'GodDamn' Ransomware: New Variant of Hyadina Family Bypasses EDR with Signed Malicious Driver

New 'GodDamn' Ransomware Disables Security Using Signed Microsoft Driver

CRITICAL
July 10, 2026
July 11, 2026
6m read
RansomwareMalwareThreat Actor

Related Entities(initial)

Threat Actors

Hyadina

Organizations

Microsoft Symantec

Products & Tech

AnyDeskNirSoftMimikatz

Other

GodDamnBeastMonsterPoisonX

Full Report(when first published)

Executive Summary

A new ransomware variant dubbed GodDamn has been observed in the wild, representing a significant evolution of the Hyadina ransomware family. This threat is distinguished by its use of a malicious kernel driver named PoisonX, which possesses a valid Microsoft Windows Hardware Compatibility Publisher signature. This 'Bring Your Own Vulnerable Driver' (BYOVD) technique allows the attackers to terminate endpoint detection and response (EDR) and antivirus processes from the kernel level, effectively blinding security solutions before encryption. The attack chain involves the use of legitimate remote access software for persistence, followed by privilege escalation and lateral movement using common post-exploitation tools. This campaign highlights a growing trend of ransomware actors adopting advanced evasion techniques to overcome modern security defenses.


Threat Overview

The GodDamn ransomware, first detected in May 2026, is the latest iteration of the Hyadina family, which includes previous versions known as Beast and Monster. According to research from Symantec, the threat actors gain initial access through unconfirmed means, though compromised accounts are the likely vector. Once inside a network, they deploy AnyDesk remote desktop software, often hidden in a folder named Music, to establish persistent outbound communication with their command and control (C2) infrastructure.

The core of the attack is the deployment of the PoisonX kernel driver. The attackers execute a dropper, disguised as a legitimate Symantec product, which installs the signed driver. It is currently unknown how the attackers obtained the Microsoft signature, but possibilities include compromising a legitimate developer's signing certificate or abusing flaws in the WHCP submission process. Once the driver is loaded, it is used to programmatically terminate the processes and services of various security products, rendering them useless.

With defenses down, the attackers deploy a suite of post-exploitation tools, including NirSoft utilities and Mimikatz, to harvest credentials, steal browser cookies, and move laterally to other systems, including domain controllers. After gaining administrative control over the network, the GodDamn ransomware payload is executed, encrypting files and leaving a ransom note.


Technical Analysis

The attack follows a multi-stage process, leveraging both legitimate tools and custom malware.

  1. Initial Access & Persistence: The initial vector is unconfirmed. After access, attackers deploy AnyDesk for remote control and persistence. This is a common use of T1219 - Remote Support Software.
  2. Defense Evasion: This is the most critical phase. The threat actor executes a dropper that installs the PoisonX driver. The driver is signed by Microsoft, allowing it to be loaded into the kernel without raising flags. This technique, known as 'Bring Your Own Vulnerable Driver' (BYOVD), is a form of T1547.006 - Kernel Modules and Extensions. The driver's primary function is to terminate security processes, a direct implementation of T1562.001 - Impair Defenses: Disable or Modify Tools.
  3. Credential Access & Discovery: With security tools disabled, the attackers use Mimikatz to perform credential dumping, specifically targeting LSASS memory via T1003.001 - OS Credential Dumping: LSASS Memory. NirSoft tools are used for broader discovery and information gathering.
  4. Lateral Movement: Using the stolen credentials, attackers move to other systems on the network, likely using protocols like RDP or SMB, aligning with T1021 - Remote Services.
  5. Impact: The final stage is the execution of the GodDamn ransomware payload, which encrypts files across accessible network shares, corresponding to T1486 - Data Encrypted for Impact.

The use of a legitimately signed malicious driver is a game-changer for evasion. It bypasses many standard endpoint protection controls that trust code signed by major vendors like Microsoft. This forces defenders to shift focus from signature-based detection to behavioral monitoring and driver load analysis.


Impact Assessment

The business impact of a GodDamn ransomware attack is severe. The disabling of security tools means that the infection can spread widely and remain undetected until the final encryption stage, maximizing damage. Organizations can expect significant operational disruption, data loss, and financial costs associated with recovery and ransom negotiation. The theft of credentials and other sensitive data using tools like Mimikatz also introduces the risk of a double-extortion scenario, where attackers threaten to leak stolen data if the ransom is not paid. Recovery is complicated by the need to not only restore data from backups but also to completely rebuild trust in the environment, as administrative credentials will have been compromised.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for related activity by looking for the following patterns:

Type
Process Name
Value
anydesk.exe
Description
Look for execution from unusual paths, such as a 'Music' folder or temporary directories.
Type
File Path
Value
C:\Windows\System32\drivers\PoisonX.sys
Description
Hypothetical path for the malicious driver. Monitor for any new, non-standard driver files being written and loaded.
Type
Event ID
Value
4688 (Windows Security Log)
Description
Monitor for anydesk.exe process creation with suspicious parent processes.
Type
Event ID
Value
7045 (Windows System Log)
Description
A new service was installed. Correlate with the installation of the PoisonX driver service.
Type
Command Line Pattern
Value
mimikatz.exe
Description
Monitor command line arguments for signs of credential dumping commands like sekurlsa::logonpasswords.

