GodDamn Ransomware: Exploiting Microsoft-Signed PoisonX Driver to Disable Security Defenses

3

GodDamn Ransomware Exploits Microsoft-Signed PoisonX Driver to Cripple Endpoint Defenses

A newly discovered ransomware family is using a malicious kernel driver that reportedly obtained a legitimate Microsoft signature to silently disable security software before encrypting victim files.

Cybersecurity researchers at Symantec's Threat Hunter Team have identified a ransomware strain called GodDamn that deploys the PoisonX kernel driver to neutralize endpoint defenses. First detected in the wild on May 21, 2026, GodDamn represents a dangerous escalation in the ongoing arms race between ransomware operators and cybersecurity defenders. To understand the broader threat landscape this attack sits within, it helps to first understand how ransomware works and why it continues to evolve as one of the most damaging categories of cybercrime.

GodDamn, PoisonX, and the Threat Behind the Headlines

What Makes GodDamn Different From Other Ransomware Threats

GodDamn is assessed to be a rebrand of Beast ransomware, which itself was an enhanced version of Monster — a Delphi-based ransomware that first surfaced in March 2022. Broadcom's cybersecurity arm is tracking the developer behind all three ransomware families under the threat actor moniker Hyadina.

What distinguishes GodDamn from its predecessors is its use of the PoisonX kernel driver in a bring your own vulnerable driver (BYOVD) attack. BYOVD attacks allow threat actors with administrator privileges to drop a signed but flawed driver onto a target machine. Because the driver carries a valid signature, Windows loads it without question.

"The PoisonX driver seems to be slightly more unusual in that it appears to be a malicious driver that its developers succeeded in getting signed by Microsoft and it is now being used by ransomware attackers," the Symantec Threat Hunter Team said in a report shared with The Hacker News.

The implications are significant. A Microsoft-signed malicious driver represents a meaningful gap in the trust model that Windows relies upon to distinguish legitimate software from threats. Unlike traditional BYOVD attacks that exploit known vulnerabilities in legitimate drivers, PoisonX appears to have been purpose-built as a malicious tool — and then submitted through the signing process successfully. This distinction matters because it undermines one of the foundational assumptions defenders have long relied upon: that a Microsoft signature is a reliable indicator of trustworthiness.

It is also worth noting that PoisonX is one of eight drivers used by operators of The Gentlemen ransomware-as-a-service scheme in its custom GentleKiller tool — indicating the driver is gaining traction across multiple criminal operations, not just a single threat actor.

The PoisonX Driver and the BYOVD Escalation

Broadcom described the broader BYOVD threat in stark terms. "The most common action is to kill the processes belonging to antivirus or endpoint detection and response products stripping the machine of its defenses. Some variants are more subtle. Attackers may strip the security agent of the rights it needs to function correctly leaving it running but unable to act."

This technique — leaving security tools technically running but functionally blind — is particularly insidious. It can delay detection and give attackers additional time to move laterally across a network. From a defender's perspective, an EDR console that appears healthy while the underlying agent has been silently hobbled is arguably more dangerous than one that has gone offline entirely, because it creates a false sense of security.

Understanding why endpoint security is critical to your organisation's defenses has never been more relevant given the precise and deliberate manner in which GodDamn targets and dismantles those protections before executing its payload.

How the Attack Unfolds: From Initial Access to Encryption

Credential Harvesting and Defense Evasion

In one documented attack from early June 2026, threat actors leveraged AnyDesk for remote access and deployed a NirSoft-based credential harvesting toolkit before releasing the ransomware payload. The exact initial access vector remains unknown.

The credential harvester targeted a broad range of sensitive data sources:

  • Common web browsers and Windows Credential Manager
  • Cached domain credentials and VNC sessions
  • Email clients and Wi-Fi profiles
  • Live network traffic

Attackers also used a user-mode defense evasion tool disguised as a legitimate Symantec product file named "symantec.exe." Combined with the PoisonX kernel driver filed as "g11.sys", the two tools worked in tandem to strip machines of their security layers before the ransomware executed. The use of a filename that impersonates a trusted security vendor is a deliberate social engineering tactic at the system level — designed to reduce the likelihood that an administrator reviewing running processes would flag the file for investigation.

How the Ransomware Spread Across an Organisation

Following the initial compromise, attackers used PsExec to facilitate lateral movement across the network. They then installed AnyDesk on each reachable host and registered it as an auto-start Windows service to ensure persistence across reboots.

On some machines, a PowerShell script pre-staged on the system drive handled the entire AnyDesk setup, suggesting the group used a reusable installer to streamline deployment at scale. "After completing the AnyDesk setup on each host the attackers terminated the running AnyDesk process, waited briefly, then rebooted the machine," Symantec reported.

By the end of June 2, this deployment sequence had been repeated across at least 10 hosts within the targeted organisation. GodDamn ransomware was first detected on June 3 on a separate network segment associated with a distinct organisational unit. In that instance, files were renamed using the victim's name as the extension rather than the ".God8Damn" extension observed in other Hyadina-linked attacks.

According to a separate report from CYFIRMA, the ransom note instructs victims to contact the attackers via email or the qTox encrypted messaging app.

What Security Teams and Business Leaders Should Do Now

Practical Steps to Reduce Exposure

"GodDamn's use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group, indicating that Hyadina is continuing to actively develop its ransomware and its capabilities," Symantec concluded.

The discovery of GodDamn is a sharp reminder that ransomware groups are not static. These operators continuously retool their arsenals to outpace the defenses arrayed against them — and the gap between attacker capability and defender awareness is where the most damage occurs.

Security teams and business leaders can draw several practical lessons from this incident. Given that kernel-level drivers represent one of the most dangerous categories of malicious software due to their privileged access to the operating system, organisations should treat any unrecognised driver running in their environment as a high-priority investigation.

The following actions are worth prioritising:

  1. Audit all kernel-level drivers running in your environment and cross-reference them against known vulnerable or malicious driver lists, including the Living Off The Land Drivers (LOLDrivers) project, which maintains a community-sourced database of drivers abused in attacks.
  2. Enforce least-privilege access policies to limit the administrator-level access that BYOVD attacks depend on. Restricting which accounts can load kernel drivers is one of the most effective mitigations available.
  3. Monitor for unusual remote access tool deployments, particularly AnyDesk or similar tools being registered as Windows services. This behaviour is a strong early warning indicator of a ransomware intrusion in progress.
  4. Enable Microsoft's Vulnerable Driver Blocklist, which is built into Windows Security and can be enforced through Windows Defender Application Control (WDAC) policies.
  5. Treat impersonation filenames seriously. Files masquerading as security vendor executables — particularly in unusual directories — warrant immediate investigation regardless of whether they trigger an alert.

The Broader Takeaway for Organisations

The GodDamn campaign illustrates a maturation in attacker methodology that moves well beyond opportunistic ransomware deployment. The combination of a Microsoft-signed malicious driver, systematic credential harvesting, and infrastructure pre-staging across an entire network reflects a threat actor operating with both technical sophistication and operational patience. Defenders who rely solely on signature-based detection or assume that signed drivers are safe will find those assumptions increasingly exploited.

Organisations that have not yet reviewed their kernel driver policies, remote access monitoring, and EDR validation processes should treat this disclosure as a prompt to do so.

You might also like