What happens when a newly observed Android malware campaign uses paid social advertising to put full device control into the hands of strangers and reaches more than 220,000 social accounts in a matter of weeks? The short answer: a modest piece of malicious code, amplified by mainstream ad platforms, can become a widespread operational tool before many notice.
What Mirax is and what it does
Security observers have identified a nascent Android remote access trojan (RAT) called Mirax. According to the reporting, Mirax "integrates advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real" and it converts infected phones into SOCKS5 proxies. Those two capabilities — full remote interaction and proxying — are the core technical attributes attributed to Mirax in the source material.
How it reached users: Meta advertisements and regional targeting
The campaign distributing Mirax relied on paid advertisements on Meta platforms. The ads ran on Facebook, Instagram, Messenger and Threads, and the reporting states that those campaigns reached more than 220,000 accounts. Observers noted a focus on Spanish-speaking countries as the primary targets of the distribution effort.
Why this matters: perspectives and risks
- Technologists — The combination of a remote access trojan with proxy functionality, delivered at scale via mainstream ad channels, presents a technical challenge: a single implanted tool can enable direct control over devices while also creating a distributed network of routed connections. The source attributes both capabilities to Mirax.
- Platform and policy stakeholders — The campaign’s use of paid advertisements on major social platforms raises questions about vetting and detection of malicious campaigns inside advertising ecosystems. The source links Mirax’s spread directly to Meta ads across multiple properties.
- Users in targeted regions — The reporting highlights that Spanish-speaking countries were actively targeted, and that more than 220,000 accounts saw the ads. For people on those platforms, the combination of pervasive ad delivery and a RAT that grants extensive access to devices is the central concern described in the source.
- Adversaries and operators — For malware operators, according to the information provided, Mirax offers both interactive control of compromised devices and the ability to turn them into network proxies — capabilities that can be useful for a range of malicious operations when combined with broad distribution.
Conclusion — a fast-moving threat refracts policy and practice
Mirax’s emergence, as described in the reporting, is notable less for a single advanced feature than for the convergence of two facts: the malware’s reported capabilities (full remote access plus SOCKS5 proxying) and the campaign’s reach via paid social advertising across multiple Meta properties, exceeding 220,000 accounts and focusing on Spanish-speaking countries. That convergence forces a practical question on platforms, defenders and users alike: when mainstream ad channels amplify malware distribution, who — and what — must change to prevent the next Mirax from spreading similarly?
https://thehackernews.com/2026/04/mirax-android-rat-turns-devices-into.html




