
New Android Mirax Bot Advertised on Cybercriminal Forums Claiming Advanced Capabilities

A new Android banking malware called Mirax Bot has surfaced on underground cybercriminal forums, with a threat actor actively promoting it as a powerful tool built specifically for financial fraud.

Sold under a Malware-as-a-Service (MaaS) model, the bot is offered in structured rental tiers, making it accessible to a broad range of criminals regardless of their technical background.

The arrival of Mirax Bot reflects a broader and alarming shift in mobile cybercrime: sophisticated attack tools are now packaged and sold much like commercial software, dramatically lowering the barrier for anyone seeking to commit large-scale banking fraud against everyday Android device users around the world.

The tool is currently being advertised on ExploitForum, a well-established underground marketplace where cybercriminals routinely trade tools, services, and stolen data.

According to the listing, Mirax Bot supports over 700 application injects alongside Hidden Virtual Network Computing (HVNC), allowing attackers to both steal credentials and remotely control infected devices without triggering any visible signs of compromise.

Rental pricing follows a tiered structure — a 30-day LIGHT package at $1,750, a 14-day LIGHT option at $1,000, and an optional APK Loader add-on available for an additional $500.

KrakenLabs researchers identified and flagged Mirax Bot on March 5, 2026, after actively tracking its advertisement across underground platforms.

They noted that the malware’s feature set is built to support account takeover (ATO) operations and financial fraud at scale, combining credential capture, real-time remote device interaction, and residential proxying through compromised Android handsets.

The team also clarified that all capabilities listed in the advertisement are seller claims and have not been independently verified at this stage.

https://twitter.com/KrakenLabs_Team/status/2029525839860163010?ref_src=twsrc%5Etfw

Beyond the advertisement itself, the technical profile of Mirax Bot raises serious concerns for both individual users and financial institutions worldwide.

The bot reportedly routes attacker traffic through the infected device’s own network connection, effectively turning it into a residential proxy to bypass the fraud detection mechanisms that banks and payment providers rely on.

Since outgoing requests appear to come directly from the victim’s own device and IP address, standard security checks are far less likely to flag the activity as suspicious or fraudulent, making it especially difficult to catch in real time.

HVNC and Inject-Based Credential Theft

The most technically dangerous components of Mirax Bot are its HVNC capability and its extensive library of over 700 targeted application injects.

HVNC, which stands for Hidden Virtual Network Computing, allows an attacker to remotely and silently control an infected Android device without disturbing anything the victim sees on their screen.

The attacker can open apps, initiate fund transfers, approve transactions, and extract sensitive data entirely through a hidden parallel session, making it nearly impossible for the device owner to detect that anything unauthorized is happening.

The inject library works directly alongside HVNC by placing fake but convincing screens over legitimate banking and payment applications the moment a victim opens them.

These overlay screens are designed to look identical to the real app interface, tricking users into entering their login credentials, one-time passwords, or card details, all of which are quietly captured and forwarded to the attacker.

With claimed inject support spanning more than 700 apps across banks, crypto wallets, and payment services, Mirax Bot is positioned to impact users across many countries and financial platforms at the same time.

Mirax Bot attack chain — from APK delivery and device infection to HVNC-based remote access and inject-driven credential capture (Source – KrakenLabs)

To protect against threats like Mirax Bot, Android users should only install applications from the official Google Play Store and avoid sideloading APKs from unknown or untrusted external sources.

Keeping Google Play Protect active, reviewing app permission requests carefully before granting access, and using a mobile security tool equipped with behavioral detection are all meaningful protective measures worth adopting.

Financial institutions should prioritize device-binding authentication and invest in fraud detection systems that analyze behavioral patterns rather than relying solely on IP address-based verification.
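The contrast between IP-based verification and device binding can be shown with a small server-side check. This is an added example, not code from KrakenLabs or the original article; the account ID, IP address, payload format and function names are constructed for illustration, and an HMAC secret stands in for the hardware-backed device key a production scheme would use.

```python
import hashlib
import hmac
import secrets

# Constructed sample data. HMAC with a per-device secret stands in for the
# hardware-backed asymmetric key a production device-binding scheme would use.
DEVICE_KEYS = {"acct-1001": secrets.token_bytes(32)}   # provisioned at enrollment
KNOWN_IPS = {"acct-1001": {"203.0.113.24"}}            # documentation-range IP


def sign(device_key, nonce, payload):
    """Client side: tie the payload to the server's one-time nonce."""
    return hmac.new(device_key, nonce + payload.encode(), hashlib.sha256).hexdigest()


def ip_only_check(account, source_ip):
    """Weak control: trust any request that arrives from a familiar address."""
    return source_ip in KNOWN_IPS.get(account, set())


def device_bound_check(account, nonce, payload, signature):
    """Require proof of the enrolled device key; the source IP is not consulted."""
    key = DEVICE_KEYS.get(account)
    if key is None or not signature:
        return False
    return hmac.compare_digest(sign(key, nonce, payload), signature)


def run_scenarios():
    acct, ip, payload = "acct-1001", "203.0.113.24", "transfer:250.00:DE00EXAMPLE"
    nonce = secrets.token_bytes(16)
    good_sig = sign(DEVICE_KEYS[acct], nonce, payload)
    cases = {
        # Enrolled device on its usual network.
        "enrolled_device": (nonce, good_sig),
        # Stolen credentials used from another device, with traffic relayed so
        # it arrives from the customer's own IP; no enrolled key is available.
        "proxied_other_device": (nonce, sign(secrets.token_bytes(32), nonce, payload)),
        # Previously captured signature presented against a fresh nonce.
        "replayed_signature": (secrets.token_bytes(16), good_sig),
    }
    return {
        name: {"ip_only": ip_only_check(acct, ip),
               "device_bound": device_bound_check(acct, n, payload, sig)}
        for name, (n, sig) in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22} {verdict}")
```

Device binding does not cover a session driven on the enrolled handset itself, which is why the recommendation pairs it with behavioral analysis.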


The post New Android Mirax Bot Advertised on Cybercriminal Forums Claiming Advanced Capabilities appeared first on Cyber Security News.

rssfeeds-admin
