Cybersecurity experts are raising alarms over a new ransomware threat known as GodDamn, which employs the PoisonX kernel driver to disable security systems. This malicious software was first detected on May 21, 2026, and is believed to be a rebranding of previous ransomware known as Beastransomware and its precursor, Monster. The Symantec Threat Hunter Team has identified the developer behind these threats as Hyadina. In an attack in early June 2026, GodDamn ransomware operators used AnyDesk for remote access and a NirSoft-based toolkit to harvest credentials before deploying the ransomware. The initial access method remains unclear, but the credential harvesting targets sensitive data from browsers, email clients, and network traffic. A key aspect of the attack involves using a user-mode tool disguised as a Symantec product and the PoisonX driver, signed by Microsoft, to disable endpoint defenses in a bring your own vulnerable driver attack. PoisonX is among eight drivers used by The Gentlemen ransomware-as-a-service in its GentleKiller tool to impair defenses before encryption. Attackers exploit these vulnerable drivers to disable antivirus and endpoint detection processes, often rendering security software ineffective. The attack also features lateral movement facilitated by PsExec and AnyDesk, which is configured to auto-start and persist through reboots. By June 2, this method had affected at least ten hosts within the targeted organization. GodDamn ransomware was later identified on a separate network segment, with files renamed using the victim's name rather than the typical .God8Damn extension. A ransom note prompts victims to contact the attackers via email or qTox, an encrypted messaging app. The use of the PoisonX driver underscores Hyadina's continued development of its ransomware capabilities, enhancing its ability to evade detection.
GodDamn Ransomware Exploits PoisonX Driver to Evade Security Measures
Researchers detail GodDamn ransomware's use of a signed PoisonX kernel driver to disable security tools and evade detection.


