Mirax Android Trojan: Hijacking Devices for Proxy Abuse

Cybersecurity researchers have uncovered a new Android banking trojan that goes beyond typical credential theft. Known as Mirax Android Trojan, this malware not only steals sensitive data but also transforms compromised smartphones into residential proxy nodes. This dual functionality marks a significant shift in mobile threat tactics, blending remote access with proxy abuse to amplify the impact of attacks.

According to a detailed report from Cleafy, the malware is currently targeting Spanish-speaking users across Europe. Campaigns have already reached over 200,000 accounts through malicious advertisements on social media platforms. The trojan operates under a restricted Malware-as-a-Service (MaaS) model, limiting access to a small group of affiliates. This controlled distribution strategy helps maintain operational security while maximizing campaign effectiveness.

How the Mirax Android Trojan Spreads

Social engineering lies at the heart of the Mirax distribution chain. Attackers use fake advertisements promoting illegal streaming applications, such as IPTV services, to lure victims. These ads appear on popular social media platforms, directing users to download software from outside official app stores. The malware is hosted on GitHub with frequent updates, making it harder for security tools to track.

Once a user installs the fake app, the trojan executes a multi-stage process. It decrypts hidden payloads and establishes communication channels via WebSockets. These channels allow attackers to remotely control the device and extract data in real time. The malware also includes device checks designed to evade automated analysis, such as sandbox detection.

Remote Access and Surveillance Capabilities

The Mirax Android Trojan enables attackers to fully control infected devices. It can execute commands, monitor user activity, and deploy fake overlays on legitimate banking or social media apps. These overlays are fetched dynamically from command-and-control (C2) servers, making detection particularly challenging for antivirus software.

In addition, the malware integrates surveillance features like continuous keylogging and collection of lock screen details. This includes PIN structure and biometric usage patterns. As a result, attackers can gather credentials and personal information without raising suspicion. This means that even strong passwords or biometric locks offer little protection once a device is compromised.

Residential Proxy Abuse: A New Attack Vector

One of the most defining features of the Mirax Android Trojan is its ability to convert infected devices into residential proxy nodes. Attackers can route malicious traffic through legitimate IP addresses, bypassing geographic restrictions and fraud detection systems. This proxy capability extends the malware’s role beyond financial theft. Compromised devices become infrastructure for broader cybercriminal activities, including account takeovers (ATO) and anonymized network attacks.

Building on this functionality, the trojan allows attackers to launch secondary attacks that appear to originate from trusted residential IPs. This makes it harder for banks and online services to block fraudulent transactions. For a deeper look at proxy abuse in modern malware, check out our analysis of DeadLock Ransomware Using Polygon Smart Contracts for Proxy Rotation.

The Evolution of Mobile Threats

Cleafy’s research highlights that the Mirax Android Trojan reflects a wider evolution in mobile threats. Tools are becoming more modular and commercially structured, with malware authors adopting business-like models. The MaaS approach used by Mirax limits access to vetted affiliates, reducing the risk of exposure while increasing the sophistication of campaigns.

Although current campaigns focus on Spain, analysts warn that the malware’s reach is likely to expand as operators refine their tactics. Similar Android banking trojan trends show that geographic targeting often broadens after initial success. Users should remain vigilant and avoid downloading apps from unverified sources, especially those promoted via social media ads.

To stay protected, always install apps from official stores like Google Play, enable two-factor authentication, and use reputable mobile security software. If you suspect your device is compromised, run a full security scan immediately and change all critical passwords.

FISA Section 702 Nears Expiry: Lawmakers Clash Over Americans’ Privacy vs. Surveillance Powers

A critical U.S. surveillance law, known as FISA Section 702, is set to expire next week, throwing Congress into a fierce debate over national security and the privacy rights of Americans. This law has long allowed intelligence agencies like the NSA and FBI to collect overseas communications without warrants—but it also sweeps up data on countless U.S. citizens.

As the April 20 deadline looms, a bipartisan group of lawmakers is pushing for major reforms to end warrantless surveillance of Americans. Meanwhile, the Trump administration and some Republicans want a simple extension without changes. The outcome will shape how the government monitors communications for years to come.

What Is FISA Section 702 and Why Does It Matter?

FISA Section 702 permits U.S. intelligence agencies to intercept foreign communications flowing through American networks. However, this bulk collection inevitably captures emails, phone logs, and other data from Americans who communicate with people overseas—all without a search warrant.

Privacy advocates argue that this practice violates the Fourth Amendment, which protects against unreasonable searches. The American Civil Liberties Union and other groups have long condemned the program as an overreach that infringes on civil liberties.

Lawmakers Divided Over Reauthorization and Reforms

On one side, the White House and some House Republicans favor a clean reauthorization of FISA Section 702, arguing it is essential for counterterrorism and foreign intelligence. President Trump recently signaled support for extending the law without amendments.

On the other side, a bipartisan coalition led by Senators Ron Wyden and Mike Lee introduced the Government Surveillance Reform Act. This bill aims to close the controversial “backdoor search” loophole, which allows agencies to search Americans’ communications without a warrant. It also seeks to ban the government from buying location data from data brokers—a practice FBI Director Kash Patel confirmed in a March hearing.

