New GodDamn Ransomware Leverages PoisonX Driver to Bypass Security Defenses
Cybersecurity researchers have identified a new ransomware strain, GodDamn, which employs the PoisonX kernel driver to disable security software as part of its evasion tactics. First detected in the wild on May 21, 2026, GodDamn is believed to be a rebrand of Beast ransomware, itself an evolution of the Monster ransomware (active since March 2022). The threat actor behind these families, tracked as Hyadina, has been linked to multiple ransomware operations.
In an attack observed in early June 2026, the group used AnyDesk for remote access and deployed a NirSoft-based credential harvester to extract sensitive data from browsers, Windows Credential Manager, email clients, Wi-Fi profiles, and network traffic. The initial access vector remains unknown. The attackers also utilized a user-mode defense evasion tool disguised as a Symantec product ("symantec.exe") and the PoisonX driver ("g11.sys") in a bring your own vulnerable driver (BYOVD) attack to neutralize endpoint defenses.
Notably, PoisonX is a malicious driver that obtained a valid Microsoft signature, making it particularly effective at bypassing security controls. The driver has also been adopted by The Gentlemen ransomware-as-a-service (RaaS) group in its GentleKiller tool, which affiliates use to disable protections before encryption.
The attack chain involved PsExec for lateral movement, followed by the installation of AnyDesk on compromised hosts as an auto-start service to maintain persistence. A PowerShell script was used in some cases to automate the deployment. By June 2, 2026, the threat actors had repeated this process across at least 10 hosts within the targeted organization.
On June 3, 2026, GodDamn was detected on a separate network segment, where it appended the victim’s name as the file extension instead of the usual ".God8Damn." The ransom note, analyzed by CYFIRMA, instructs victims to contact the attackers via email or the qTox encrypted messaging app.
Researchers warn that GodDamn’s use of PoisonX demonstrates an escalation in defensive evasion, signaling Hyadina’s continued development of advanced ransomware capabilities. The group’s reliance on BYOVD attacks underscores the growing threat posed by signed malicious drivers in bypassing security measures.
Source: https://thehackernews.com/2026/07/goddamn-ransomware-uses-poisonx-driver.html
RevelSI cybersecurity rating report: https://www.rankiteo.com/company/revelsi
"id": "REV1783600334",
"linkid": "revelsi",
"type": "Ransomware",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Organization'}],
'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally identifiable and '
'authentication data)',
'type_of_data_compromised': ['Credentials',
'Wi-Fi profiles',
'Network traffic',
'Email client data']},
'date_detected': '2026-05-21',
'description': 'Cybersecurity researchers have identified a new ransomware '
'strain, GodDamn, which employs the PoisonX kernel driver to '
'disable security software as part of its evasion tactics. The '
'attack involved the use of AnyDesk for remote access, a '
'NirSoft-based credential harvester, and the PoisonX driver in '
'a BYOVD attack to neutralize endpoint defenses. The '
'ransomware appended the victim’s name as the file extension '
'and instructed victims to contact attackers via email or '
'qTox.',
'impact': {'data_compromised': 'Sensitive data from browsers, Windows '
'Credential Manager, email clients, Wi-Fi '
'profiles, and network traffic',
'identity_theft_risk': 'High (due to credential harvesting)',
'operational_impact': 'Disruption due to ransomware encryption and '
'lateral movement',
'systems_affected': 'At least 10 hosts within the targeted '
'organization'},
'investigation_status': 'Ongoing',
'lessons_learned': 'The use of signed malicious drivers like PoisonX '
'highlights the growing threat of BYOVD attacks in '
'bypassing security measures. Organizations must enhance '
'monitoring for kernel-level threats and validate driver '
'signatures.',
'motivation': 'Financial gain',
'post_incident_analysis': {'root_causes': 'Exploitation of a signed malicious '
'driver (PoisonX) to bypass '
'security defenses, followed by '
'credential harvesting and lateral '
'movement using PsExec and '
'AnyDesk.'},
'ransomware': {'data_encryption': 'Yes', 'ransomware_strain': 'GodDamn'},
'recommendations': ['Implement strict driver validation policies to prevent '
'BYOVD attacks.',
'Monitor for unusual lateral movement and remote access '
'tool usage (e.g., AnyDesk, PsExec).',
'Enhance endpoint detection and response (EDR) '
'capabilities to detect kernel-level threats.',
'Conduct regular credential hygiene audits to mitigate '
'credential harvesting risks.',
'Segment networks to limit lateral movement during '
'ransomware attacks.'],
'references': [{'source': 'CYFIRMA'}],
'threat_actor': 'Hyadina',
'title': 'New GodDamn Ransomware Leverages PoisonX Driver to Bypass Security '
'Defenses',
'type': 'Ransomware',
'vulnerability_exploited': 'PoisonX kernel driver (BYOVD attack)'}