A new ransomware variant dubbed GodDamn has been observed in the wild, representing a significant evolution of the Hyadina ransomware family. This threat is distinguished by its use of a malicious kernel driver named PoisonX, which possesses a valid Microsoft Windows Hardware Compatibility Publisher signature. This 'Bring Your Own Vulnerable Driver' (BYOVD) technique allows the attackers to terminate endpoint detection and response (EDR) and antivirus processes from the kernel level, effectively blinding security solutions before encryption. The attack chain involves the use of legitimate remote access software for persistence, followed by privilege escalation and lateral movement using common post-exploitation tools. This campaign highlights a growing trend of ransomware actors adopting advanced evasion techniques to overcome modern security defenses.
The GodDamn ransomware, first detected in May 2026, is the latest iteration of the Hyadina family, which includes previous versions known as Beast and Monster. According to research from Symantec, the threat actors gain initial access through unconfirmed means, though compromised accounts are the likely vector. Once inside a network, they deploy AnyDesk remote desktop software, often hidden in a folder named Music, to establish persistent outbound communication with their command and control (C2) infrastructure.
The core of the attack is the deployment of the PoisonX kernel driver. The attackers execute a dropper, disguised as a legitimate Symantec product, which installs the signed driver. It is currently unknown how the attackers obtained the Microsoft signature, but possibilities include compromising a legitimate developer's signing certificate or abusing flaws in the WHCP submission process. Once the driver is loaded, it is used to programmatically terminate the processes and services of various security products, rendering them useless.
With defenses down, the attackers deploy a suite of post-exploitation tools, including NirSoft utilities and Mimikatz, to harvest credentials, steal browser cookies, and move laterally to other systems, including domain controllers. After gaining administrative control over the network, the GodDamn ransomware payload is executed, encrypting files and leaving a ransom note.
The attack follows a multi-stage process, leveraging both legitimate tools and custom malware.
T1219 - Remote Support Software.PoisonX driver. The driver is signed by Microsoft, allowing it to be loaded into the kernel without raising flags. This technique, known as 'Bring Your Own Vulnerable Driver' (BYOVD), is a form of T1547.006 - Kernel Modules and Extensions. The driver's primary function is to terminate security processes, a direct implementation of T1562.001 - Impair Defenses: Disable or Modify Tools.T1003.001 - OS Credential Dumping: LSASS Memory. NirSoft tools are used for broader discovery and information gathering.T1021 - Remote Services.T1486 - Data Encrypted for Impact.The use of a legitimately signed malicious driver is a game-changer for evasion. It bypasses many standard endpoint protection controls that trust code signed by major vendors like Microsoft. This forces defenders to shift focus from signature-based detection to behavioral monitoring and driver load analysis.
The business impact of a GodDamn ransomware attack is severe. The disabling of security tools means that the infection can spread widely and remain undetected until the final encryption stage, maximizing damage. Organizations can expect significant operational disruption, data loss, and financial costs associated with recovery and ransom negotiation. The theft of credentials and other sensitive data using tools like Mimikatz also introduces the risk of a double-extortion scenario, where attackers threaten to leak stolen data if the ransom is not paid. Recovery is complicated by the need to not only restore data from backups but also to completely rebuild trust in the environment, as administrative credentials will have been compromised.
No specific file hashes, IP addresses, or domains were provided in the source articles.
Security teams can hunt for related activity by looking for the following patterns:
anydesk.exeC:\Windows\System32\drivers\PoisonX.sys4688 (Windows Security Log)anydesk.exe process creation with suspicious parent processes.7045 (Windows System Log)PoisonX driver service.mimikatz.exesekurlsa::logonpasswords.Detecting this threat requires a defense-in-depth approach that does not solely rely on EDR/AV process checks.
601 in the Code Integrity log). Any newly loaded driver, especially one not on a pre-approved list, should be investigated. Enable and monitor D3FEND's Driver Load Integrity Checking (D3-DLIC).lsass.exe process from non-standard processes.PoisonX from being loaded, even if they are signed. This is a form of D3FEND's Executable Allowlisting (D3-EAL).New mitigation strategies, including Microsoft's vulnerable driver blocklist, and refined hunting hints for GodDamn ransomware have been identified.
While the attacker used a signed driver, enforcing a strict policy of which signers are trusted (via WDAC) can mitigate this.
Use application control policies to prevent the execution of unauthorized remote access tools and droppers.
Enable tamper protection on security software to prevent or alert on termination attempts.
Limit the use of administrative credentials to prevent widespread lateral movement and credential dumping.
Implement strict driver load policies using Windows Defender Application Control (WDAC). Instead of trusting all Microsoft-signed drivers, create an allowlist based on known, legitimate drivers required for your specific hardware and software environment. This 'golden image' driver set should be the only one permitted to load. Monitor Windows Code Integrity event logs (Event ID 3077) for any attempts to load unsigned or non-allowlisted drivers. This shifts the defense from trusting a broad signature authority to trusting only what is explicitly approved for your environment, directly countering the BYOVD technique used by the GodDamn ransomware.
Configure EDR and SIEM solutions to detect and alert on anomalous process interactions, specifically focusing on attempts to access or terminate security agent processes. Create high-severity alerts for any non-system process (e.g., svchost.exe, wininit.exe) that attempts to interact with the memory space of EDR/AV processes (e.g., MsMpEng.exe, SentinelAgent.exe). While the kernel driver may ultimately succeed, the initial user-mode attempt by the dropper to disable security should be caught. This behavioral rule provides an early warning signal before the primary defenses are fully compromised.
Deploy application allowlisting to restrict the execution of unauthorized remote access tools like AnyDesk. Create policies that only permit company-approved remote support software to run. Any attempt to execute anydesk.exe or similar tools that are not on the allowlist should be blocked and trigger an immediate security alert. This mitigation is highly effective at preventing the persistence and command-and-control stage of the attack, containing the threat before the malicious driver can be deployed.
GodDamn ransomware first appears in the wild.
Symantec publishes a report detailing the GodDamn ransomware's TTPs.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.