GodDamn Ransomware Leverages Microsoft-Signed PoisonX Driver to Disable Endpoint Security
A new ransomware variant, dubbed **GodDamn**, has been identified employing the **PoisonX** kernel driver to bypass endpoint security solutions. This sophisticated defense evasion tactic, part of a 'bring your own vulnerable driver' (**BYOVD**) attack, allows the ransomware to neutralize security software before encrypting files. Researchers note **GodDamn** is a rebrand of the **Beast** ransomware, tracing its lineage back to **Monster**.
Cybersecurity researchers are sounding the alarm on **GodDamn**, a potent new ransomware family that utilizes the **PoisonX** kernel driver to disable security software, facilitating its defense evasion strategy.

According to a recent report by **Symantec's Threat Hunter Team**, **GodDamn** first appeared in the wild on May 21, 2026. It's believed to be a rebrand of the **Beast** ransomware, which itself was an enhanced version of the Delphi-based **Monster** ransomware, initially observed in March 2022. **Broadcom's** cybersecurity arm is tracking the developer behind these ransomware families under the moniker **Hyadina**.
### Attack Chain and Evasion Tactics
In an attack observed in early June 2026, threat actors leveraged **AnyDesk** for remote access and deployed a **NirSoft-based credential harvesting toolkit** before unleashing the ransomware. The initial access vector remains unknown. This toolkit is designed to siphon sensitive data from various sources, including web browsers, **Windows Credential Manager**, cached domain credentials, VNC sessions, email clients, Wi-Fi profiles, and live network traffic.
A user-mode defense evasion tool, disguised as a **Symantec** product ("symantec.exe"), was also employed. This tool, alongside the **PoisonX** kernel driver ("g11.sys"), is used to disable endpoint defenses in what's known as a 'bring your own vulnerable driver' (**BYOVD**) attack.
### The Malicious PoisonX Driver
"However, the **PoisonX** driver seems to be slightly more unusual, in that it appears to be a malicious driver that its developers succeeded in getting signed by **Microsoft**, and it is now being used by ransomware attackers," stated the **Symantec Threat Hunter Team** in their report.
Notably, **PoisonX** is one of eight drivers adopted by the operators of **The Gentlemen** ransomware-as-a-service (**RaaS**) scheme. It's integrated into their custom **GentleKiller** tool, which affiliates use to impair system defenses before executing the encryptor.
**Broadcom** previously highlighted the efficacy of vulnerable drivers, noting, "The attacker, having gained administrator privileges, can drop a flawed but validly signed driver onto the target machine. Because the driver is signed, **Windows** loads it automatically." These drivers are often used to terminate antivirus (**AV**) or endpoint detection and response (**EDR**) processes, effectively disarming the target system.
### Lateral Movement and Persistence
The attack also involved the use of **PsExec** for lateral movement, followed by installing **AnyDesk** on reachable hosts and registering it as an auto-start **Windows** service to maintain persistence across reboots. In some instances, a PowerShell script pre-staged on the system drive handled the **AnyDesk** setup, suggesting the use of a reusable installer.
"After completing the **AnyDesk** setup on each host, the attackers terminated the running **AnyDesk** process, waited briefly, then rebooted the machine," **Symantec** detailed. This deployment sequence was repeated across at least 10 hosts within the targeted organization by early June.
**GodDamn** ransomware was first detected on June 3 on a separate network segment. In this instance, files were renamed with the victim's name as the extension, differing from the ".God8Damn" extension used in other **Hyadina** attacks. According to **CYFIRMA's** report, the ransom note directs victims to contact the attackers via email or the **qTox** encrypted messaging app.
"**GodDamn's** use of the relatively newly discovered **PoisonX** malicious driver component represents an escalation in defensive evasion capability by this group, indicating that **Hyadina** is continuing to actively develop its ransomware and its capabilities," the cybersecurity company concluded.