r\nFrench\r\nSource: https://www.cleafy.com/cleafy-labs/mirax-a-new-android-rat-turning-infected-devices-into-potential-residential-proxy-nodes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/mirax-a-new-android-rat-turning-infected-devices-into-potential-residential-proxy-nodes"
	],
	"report_names": [
		"mirax-a-new-android-rat-turning-infected-devices-into-potential-residential-proxy-nodes"
	],
	"threat_actors": [],
	"ts_created_at": 1776912861,
	"ts_updated_at": 1777083536,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75c1aebf35288201ca32db8352278e9b94e5c353.pdf",
		"text": "https://archive.orkl.eu/75c1aebf35288201ca32db8352278e9b94e5c353.txt",
		"img": "https://archive.orkl.eu/75c1aebf35288201ca32db8352278e9b94e5c353.jpg"
	}
}