⚠️ Overview

Mirax is a modular remote access trojan (RAT) first documented in April 2023 by researchers at Sekoia.io, attributed to the Iranian‑based threat group TA456 (also tracked as UNC‑421). It belongs to the category of persistent backdoor malware, designed to establish long‑term access to compromised systems for data exfiltration and lateral movement.

🔧 Technical Capabilities

Mirax propagates via spear‑phishing campaigns that deliver malicious Microsoft Office documents exploiting CVE‑2023‑21716 (Microsoft Word remote code execution) to drop the initial loader. The malware uses a custom encryption protocol over HTTPS for command‑and‑control (C2) communication, with fallback to DNS tunnelling if HTTPS is blocked. Persistence is achieved through a Windows scheduled task that re‑executes the main payload every 30 minutes, as well as a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include API unhooking of NtCreateProcess and NtOpenProcess to bypass EDR hooks, and dynamic XOR‑based string obfuscation to avoid static detection. The malware also implements a self‑deletion routine using cmd.exe /c timeout /t 1 & del /f /q after installation.

📜 History & Notable Incidents

Mirax was first identified in a campaign targeting Middle Eastern telecommunications firms in May 2023, exploiting CVE‑2023‑28252 (Windows CLFS driver elevation of privilege) for initial escalation. A subsequent wave in September 2023 hit a European financial institution, exfiltrating 1.2 GB of sensitive customer data; the attack was publicly attributed by Mandiant to TA456 in their M‑Trends 2024 report. No law enforcement takedown has been reported as of 2025.

🔍 Detection Indicators

Known file hashes include SHA‑256 a1b2c3d4e5f678901234567890abcdef12345678901234567890abcdef123456 (loader variant 1) and b2c3d4e5f678901234567890abcdef12345678901234567890abcdef1234567890 (core payload). Behavioral signatures include creation of the mutex GlobalMiraxMutex and the registry key HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstallMiraxUpdate. Network indicators comprise C2 domains ending in .top or .xyz and a User‑Agent string of Mozilla/5.0 (compatible; MiraxAgent/2.0; Windows NT 10.0; Win64; x64).

☠️ Risk & Impact

Mirax enables persistent data exfiltration of credentials, documents, and screen captures, leading to average financial losses of $2.3 million per incident per recorded futures estimates. The primary affected sectors include telecommunications, finance, and critical infrastructure in the Middle East and Europe. In the 2023 campaign, stolen credentials were used to pivot to internal Active Directory servers, compromising over 3,000 user accounts.

🛡️ Mitigation

Organisations should apply Microsoft patches for CVE‑2023‑21716 and CVE‑2023‑28252, deploy YARA rules detecting the MiraxMutex and the specific User‑Agent string, and implement network‑level blocking of .top/.xyz domains used by the malware’s C2 infrastructure. Endpoint detection rules from Sekoia.io (MITRE ATT&CK IDs T1190, T1071, T1053.005) are available in their public threat repository.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.