Detection & Response

Detecting this threat requires a defense-in-depth approach that does not solely rely on EDR/AV process checks.

  1. Driver Monitoring: Implement strict monitoring of driver loading events (Windows Event ID 601 in the Code Integrity log). Any newly loaded driver, especially one not on a pre-approved list, should be investigated. Enable and monitor D3FEND's Driver Load Integrity Checking (D3-DLIC).
  2. Behavioral Analysis: Use an EDR in 'block' mode for suspicious behaviors. Monitor for processes attempting to terminate security tools. Even if the termination succeeds, the initial attempt should generate a high-priority alert. This aligns with D3FEND's Process Analysis (D3-PA).
  3. Remote Access Tool Auditing: Monitor for the installation and execution of any remote access software like AnyDesk, TeamViewer, or ScreenConnect. Use application control to block unauthorized remote access tools.
  4. Credential Dumping Detection: Enable Credential Guard on Windows systems to protect LSASS. Monitor for direct access to the lsass.exe process from non-standard processes.

Mitigation

  1. Application Control: Use technologies like AppLocker or Windows Defender Application Control (WDAC) to create a list of approved drivers. This can prevent malicious drivers like PoisonX from being loaded, even if they are signed. This is a form of D3FEND's Executable Allowlisting (D3-EAL).
  2. Privileged Access Management (PAM): Strictly control and monitor the use of administrative accounts. Implement just-in-time (JIT) access to reduce the window of opportunity for attackers with compromised credentials.
  3. Network Segmentation: Segment networks to prevent lateral movement. A workstation compromise should not easily lead to a domain controller compromise. This aligns with D3FEND's Network Isolation (D3-NI).
  4. Endpoint Hardening: Configure EDR and antivirus solutions with tamper protection enabled to make it more difficult for processes to be terminated.

Timeline of Events

1
May 1, 2026
GodDamn ransomware first appears in the wild.
2
July 9, 2026
Symantec publishes a report detailing the GodDamn ransomware's TTPs.
3
July 10, 2026
This article was published

Article Updates

July 11, 2026

New mitigation strategies, including Microsoft's vulnerable driver blocklist, and refined hunting hints for GodDamn ransomware have been identified.

MITRE ATT&CK Mitigations

While the attacker used a signed driver, enforcing a strict policy of which signers are trusted (via WDAC) can mitigate this.

Use application control policies to prevent the execution of unauthorized remote access tools and droppers.

Enable tamper protection on security software to prevent or alert on termination attempts.

Limit the use of administrative credentials to prevent widespread lateral movement and credential dumping.

D3FEND Defensive Countermeasures

Implement strict driver load policies using Windows Defender Application Control (WDAC). Instead of trusting all Microsoft-signed drivers, create an allowlist based on known, legitimate drivers required for your specific hardware and software environment. This 'golden image' driver set should be the only one permitted to load. Monitor Windows Code Integrity event logs (Event ID 3077) for any attempts to load unsigned or non-allowlisted drivers. This shifts the defense from trusting a broad signature authority to trusting only what is explicitly approved for your environment, directly countering the BYOVD technique used by the GodDamn ransomware.

Configure EDR and SIEM solutions to detect and alert on anomalous process interactions, specifically focusing on attempts to access or terminate security agent processes. Create high-severity alerts for any non-system process (e.g., svchost.exe, wininit.exe) that attempts to interact with the memory space of EDR/AV processes (e.g., MsMpEng.exe, SentinelAgent.exe). While the kernel driver may ultimately succeed, the initial user-mode attempt by the dropper to disable security should be caught. This behavioral rule provides an early warning signal before the primary defenses are fully compromised.

Deploy application allowlisting to restrict the execution of unauthorized remote access tools like AnyDesk. Create policies that only permit company-approved remote support software to run. Any attempt to execute anydesk.exe or similar tools that are not on the allowlist should be blocked and trigger an immediate security alert. This mitigation is highly effective at preventing the persistence and command-and-control stage of the attack, containing the threat before the malicious driver can be deployed.

Timeline of Events

1
May 1, 2026

GodDamn ransomware first appears in the wild.

2
July 9, 2026

Symantec publishes a report detailing the GodDamn ransomware's TTPs.

Sources & References(when first published)

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

GodDamn RansomwareHyadinaPoisonXBYOVDKernel DriverDefense EvasionRansomwareMimikatz

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.