GodDamn Ransomware, a Rebrand of Beast, Uses Signed 'PoisonX' Driver to Terminate Endpoint Security

GodDamn Ransomware Deploys Microsoft-Signed 'PoisonX' Driver to Blindside EDR

CRITICAL
July 9, 2026
5m read
RansomwareMalwareThreat Actor

Related Entities

Threat Actors

Hyadina

Organizations

Products & Tech

Other

GodDamnBeastMonsterPoisonXNirSoft

Full Report

Executive Summary

Researchers from Symantec have uncovered a new ransomware operation dubbed GodDamn, identifying it as the latest evolution of the Beast and Monster ransomware families developed by a threat actor they track as Hyadina. The most alarming aspect of this new strain is its method for evading defenses: it deploys a custom, malicious kernel driver named PoisonX that has been legitimately signed by Microsoft. This allows the attackers to terminate endpoint detection and response (EDR) processes from the kernel level, effectively blinding security solutions before encrypting files. This tactic, a variation of a 'bring-your-own-vulnerable-driver' (BYOVD) attack, represents a significant escalation in ransomware capabilities and poses a grave threat to organizations.

Threat Overview

The GodDamn ransomware, first seen in May 2026, is the latest iteration from the Hyadina threat actor. The operation's standout feature is the use of the g11.sys driver, which they've named PoisonX. This is not a case of exploiting a vulnerability in a legitimate third-party driver; it is a purpose-built malicious driver that the attackers successfully submitted to and had signed by Microsoft's driver signing program. This allows the driver to be loaded into the Windows kernel without triggering security warnings.

Once loaded, the ransomware uses the driver to send specially crafted I/O control (IOCTL) requests to terminate the processes of security products, such as CrowdStrike Falcon. This defense evasion technique, T1562.001 - Impair Defenses: Disable or Modify Tools, is highly effective because the termination command comes from the trusted kernel space, bypassing user-mode protections.

Technical Analysis

The attack chain observed by Symantec is methodical:

  1. Initial Access & Remote Control: The attackers gain remote access using AnyDesk, which they often install in a non-standard location to avoid detection and configure for persistence. This aligns with T1219 - Remote Access Software.
  2. Credential Harvesting: They deploy a toolkit based on NirSoft utilities to perform extensive credential theft (T1003 - OS Credential Dumping). This toolkit targets credentials from web browsers, Windows Credential Manager, VNC sessions, and email clients.
  3. Defense Evasion: The core of the operation. The PoisonX driver (g11.sys) is dropped and loaded. The ransomware executable then communicates with this driver to kill EDR and antivirus processes.
  4. Impact: With defenses disabled, the ransomware proceeds to encrypt files across the system and network shares (T1486 - Data Encrypted for Impact). Encrypted files are appended with extensions like .God8Damn or a victim-specific name.

This use of a signed malicious driver is a significant evolution from typical BYOVD attacks, which rely on finding and exploiting flaws in existing, legitimate drivers. Here, the attackers have weaponized the trust model of Microsoft's own driver signing process.

Impact Assessment

The use of a signed kernel driver to disable security tools makes this ransomware strain particularly dangerous. Organizations that rely solely on EDR/antivirus for protection are left completely vulnerable once the driver is executed. The attack effectively renders the primary defense mechanism inert, guaranteeing the success of the encryption phase. This forces a complete reliance on secondary controls like backups and network segmentation. The incident also puts pressure on Microsoft to tighten its driver signing verification process to prevent malicious code from receiving a stamp of legitimacy.

IOCs — Directly from Articles

  • File Name: g11.sys (PoisonX driver)

Cyber Observables — Hunting Hints

Security teams should hunt for the following patterns:

Type
File Name
Value
g11.sys
Description
The name of the malicious PoisonX driver. Its presence on any system is a critical indicator of compromise.
Type
Certificate Subject
Value
(Suspicious/Unknown Publisher)
Description
Monitor for newly loaded drivers signed by infrequent or unknown publishers, even if the signature is valid.
Type
Process Name
Value
AnyDesk.exe
Description
The presence of AnyDesk running from unusual paths (e.g., C:\Users\Public\) can indicate malicious use.
Type
Event ID
Value
7045 (System Log)
Description
A new service was installed. Correlate this with the loading of a new driver (.sys file).
Type
Command Line Pattern
Value
sc create ... type= kernel
Description
Command to create a new kernel driver service. Monitor for this activity outside of legitimate software installations.

