New GodDamn Ransomware Leverages PoisonX Kernel Driver for Defense Evasion
A new ransomware strain, dubbed **GodDamn**, has emerged in the cyber threat landscape, raising concerns among security professionals. This sophisticated malware actively employs the PoisonX kernel driver, a powerful tool designed to neutralize endpoint security software, as a core part of its defense evasion strategy. The discovery highlights the evolving tactics of cybercriminals aiming to disable protective measures before deploying their destructive payloads.
The GodDamn ransomware was first publicly observed in the wild on May 21, 2026, according to a recent report from Symantec’s Threat Hunter Team. Security researchers assess it to be a rebranded version of the Beast ransomware, which itself was an evolution of the Monster ransomware family, first identified in March 2022. Symantec, a division of Broadcom, is investigating the developer behind these related ransomware families, identified by the moniker Hyadina. This ongoing activity underscores the persistent threat posed by sophisticated ransomware operations.
Malware Tactics and Delivery Mechanisms
In a notable attack observed in early June 2026, threat actors utilizing GodDamn ransomware reportedly gained initial access through AnyDesk for remote operations. Prior to deploying the ransomware, they utilized a credential harvesting toolkit based on NirSoft utilities. This toolkit is designed to extract sensitive information from various sources, including web browsers, Windows Credential Manager, cached domain credentials, VNC sessions, email clients, Wi-Fi profiles, and live network traffic, providing attackers with extensive access and potential credentials.
Further bolstering their defense evasion, the attackers deployed a user-mode tool masquerading as a Symantec product (“symantec.exe”). Crucially, they also employed the PoisonX kernel driver (“g11.sys”). This driver is a key component in a Bring Your Own Vulnerable Driver (BYOVD) attack, enabling the neutralization of endpoint detection and response (EDR) and antivirus (AV) solutions.
The Symantec Threat Hunter Team noted the particular significance of the PoisonX driver. “However, the PoisonX driver seems to be slightly more unusual, in that it appears to be a malicious driver that its developers succeeded in getting signed by Microsoft, and it is now being used by ransomware attackers,” the team stated in their report. A Microsoft-signed driver is automatically trusted and loaded by Windows, making it a highly effective tool for attackers seeking to bypass security controls.
The use of vulnerable, but signed, drivers is a growing concern in the cybersecurity community. Broadcom highlighted last month that these drivers offer “the attacker’s most reliable route in.” Once administrator privileges are obtained, attackers can install a flawed, yet validly signed, driver. This allows them to disable security software by terminating their processes, stripping them of necessary rights, or even tampering with kernel records to render security products blind to ongoing malicious activity.
Beyond the defense evasion, the attackers facilitated lateral movement within the victim’s network using PsExec. They subsequently established persistent access by installing AnyDesk on compromised hosts and configuring it to launch automatically after reboots. In some instances, a pre-staged PowerShell script was used to automate the AnyDesk deployment, suggesting the use of reusable installation tools to accelerate the compromise process.
Following the AnyDesk setup, attackers reportedly terminated the running AnyDesk process, waited, and then rebooted the affected machines. This sequence was repeated across at least 10 hosts within the targeted organization by early June 2026, according to Symantec’s findings.
GodDamn Ransomware Variant and Future Outlook
The GodDamn ransomware itself was first detected on June 3, impacting a separate network segment within the same organization. Interestingly, this variant altered filenames by appending the victim’s name as the extension, deviating from the “.God8Damn” extension previously observed in other Hyadina-associated attacks. This suggests potential variation or development within the ransomware family itself.
The ransom note left by the attackers directs victims to establish contact via email or the qTox encrypted messaging application. This communication channel is typical for ransomware groups seeking to negotiate terms for file decryption.
The integration of the PoisonX driver by the GodDamn ransomware signifies an escalation in the Hyadina group’s offensive capabilities. “GodDamn’s use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group, indicating that Hyadina is continuing to actively develop its ransomware and its capabilities,” the cybersecurity company concluded. The continued development and adaptation of ransomware tactics, particularly the increasing reliance on sophisticated kernel-level exploits like PoisonX, indicates that organizations must remain vigilant and continuously update their endpoint security and threat detection strategies.