“Many lawmakers aren’t aware that multiple administrations have relied on a secret interpretation of Section 702 that directly affects Americans’ privacy,” Wyden warned. He has urged the government to declassify this information.

Representative Thomas Massie echoed these concerns after reviewing classified FISA documents, stating he would vote against reauthorization. “The Constitution requires I vote No,” he posted on X.

What Happens If FISA Section 702 Expires?

Even if the law expires on April 20, surveillance may not stop immediately. A legal quirk allows the Foreign Intelligence Surveillance Court to certify the government’s practices annually, effectively extending surveillance until March 2027 unless Congress actively intervenes.

Additionally, the government operates under Executive Order 12333, a secret presidential directive that governs much of the surveillance outside the U.S. and also captures Americans’ communications. This means privacy protections remain fragile regardless of Section 702’s fate.

Privacy Reforms Gain Momentum Amid Tech Advances

The debate comes as technology makes surveillance easier than ever. App developers collect vast amounts of location data, selling it to brokers who then supply governments. Both Republicans and Democrats reportedly want to close this loophole, which also complicates negotiations with AI companies like Anthropic and OpenAI.

Privacy groups including the Electronic Privacy Information Center and the Project on Government Oversight support the reform bill. However, its passage remains uncertain as Congress faces a tight deadline.

For more on how surveillance laws impact your digital life, check out our guide on protecting your privacy online. To understand the history of FISA, read our explainer on the Foreign Intelligence Surveillance Act.

In the end, the fight over FISA Section 702 is a battle between security and liberty. As lawmakers debate, Americans must ask: How much privacy are we willing to trade for safety?

Mailbox Rule Abuse: The Stealthy Post-Compromise Threat in Microsoft 365

Imagine an attacker quietly controlling your email inbox—deleting security alerts, forwarding sensitive messages, and hiding all traces of their activity. This is not a far-fetched scenario. Security researchers have uncovered a significant rise in mailbox rule abuse within Microsoft 365 environments, where cybercriminals leverage native email features to maintain access, exfiltrate data, and manipulate communications after compromising an account.

According to findings from Proofpoint, approximately 10% of breached accounts in Q4 2025 had malicious mailbox rules created within seconds of initial access. These rules often use minimal or nonsensical names, making them easy to overlook. They are designed to delete emails or move them into rarely monitored folders like Archive or RSS Subscriptions, allowing attackers to operate under the radar.

How Attackers Exploit Microsoft 365 Mailbox Rules

Mailbox rules provide attackers with a powerful combination of automation and stealth. Once inside an account, they can silently control email flow while avoiding detection. By suppressing or redirecting messages, attackers reshape what victims see in their inbox, allowing fraudulent activity to continue unnoticed.

Common attacker objectives include:

• Forwarding sensitive emails to external accounts for data theft
• Hiding security alerts, password resets, and suspicious activity
• Intercepting and manipulating ongoing email conversations
• Maintaining access even after password changes

In practice, these tactics enable attackers to impersonate victims, hijack communication threads, and influence business transactions without triggering traditional security alerts. This form of mailbox rule abuse is particularly dangerous because it leverages legitimate functionality, making it hard for standard defenses to detect.

Real-World Impact and Persistence Risks

Several scenarios illustrate how mailbox rule abuse plays out in real attacks. In one case observed by Proofpoint, attackers targeted payroll processes by launching internal phishing emails from a compromised account, while rules were created to hide replies and warnings. This ensured the activity remained largely invisible to the victim.

In another example, attackers combined mailbox rules with third-party email services and domain spoofing to intercept vendor communications and insert fraudulent payment requests into existing threads. These tactics are classic signs of business email compromise (BEC) attacks, which continue to plague organizations worldwide.

University environments have also been affected. Attackers frequently deploy blanket rules that delete or hide all incoming messages, isolating the mailbox and enabling large-scale spam campaigns without user awareness. One of the most concerning aspects is persistence: malicious forwarding and suppression rules can remain active even after credentials are reset, allowing continued data exposure.

Building on this, researchers note that automation tools now enable attackers to deploy these rules across multiple accounts at scale, turning a simple feature into a powerful and difficult-to-detect attack method. This means that even organizations with robust security measures can fall victim to mailbox rule abuse if they do not monitor for such activity.

Defending Against Mailbox Rule Abuse

To defend against similar threats, Proofpoint suggests that organizations disable external auto-forwarding, enforce strong access controls including multi-factor authentication (MFA), and closely monitor OAuth activity. Ensuring rapid response by removing malicious rules, revoking sessions, and auditing account activity is also recommended.

For more insights on protecting your organization, check out our guide on business email compromise prevention and learn about Microsoft 365 security best practices.

In conclusion, mailbox rule abuse represents a stealthy post-compromise threat that every organization using Microsoft 365 should take seriously. By understanding how attackers exploit these features and implementing proactive defenses, you can reduce the risk of data breaches and financial losses.