Mirax RAT Analysis: Android Devices Targeted for Proxy Node Abuse
- [01] Android users in Europe face device compromise as Mirax RAT converts mobile phones into residential proxy nodes for malicious traffic.
- [02] Mobile devices running Android are the primary targets, with distribution handled by Russian-speaking affiliates operating under a malware-as-a-service model.
- [03] Organizations must enforce strict application sideloading policies and utilize mobile threat defense solutions to detect and block malicious APK installations.
Overview of the Mirax RAT Campaign
A new campaign involving the Mirax Remote Access Trojan (RAT) is currently targeting Android users across Europe. According to SecurityWeek, this malware is being distributed through a Malware-as-a-Service (MaaS) model, specifically catering to a limited circle of affiliates. Most of these affiliates are identified as Russian speakers, suggesting a targeted or restricted distribution network rather than a widespread, indiscriminate campaign.
The primary objective of the Mirax RAT appears to be the silent co-opting of mobile hardware to facilitate secondary cybercriminal activities. While traditional RATs often focus on data exfiltration or financial theft, Mirax distinguishes itself by turning infected Android handsets into residential proxy nodes. This capability allows threat actors to route malicious traffic through legitimate consumer IP addresses, effectively masking their origin and complicating the efforts of security teams to distinguish between legitimate user traffic and malicious automation.
Technical Analysis: Turning Android Devices Into Proxies
The most significant technical feature of Mirax is its proxy-as-a-service functionality. By converting an infected device into a residential proxy, the attackers can sell access to the device’s internet connection on the dark web. This is a lucrative TTP because residential IPs are less likely to be blacklisted by web application firewalls and fraud detection systems compared to data center IPs.
When a device is compromised, it establishes a connection to a C2 server. This persistent connection allows the operator to tunnel traffic through the mobile device’s cellular or Wi-Fi connection. For the end-user, the only visible IoC might be increased data usage, battery drain, or a slight degradation in network performance. However, for a corporate SOC, the implications are severe: an employee’s mobile device could be used to launch attacks against other organizations, leading to potential legal and reputational risks for the employer.
How to Detect Mirax RAT Android Infection in Corporate Environments
To identify potential infections, security teams should monitor for unusual network behavior originating from mobile endpoints. Because Mirax operates as a proxy, it will likely maintain long-lived connections to unknown or suspicious C2 infrastructures. Integrating mobile telemetry into a SIEM can provide the visibility needed to identify these persistent outbound connections.
Defenders should look for high-volume data transfers occurring during off-hours, which may indicate the device is being used as a relay for external traffic. Furthermore, since the malware is typically delivered via phishing or social engineering, analyzing the installation source of APK files is a critical step in the detection process. Advanced EDR solutions for mobile, often referred to as Mobile Threat Defense (MTD), can flag the suspicious permissions required by Mirax to maintain its persistent proxy state.
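To make the two network indicators above concrete, here is an added example (not from the article or any vendor product) that scans constructed mobile-endpoint flow records for long-lived sessions to destinations outside an allow-list and for high-volume uploads starting in off-hours; the record format, allow-list and thresholds are assumptions.

```python
"""Flag mobile-endpoint flows matching the proxy-node indicators discussed:
long-lived outbound sessions to unknown destinations and large off-hours
uploads. Record format and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records from a hypothetical mobile telemetry export:
# device id, session start/end (ISO 8601), destination, bytes uploaded.
SAMPLE_FLOWS = [
    {"device": "android-17", "start": "2024-05-01T02:10:00", "end": "2024-05-01T08:40:00",
     "dst": "203.0.113.45:443", "bytes_out": 1_900_000_000},
    {"device": "android-17", "start": "2024-05-01T09:00:00", "end": "2024-05-01T09:00:20",
     "dst": "mdm.corp.example:443", "bytes_out": 12_000},
    {"device": "android-22", "start": "2024-05-01T13:00:00", "end": "2024-05-01T13:30:00",
     "dst": "198.51.100.7:443", "bytes_out": 4_000_000},
]
KNOWN_DESTINATIONS = {"mdm.corp.example:443"}  # assumed corporate/MDM endpoints
LONG_LIVED = timedelta(hours=4)                # assumed session-length threshold
OFF_HOURS_BYTES = 500_000_000                  # assumed upload-volume threshold
OFF_HOURS = range(0, 6)                        # 00:00-05:59 local time

def _parse(ts):
    return datetime.fromisoformat(ts)

def long_lived_unknown(flow):
    """Persistent session to a destination that is not on the allow-list."""
    duration = _parse(flow["end"]) - _parse(flow["start"])
    return flow["dst"] not in KNOWN_DESTINATIONS and duration >= LONG_LIVED

def off_hours_high_volume(flow):
    """Large upload whose session began in the off-hours window (relay traffic)."""
    return _parse(flow["start"]).hour in OFF_HOURS and flow["bytes_out"] >= OFF_HOURS_BYTES

def find_suspects(flows):
    """Return {device: [reasons]} for every device with at least one matching flow."""
    hits = defaultdict(list)
    for f in flows:
        if long_lived_unknown(f):
            hits[f["device"]].append(f"long-lived session to {f['dst']}")
        if off_hours_high_volume(f):
            hits[f["device"]].append(f"{f['bytes_out']} bytes out starting {f['start']}")
    return dict(hits)

if __name__ == "__main__":
    for device, reasons in find_suspects(SAMPLE_FLOWS).items():
        print(device, "->", "; ".join(reasons))
```

Devices that trip both indicators are the ones to triage first; a single long session to an allow-listed MDM or push service is expected and is ignored here.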
Strategic Implications of Android Malware-as-a-Service
The rise of Android malware-as-a-service targeting European users signals a shift in the mobile threat landscape. By lowering the barrier to entry for Russian-speaking affiliates, the developers of Mirax are enabling a broader range of low-to-mid-level threat actors to engage in sophisticated proxy-based attacks. This modular approach to malware development allows the core authors to focus on maintaining the infrastructure while affiliates handle the distribution and exploitation phases.
For organizations with a significant mobile workforce in Europe, this threat necessitates a review of mobile security policies. The reliance on residential proxies by threat actors is a direct response to the industry’s success in blocking known malicious IP ranges. As attackers adapt, defenders must move beyond IP-based filtering and toward behavioral analysis and identity-centric security models.
Recommended Mitigations and Defensive Actions
To combat the Mirax RAT and similar mobile threats, organizations should implement the following mitigation steps:
- Restrict Sideloading: Enforce policies via Mobile Device Management (MDM) that prevent users from installing applications from unknown sources or third-party app stores.
- Implement Mobile Threat Defense: Use specialized security software on mobile endpoints that can scan for malicious signatures and monitor for suspicious system-level changes.
- Network Segmentation: Ensure that mobile devices, particularly those used for personal tasks (BYOD), are segmented from critical corporate infrastructure to prevent potential lateral movement should a device be used as a proxy node.
- User Awareness Training: Educate employees on the dangers of mobile-centric phishing campaigns, which often utilize SMS (smishing) or messaging apps to deliver malicious links.
- Monitor Data Usage: Encourage users to report unexplained spikes in data consumption or significant battery performance issues, as these are often the first signs of a background RAT operation.