The GodDamn ransomware has emerged as a formidable threat in the cybersecurity landscape, utilizing the PoisonX kernel driver to undermine security software. This strategy allows it to evade defenses effectively, according to a recent Symantec Threat Hunter Team report.
Background and Development
Initially detected in the wild on May 21, 2026, GodDamn ransomware is believed to be a rebranded version of the older Beast ransomware, itself a successor of Monster, which first appeared in March 2022. The developer behind these evolving ransomware families, identified as Hyadina, is under scrutiny by Broadcom’s cybersecurity branch.
In a noted attack in early June 2026, threat actors used AnyDesk for remote access and employed a NirSoft-based toolkit to harvest credentials before deploying the ransomware. The method of initial system access remains unclear. The toolkit is adept at extracting sensitive information from various sources, including web browsers, Windows Credential Manager, and live network traffic.
Exploitation Tactics
A significant aspect of the attack involves a user-mode tool masquerading as a Symantec product and the PoisonX driver to deactivate endpoint defenses through a bring your own vulnerable driver (BYOVD) approach. The PoisonX driver is particularly noteworthy for being signed by Microsoft, which enhances its ability to bypass security measures.
This driver is also part of The Gentlemen ransomware-as-a-service (RaaS) arsenal, which provides affiliates with tools to disable system defenses before encryption. Attackers exploit signed drivers to infiltrate systems, as they are automatically loaded by Windows, facilitating the neutralization of antivirus and endpoint detection processes.
Attack Execution and Impact
The attack strategy includes using PsExec for lateral movement, establishing AnyDesk on accessible hosts, and setting it as an auto-start service to maintain persistence. In some instances, the AnyDesk installation is automated using a PowerShell script pre-deployed on the system, indicating a streamlined attack process.
The operation concluded with the ransomware detected on a separate network segment by June 3, affecting files by renaming them with the victim’s name as extensions. CYFIRMA reported that the ransom note directs victims to contact the attackers via email or the qTox encrypted messaging app.
GodDamn’s use of the PoisonX driver signifies a notable advancement in evasion tactics, reflecting Hyadina’s ongoing efforts to enhance its ransomware’s capabilities, as stated by cybersecurity experts.
