Back to Intelligence

Mirax Android RAT: Defending Against Meta Ad Campaigns and SOCKS5 Proxy Abuse

SA
Security Arsenal Team
April 14, 2026
5 min read

Security researchers have identified a rapidly evolving threat targeting Android users, specifically within Spanish-speaking demographics. The "Mirax" Remote Access Trojan (RAT) has been disseminated through a large-scale malvertising campaign on Meta platforms (Facebook, Instagram, Messenger, Threads), reaching over 220,000 accounts.

Unlike standard information-stealers, Mirax possesses distinct proxy capabilities, converting compromised Android devices into SOCKS5 nodes. This allows threat actors to route malicious traffic through victim IP addresses, effectively obfuscating their origin and making attribution difficult. For defenders, this represents a dual threat: data exfiltration from the endpoint and reputational/network abuse risk due to proxy exploitation. Immediate action is required to detect infections and block the command-and-control (C2) infrastructure.

Technical Analysis

Affected Products & Platforms:

  • Platform: Android (specific versions not specified in source reports, but generally targets widely used versions).
  • Delivery Vector: Malicious advertisements on Meta platforms redirecting to APK downloads.

CVE Identifiers:

  • N/A (This is a malware campaign relying on social engineering and permissions abuse, not a specific software vulnerability).

Attack Chain & Mechanism:

  1. Initial Access: Users click on fraudulent Meta ads (often masquerading as legitimate utilities or applications).
  2. Execution: User downloads and installs a malicious APK file (likely requiring the user to bypass standard security restrictions like "Install Unknown Apps").
  3. Persistence & C2: The app establishes a connection with the threat actor's C2 server.
  4. Proxy Establishment: The RAT enables a SOCKS5 proxy component on the device, opening a port to accept inbound traffic or routing outbound traffic from the attacker through the device's cellular/Wi-Fi connection.
  5. Real-time Interaction: The RAT allows for full remote interaction (screen viewing, data harvesting).

Exploitation Status:

  • Confirmed Active Exploitation: Yes. Campaigns have reached over 220,000 accounts.

Detection & Response

Detecting Mirax requires correlating mobile endpoint telemetry with network anomalies. Since the malware turns devices into SOCKS5 proxies, defenders should hunt for unexpected inbound connection attempts to mobile devices or high-volume outbound traffic on non-standard proxy ports from mobile subnets.

SIGMA Rules

YAML
---
title: Potential Android SOCKS5 Proxy Activity (Mirax RAT)
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential SOCKS5 proxy traffic originating from Android devices, indicative of Mirax RAT or similar mobile proxy malware. Focuses on high-volume connections to non-standard ports.
references:
  - https://thehackernews.com/2026/04/mirax-android-rat-turns-devices-into.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1090.003
logsource:
  category: network_connection
  product: android
detection:
  selection:
    DestinationPort:
      - 1080
      - 1081
      - 1050
  condition: selection
falsepositives:
  - Legitimate VPN or corporate proxy usage from mobile devices
level: high
---
title: Android APK Sideloading from Untrusted Sources
id: 9b3c2d1e-0f1a-2b3c-4d5e-6f7a8b9c0d1e
status: experimental
description: Detects installation of APK files initiated by non-market package installers, a common vector for RATs like Mirax delivered via social engineering ads.
references:
  - https://thehackernews.com/2026/04/mirax-android-rat-turns-devices-into.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
  - attack.mobile_security
logsource:
  category: package_installation
  product: android
detection:
  selection:
    InitiatingPackageName|contains:
      - 'com.android.packageinstaller'
    PackageSource|notcontains:
      - 'com.android.vending' # Google Play Store
  condition: selection
falsepositives:
  - Enterprise MDM app deployment
  - User installing legitimate 3rd party apps (e.g. F-Droid, Amazon Appstore)
level: medium

KQL (Microsoft Sentinel / Defender)

Hunts for Android devices exhibiting network behavior consistent with SOCKS5 proxying or communicating with known suspicious ports associated with proxy tools.

KQL — Microsoft Sentinel / Defender
// Hunt for Android devices connecting to common SOCKS5/Proxy ports
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where DeviceType == "Android"
| where RemotePort in (1080, 1081, 1050, 3128, 8080)
| summarize Count = count(), RemoteIPs = makeset(RemoteIP), Ports = makeset(RemotePort) by DeviceId, DeviceName
| where Count > 10 // Filter out noise, look for persistent/proxy behavior
| extend Alert = "Potential Mobile Proxy Activity Detected"

Velociraptor VQL

Endpoint artifact to hunt for listening sockets on Android/Linux devices that are indicative of a local SOCKS5 proxy server being spun up by the malware.

VQL — Velociraptor
-- Hunt for processes listening on common SOCKS5 proxy ports
SELECT Fqdn, Pid, Name, Username, Family, Address, Port
FROM listen_sockets()
WHERE Port IN (1080, 1081, 1050)
  AND Family =~ "INET"
-- Exclude common system proxies if necessary
AND Name NOT IN ('nginx', 'apache2', 'squid')

Remediation Script (Bash)

This script is intended for analysts managing Linux-based gateways or log aggregators to identify network flows consistent with the Mirax proxy activity (internal mobile IPs reaching out to proxy ports) and to aid in firewall rule generation.

Bash / Shell
#!/bin/bash

# Mirax RAT Proxy Indicator Checker
# Analyzes netflow/syslog for internal IPs connecting to common SOCKS5 ports
# Usage: ./check_proxy_traffic.sh <logfile_path>

LOG_FILE=${1:-"/var/log/syslog"}
COMMON_PROXY_PORTS="1080|1081|1050"

# Output file for suspected indicators
OUTPUT="mirax_suspects_$(date +%Y%m%d).txt"

echo "[*] Scanning $LOG_FILE for connections on ports: $COMMON_PROXY_PORTS"

grep -E "$COMMON_PROXY_PORTS" "$LOG_FILE" | grep -E "PROTO=TCP" | awk '{print $1, $2, $3, $8, $9}' > "$OUTPUT"

if [ -s "$OUTPUT" ]; then
    echo "[+] Potential proxy traffic found. Summary:"
    awk '{print $4}' "$OUTPUT" | sort | uniq -c | sort -nr | head -n 10
    echo "[+] Full details saved to $OUTPUT"
else
    echo "[-] No obvious proxy traffic indicators found in logs."
fi

Remediation

Immediate Actions:

  1. App Removal: Identify infected devices via the detection methods above and uninstall the malicious application immediately.
  2. Device Isolation: If devices are corporate-managed (MDM), isolate them from the network (WLAN/VPN) until the malware is removed and a factory reset is performed (recommended for RATs).
  3. User Education: Alert users to the risks of clicking on Meta advertisements promoting software or utilities. Emphasize installing apps exclusively from official app stores (Google Play Store).

Hardening & Prevention:

  1. Block Unknown App Installations: Enforce MDM policies to prevent sideloading of APKs (Disable "Install Unknown Apps").
  2. Network Egress Filtering: Implement firewall rules to block outbound traffic from mobile subnets to non-standard proxy ports (e.g., 1080, 1081) unless specific business cases exist.
  3. Ad-Blocking: Deploy DNS-based filtering or mobile security solutions that can block known malicious ad domains used in malvertising campaigns.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

socmdrmanaged-socdetectionandroid-ratmiraxsocks5-proxymobile-threat-defense

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action