Detection & Response

  • Driver Load Monitoring: Enable and monitor logs related to driver loading (e.g., System Log Event IDs 7045, 600). Use a SIEM to alert on the loading of new, unsigned, or suspiciously signed drivers. This is a form of D3-DLIC: Driver Load Integrity Checking.
  • Tamper Protection: Ensure that the tamper protection features of your EDR/antivirus solution are enabled and configured to their highest level. While kernel-level attacks can bypass some of these, they can still provide some resistance or at least generate alerts.
  • Behavioral Monitoring: Look for the sequence of behaviors: AnyDesk.exe execution, followed by credential dumping tool activity (e.g., NirSoft tools), followed by the creation of a new kernel service. This chain is a strong indicator of this specific attack.
  • Memory Analysis: In a suspected compromise, memory analysis may be able to identify the loaded g11.sys driver and related malicious processes, even if endpoint tools have been terminated.

Mitigation

  • Application Control: Use application control solutions like Windows Defender Application Control (WDAC) to create a policy that only allows known, trusted drivers to be loaded. This can block the execution of the PoisonX driver, even if it is signed, if it's not on your allowlist. This is a direct implementation of D3-EAL: Executable Allowlisting.
  • Restrict Remote Access Software: Block the use of remote access tools like AnyDesk on corporate networks, except for specific, authorized use cases. Use corporate-managed remote access solutions that are centrally logged and monitored.
  • Credential Protection: Implement measures to protect credentials, such as Windows Credential Guard, to make it harder for tools like NirSoft to dump passwords from memory.
  • Immutable Backups: As with all ransomware, having offline, immutable backups is the ultimate safety net, ensuring you can restore data without paying the ransom.

Timeline of Events

1
May 21, 2026
GodDamn ransomware is first observed in the wild.
2
May 29, 2026
Symantec begins investigating a detailed attack chain involving the ransomware.
3
July 9, 2026
This article was published

MITRE ATT&CK Mitigations

Use application control policies like WDAC to restrict which drivers can be loaded, preventing malicious drivers like PoisonX from running.

Mapped D3FEND Techniques:

Monitor for suspicious chains of behavior, such as remote access software launching credential dumpers, which can indicate an attack in progress.

Mapped D3FEND Techniques:

Audit

M1047enterprise

Audit and alert on the installation of new kernel-mode drivers to quickly identify suspicious activity.

Mapped D3FEND Techniques:

Block unauthorized remote access software like AnyDesk from running in the environment.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

The most effective defense against the GodDamn ransomware's core tactic is to implement a strict driver and application allowlisting policy using a tool like Windows Defender Application Control (WDAC). Since the malicious 'PoisonX' driver is legitimately signed by Microsoft, signature-based blocking is ineffective. However, a WDAC policy configured in enforcement mode would prevent this unknown driver from loading because it would not be on the pre-approved list of drivers for the organization. This 'default-deny' posture is crucial. Security teams would need to build and maintain a catalog of all legitimate drivers and software required for business operations (a 'golden image'). While this requires a significant upfront investment in testing and maintenance, it provides a powerful defense that would have stopped this attack vector completely, preventing the EDR from being disabled and allowing it to detect and block the subsequent ransomware execution.

Organizations should implement enhanced monitoring focused on driver loading events. This goes beyond just checking for valid signatures. Security teams should use their SIEM and EDR to monitor Windows System Event Logs (specifically Event ID 7045 for new service installation and driver load events) and correlate this data. Create alerts for any new kernel-mode driver that is loaded if it is not on a pre-vetted list of known good drivers. The alert should be high-priority if the driver is signed by a publisher that has never been seen in the environment before. While the 'PoisonX' driver is signed by Microsoft, its specific certificate and attributes would be novel. This monitoring provides a critical detection opportunity at the exact moment the attacker attempts to deploy their defense evasion tool, allowing for rapid incident response to isolate the host before the EDR is terminated and encryption begins.

Timeline of Events

1
May 21, 2026

GodDamn ransomware is first observed in the wild.

2
May 29, 2026

Symantec begins investigating a detailed attack chain involving the ransomware.

Sources & References

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

RansomwareGodDamnHyadinaPoisonXBYOVDEDRMalwareMicrosoft

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.