Cybersecurity experts are tracing Mamona, a new ransomware strain that is famous for its stripped-down build and silent local execution. Experts believe that the ransomware prevents the usual command-and-control (C2) servers, choosing instead a self-contained method that moves past tools relying on network traffic analysis.
The malware is executed locally on a Windows system as a standalone binary file. The offline approach reveals a blind spot in traditional defenses, raising questions about how even the best antivirus and detection mechanisms will work when there is no network.
Self-deletion and escape techniques make detection difficult
Once executed, it starts a three-second delay via a modified ping command, ”cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /f /q.” After this, it self-deletes. The self-deletion helps to eliminate forensic artifacts that make it difficult for experts to track or examine the malware after it has been executed.
The malware uses 127.0.0.7 instead of the popular 127.0.0.1, which helps in evading detection measures. This tactic escapes simple detection tests and doesn’t leave digital traces that older file-based scanners might tag. The malware also drops a ransom note titled README.HAes.txt and renames impacted files with the .HAes extension. This means the encryption was successful.
“We integrated Sysmon with Wazuh to enrich logs from the infected endpoint and created Wazuh detection rules to identify malicious behaviour associated with Mamona ransomware,” said Wazuh in a blog post.
Spotting Mamona
Wazuh has alerted that the “plug-and-play” nature of the malware makes it easy for cybercriminals and helps in the commodization of ransomware. This change highlights an urgent need for robust inspections of what stands as the best ransomware protection when such attacks do not need remote control infrastructure. Wazu’s method to track Mamona involves combining Sysom for log capture and employing custom rules to flag particular behaviours like ransom note creation and ping-based delays.
According to TechRadar, “Rule 100901 targets the creation of the README.HAes.txt file, while Rule 100902 confirms the presence of ransomware when both ransom note activity and the delay/self-delete sequence appear together.”
![](https://pinterest.com/pin/create/bookmarklet/?media=https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZiLc_nMgYk6h2MDsXGaYeX4g2oU85PmXiWV3F2hZO8sVbqxIptrdADGhDYFzuSOZUQNQy6Jkg8a8zZZovz-r3UCfypRgK73Vgi6TsuOZYDwcxfLCAMs8L7Eh5Eb8q2PWahGYOJQ6b8lf975dNZxtT5jgQB9QgJrsSOOZteHOM7RZlDgVBWROHApAXmbPe/w640-h492/hacker-3342696_960_720.webp&url=https://www.cysecurity.news/2025/07/latest-malware-mamona-attacks-locally.html?m=1&description=Latest Malware "Mamona" Attacks Locally, Hides by Self Deletion){kind=link}