Mirax social media ad campaign targeting Spanish-speaking users
Campaign
Summary
Hide ▲
Show ▼
The Mirax distribution campaign is using social media advertisements and fake IPTV or streaming apps to reach Spanish-speaking users at scale, raising the risk of credential theft and device abuse across Europe. The operation has already reached more than 200,000 accounts and is designed to push victims toward malware installation outside official app stores. Its restricted MaaS model and residential proxy capability suggest an effort to improve campaign effectiveness while reducing detection.
Related Happenings
Grandoreiro DLL side-loading campaign targeting banks in Portugal
Campaign
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...
Grandoreiro DLL side-loading campaign targeting banks in Portugal
CampaignAbout this happening: **Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Webworm multi-country targeting campaign against government and enterprise victims
CampaignAbout this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Trapdoor Android malvertising and ad-fraud campaign
CampaignAbout this happening: The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
Campaign
First: 11.05.2026 18:15
Last: 11.05.2026 18:15
Sources 1
About this happening:
The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....
TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
CampaignAbout this happening: The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....
GlassWorm OpenVSX sleeper extension campaign
Campaign
First: 28.04.2026 00:41
Last: 28.04.2026 00:41
Sources 1
About this happening:
The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
GlassWorm OpenVSX sleeper extension campaign
CampaignAbout this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
Timeline
-
13.04.2026 17:30 2 articles · 1mo ago
Cleafy discloses Mirax Android banking trojan campaign
Initial DisclosureCleafy discloses a newly identified Android banking trojan named Mirax that is spreading across Europe and targeting Spanish-speaking users through social media advertisements and fake IPTV or streaming apps. The campaign has reportedly reached more than 200,000 accounts, uses a restricted Malware-as-a-Service model, and equips infected devices for real-time control, fake overlays, continuous keylogging, and residential proxy abuse.
Show sources
- Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
- Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30