Researchers from Symantec have uncovered a new ransomware operation dubbed GodDamn, identifying it as the latest evolution of the Beast and Monster ransomware families developed by a threat actor they track as Hyadina. The most alarming aspect of this new strain is its method for evading defenses: it deploys a custom, malicious kernel driver named PoisonX that has been legitimately signed by Microsoft. This allows the attackers to terminate endpoint detection and response (EDR) processes from the kernel level, effectively blinding security solutions before encrypting files. This tactic, a variation of a 'bring-your-own-vulnerable-driver' (BYOVD) attack, represents a significant escalation in ransomware capabilities and poses a grave threat to organizations.
The GodDamn ransomware, first seen in May 2026, is the latest iteration from the Hyadina threat actor. The operation's standout feature is the use of the g11.sys driver, which they've named PoisonX. This is not a case of exploiting a vulnerability in a legitimate third-party driver; it is a purpose-built malicious driver that the attackers successfully submitted to and had signed by Microsoft's driver signing program. This allows the driver to be loaded into the Windows kernel without triggering security warnings.
Once loaded, the ransomware uses the driver to send specially crafted I/O control (IOCTL) requests to terminate the processes of security products, such as CrowdStrike Falcon. This defense evasion technique, T1562.001 - Impair Defenses: Disable or Modify Tools, is highly effective because the termination command comes from the trusted kernel space, bypassing user-mode protections.
The attack chain observed by Symantec is methodical:
T1219 - Remote Access Software.T1003 - OS Credential Dumping). This toolkit targets credentials from web browsers, Windows Credential Manager, VNC sessions, and email clients.PoisonX driver (g11.sys) is dropped and loaded. The ransomware executable then communicates with this driver to kill EDR and antivirus processes.T1486 - Data Encrypted for Impact). Encrypted files are appended with extensions like .God8Damn or a victim-specific name.This use of a signed malicious driver is a significant evolution from typical BYOVD attacks, which rely on finding and exploiting flaws in existing, legitimate drivers. Here, the attackers have weaponized the trust model of Microsoft's own driver signing process.
The use of a signed kernel driver to disable security tools makes this ransomware strain particularly dangerous. Organizations that rely solely on EDR/antivirus for protection are left completely vulnerable once the driver is executed. The attack effectively renders the primary defense mechanism inert, guaranteeing the success of the encryption phase. This forces a complete reliance on secondary controls like backups and network segmentation. The incident also puts pressure on Microsoft to tighten its driver signing verification process to prevent malicious code from receiving a stamp of legitimacy.
g11.sys (PoisonX driver)Security teams should hunt for the following patterns:
g11.sysAnyDesk.exeC:\Users\Public\) can indicate malicious use..sys file).sc create ... type= kernelD3-DLIC: Driver Load Integrity Checking.AnyDesk.exe execution, followed by credential dumping tool activity (e.g., NirSoft tools), followed by the creation of a new kernel service. This chain is a strong indicator of this specific attack.g11.sys driver and related malicious processes, even if endpoint tools have been terminated.PoisonX driver, even if it is signed, if it's not on your allowlist. This is a direct implementation of D3-EAL: Executable Allowlisting.Use application control policies like WDAC to restrict which drivers can be loaded, preventing malicious drivers like PoisonX from running.
Monitor for suspicious chains of behavior, such as remote access software launching credential dumpers, which can indicate an attack in progress.
Mapped D3FEND Techniques:
Audit and alert on the installation of new kernel-mode drivers to quickly identify suspicious activity.
Mapped D3FEND Techniques:
Block unauthorized remote access software like AnyDesk from running in the environment.
Mapped D3FEND Techniques:
The most effective defense against the GodDamn ransomware's core tactic is to implement a strict driver and application allowlisting policy using a tool like Windows Defender Application Control (WDAC). Since the malicious 'PoisonX' driver is legitimately signed by Microsoft, signature-based blocking is ineffective. However, a WDAC policy configured in enforcement mode would prevent this unknown driver from loading because it would not be on the pre-approved list of drivers for the organization. This 'default-deny' posture is crucial. Security teams would need to build and maintain a catalog of all legitimate drivers and software required for business operations (a 'golden image'). While this requires a significant upfront investment in testing and maintenance, it provides a powerful defense that would have stopped this attack vector completely, preventing the EDR from being disabled and allowing it to detect and block the subsequent ransomware execution.
Organizations should implement enhanced monitoring focused on driver loading events. This goes beyond just checking for valid signatures. Security teams should use their SIEM and EDR to monitor Windows System Event Logs (specifically Event ID 7045 for new service installation and driver load events) and correlate this data. Create alerts for any new kernel-mode driver that is loaded if it is not on a pre-vetted list of known good drivers. The alert should be high-priority if the driver is signed by a publisher that has never been seen in the environment before. While the 'PoisonX' driver is signed by Microsoft, its specific certificate and attributes would be novel. This monitoring provides a critical detection opportunity at the exact moment the attacker attempts to deploy their defense evasion tool, allowing for rapid incident response to isolate the host before the EDR is terminated and encryption begins.
GodDamn ransomware is first observed in the wild.
Symantec begins investigating a detailed attack chain involving the ransomware.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.