GodDamn ransomware uses the signed PoisonX driver to disable security tools, marking a more advanced version of the Beast ransomware family.Symantec’s Threat Hunter Team found a new ransomware family called GodDamn that first appeared in the wild on May 21, 2026, and analyzed an attack that took place in early June. The group behind it, which Symantec tracks as Hyadina, has been running ransomware operations since March 2022. GodDamn is their third product: Monster came first, Beast followed in June 2024, and now this.The lineage isn’t speculation. Symantec researchers noticed significant code overlap between GodDamn and Beast, and the operational toolset, including AnyDesk for remote access, NirSoft-based credential stealers, and the same avoidance of targets in CIS countries, runs consistently across all three iterations.“Analysis of a recent GodDamn ransomware attack indicates that this seemingly new ransomware is in fact the latest rebrand of the Beast ransomware, which in itself was a rebrand of the Monster ransomware, which was first seen in 2022.” reads the report published by Symantec. “The Symantec Threat Hunter Team tracks the developer behind these ransomware families as Hyadina.”The headline upgrade in GodDamn is the use of PoisonX, a kernel driver that carries a valid Microsoft signature. That signature matters because Windows loads signed drivers automatically, and a driver running at kernel level can terminate security software processes, strip away the permissions those tools need to function, or tamper with the kernel’s internal event notifications so that security products stop receiving alerts about what’s happening on the machine. They keep running, but they’re effectively blind.Most bring-your-own-vulnerable-driver (BYOVD) attacks exploit a legitimate but flawed driver that already exists. PoisonX is different. The cybersecurity community first observed the use of the PoisonX kernel driver in early 2026 when attackers used it to disable security software. At the time, threat actors used it to kill the CrowdStrike Falcon service by sending a crafted IOCTL to the driver’s undocumented interface. “The driver is signed by Microsoft and so to the system it appears to be a legitimate driver. This means it can be used to stop or disable security software at the kernel level. We commonly call this type of defense evasion a bring-your-own-vulnerable-driver (BYOVD) attack, where a vulnerability in a legitimate driver is exploited to shut down defenses.” continues the report. “However, the PoisonX driver seems to be slightly more unusual, in that it appears to be a malicious driver that its developers succeeded in getting signed by Microsoft, and it is now being used by ransomware attackers.”Now PoisonX is part of GodDamn’s standard toolkit, and it’s also been adopted by the operators of The Gentlemen ransomware-as-a-service scheme in their custom defense-disabling tool handed to affiliates.The initial access vector for the investigated attack is unknown. The first confirmed malicious activity appeared on May 29, when AnyDesk turned up on a host inside the organization, placed in the user’s Music folder rather than a standard installation directory. That location is consistent with manual delivery by an attacker who’d already obtained access through some earlier means.The next day, the attackers deployed their defense evasion capabilities on a second host. A file named symantec.exe, staged in the Music folder and designed to look like a Symantec product, dropped the PoisonX driver into the system driver store as g11.sys. On the same host, a credential-harvesting toolkit appeared in a subdirectory of the user profile containing 14 separate tools: Mimikatz, WebBrowserPassView, ChromePass, PasswordFox, MessengerPass, VNCPassView, MailPassView, SniffPass, OperaPassView, CredentialsFileView, WirelessKeyView, ExtPassword, PSTPassword, and NetPass. Together they cover browsers, Windows Credential Manager, cached domain credentials, VNC sessions, email clients, Wi-Fi profiles, and live network traffic. Netscan.exe was included to map reachable hosts. That’s a thorough shopping list.After a two-day gap, lateral movement began on June 1 using PsExec, with all commands sharing a process chain through psexesvc.exe, services.exe, and wininit.exe. The attackers disabled Windows Defender real-time monitoring and mounted administrative shares using stolen credentials to reach adjacent systems. “There was then a gap in activity by the attackers of approximately two days. On June 1, 2026, lateral movement began across the enterprise network.” states Symantec. “All malicious commands during this phase shared a process lineage running through psexesvc.exe, services.exe, and wininit.exe, confirming that PsExec was being used to push commands to remote targets. “On each host they reached, they configured AnyDesk for unattended access: a dedicated configuration directory was created, the interactive consent prompt was suppressed, and a remote access password was set by piping it directly to AnyDesk’s standard input.AnyDesk was then registered as two separate auto-start Windows services to survive reboots, with a PowerShell pre-staged installer used on some machines to streamline the rollout. “After completing the AnyDesk setup on each host, the attackers terminated the running AnyDesk process, waited briefly, then rebooted the machine.” continues the report. “By the end of June 2, this deployment sequence had been repeated across at least 10 hosts within the targeted organization.” The four-day gap between the first activity on May 29 and encryption starting June 3 is consistent with a dwell period used for staging, data exfiltration, or further reconnaissance.GodDamn ransomware was first detected on June 3 on a separate network segment belonging to a distinct part of the organization. The binary was named encrypter-windows-gui-x86.exe and appeared in user Downloads and Music folders. In some attacks, encrypted files are renamed with the .God8Damn extension. In this particular incident, the attackers used the victim organization’s own name as the file extension, which Symantec describes as somewhat unusual. Victims are directed to contact the attackers via email or the qTox encrypted messaging app.Let’s look at the threat actor behind the new ransomware family. Hyadina’s track record since 2022 shows a consistent pattern: take what worked before, fix the detection problems, add new capabilities, rebrand. Monster used Delphi and targeted 32-bit Windows. Beast added Linux and VMware ESXi support, expanded language options including Chinese, and improved encryption performance. GodDamn adds a legitimately signed malicious kernel driver. As Symantec observed about the original Monster attacks: “One of the hallmarks of a November 2022 Monster attack documented by Symantec was the use by the attackers of a password protected self-extracting archive containing the Mimikatz credential-dumping tool and a large number of password-harvesting tools developed by NirSoft, much like the tools we saw used in this recent GodDamn attack, with many of the same tools used, including AnyDesk and NetScan also.” The toolset hasn’t changed much in four years. The evasion techniques have.“GodDamn appears to be the latest ransomware iteration from this group, which continues to develop its stealth and defense evasion capabilities. GodDamn’s use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group, indicating that Hyadina is continuing to actively develop its ransomware and its capabilities.” concludes the report.Follow me on Twitter: @securityaffairs and Facebook and MastodonPierluigi Paganini(SecurityAffairs – hacking, GodDamn Ransomware)