Mamona
Mamona is a ransomware family/RaaS operation active by March 2025 and linked in reporting to the BlackLock/El Dorado ecosystem. The operator alias "$$$" was reported to have announced Mamona ransomware on March 11, 2025, and the same alias was linked to BlackLock, El Dorado, and Mamona. Mamona was also described as an older ransomware strain succeeded by Global Group ransomware. Reporting further noted overlap between Mamona-linked activity, BlackLock affiliates, the Embargo group, and later DragonForce-related activity.
Mamona is associated with leak-site operations; its leak site was reportedly defaced around the same time as BlackLock’s during DragonForce’s March 2025 "cartel" push, and Mamona later went offline. One source also referenced "Mamona RaaS," indicating it operated as a ransomware-as-a-service program.
High-confidence lineage reporting states that Global Group is a successor to Mamona. In phishing campaigns observed throughout 2024 and 2025, Phorpiex malware was used to deliver Global Group via deceptive .lnk attachments disguised with double extensions such as "Document.doc.lnk." Those campaigns used living-off-the-land execution through cmd.exe and PowerShell to download the ransomware payload. Because Global Group is explicitly described as Mamona’s successor, this provides context on the evolution of the malware family, though the described infection chain is directly attributed to Global Group rather than Mamona itself.
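The double-extension shortcut disguise described above (reported for Global Group delivery, not for Mamona itself) can be screened for at the mail gateway. The following is an added example, not code from the reporting or from any vendor; the function names, the decoy-extension list beyond ".doc", and the sample attachment names are assumptions constructed for illustration.

```python
import re

# Assumption: document-style decoy extensions placed before ".lnk".
# The page names only ".doc" (in "Document.doc.lnk"); the rest are illustrative.
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt", "jpg", "png"}


def classify_attachment(name: str) -> str:
    """Return 'double-extension-lnk', 'lnk' or 'ok' for an attachment name."""
    # Names reported from inside archives may carry a path; keep the last part.
    leaf = re.split(r"[\\/]", name)[-1]
    # Windows ignores trailing dots and spaces, so "a.doc.lnk. " is still a shortcut.
    leaf = leaf.rstrip(". ").lower()
    # Strip whitespace padding used to push the real extension out of view.
    parts = [p.strip() for p in leaf.split(".")]
    if len(parts) < 2 or parts[-1] != "lnk":
        return "ok"
    # A decoy extension right before ".lnk" is the disguise described above.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension-lnk"
    # Any other shortcut arriving by mail is still worth a lower-priority review.
    return "lnk"


def triage(names):
    """Group attachment names by verdict, dropping the 'ok' ones."""
    hits = {}
    for n in names:
        verdict = classify_attachment(n)
        if verdict != "ok":
            hits.setdefault(verdict, []).append(n)
    return hits


# Constructed sample of attachment names, not taken from any real campaign.
SAMPLE = [
    "Document.doc.lnk",
    "Invoice.PDF      .LNK",
    "scans/Report.xlsx.lnk. ",
    "Shortcut.lnk",
    "minutes.docx",
    "notes.lnk.txt",
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE).items():
        print(verdict, names)
```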
No standalone technical IOCs specific to Mamona binaries were provided in the content. The most reliable associations are its ties to BlackLock/El Dorado, the actor "$$$", its operation as a ransomware brand/RaaS, its leak-site presence, and its succession by Global Group.
Groups observed using it
1 distinct threat actor attributed by public researchers.
March 11, 2025 - the actor "$$$" behind BlackLock Ransomware announced the launch of a new project called Mamona Ransomware.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Ransomware family referenced in related reading; no additional technical behavior described in the provided content beyond mention of offline encryption in the title.
Referenced as the predecessor ransomware family to Global Group.
Referenced as the predecessor ransomware family to Global Group; no additional behavior details provided in the content.