>samit_hota
Back to advisories
SH-2026-036CriticalOpen

GodDamn Ransomware Uses Signed PoisonX Kernel Driver to Disable EDR Defenses

Samit Hota·
CVE ID
N/A
CVSS Score
N/A
Affected Products
Organizations targeted by the Hyadina threat actor group using GodDamn ransomware
#news#goddamn

Overview

A new and highly potent ransomware variant, dubbed “GodDamn,” has emerged, posing a significant threat to organizations by leveraging advanced techniques to evade detection and disable security software. Researchers from Symantec and Carbon Black have identified GodDamn as a rebrand of the Beast ransomware, itself an evolution of the Monster ransomware, all attributed to a threat actor tracked as “Hyadina.” What makes GodDamn particularly dangerous is its use of the PoisonX kernel driver, a malicious driver signed by “Microsoft Windows Hardware Compatibility Publisher.” This driver allows the ransomware to neutralize endpoint detection and response (EDR) solutions and other security software at the kernel level, effectively blinding defenses before encryption.

Technical Details

GodDamn ransomware, first observed in late May 2026, shares significant code overlap and operational tactics with its predecessors, Beast (June 2024 rebrand) and Monster (November 2022). The Hyadina group’s attack chain typically involves initial access (vector currently unknown), followed by reconnaissance and credential harvesting using tools like AnyDesk for remote access, NetScan, Mimikatz, and NirSoft password-harvesting utilities. The crucial step in its defense evasion is the deployment of PoisonX. This malicious kernel driver, disguised as legitimate Symantec software (“symantec.exe”), is strategically dropped and used to kill or disable security services. Unlike traditional “bring-your-own-vulnerable-driver” (BYOVD) attacks that exploit flaws in legitimate drivers, PoisonX appears to be an independently developed malicious driver that managed to acquire a legitimate Microsoft signature. This signature allows it to operate with system-level privileges without being flagged as suspicious by the operating system, making it incredibly effective at bypassing EDR and antivirus solutions. PoisonX was previously documented in April 2026 for its use in attacks to kill CrowdStrike Falcon endpoint protection. After successfully neutralizing defenses, GodDamn proceeds with file encryption, typically dropping a ransom note instructing victims to contact the attackers via email or the qTox encrypted messaging app.

Real-World Impact

The real-world impact of GodDamn ransomware attacks is devastating, leading to significant operational disruption, data loss, and substantial financial demands from victims. The ability to deploy a signed kernel driver like PoisonX represents a sophisticated escalation in defense evasion capabilities, making it much harder for organizations to detect and stop the ransomware before it can encrypt critical systems. In observed attacks, there has been a dwell time of approximately five days between initial access and ransomware deployment, allowing threat actors ample time for network reconnaissance, credential harvesting, and data exfiltration before the final encryption stage. The use of legitimate remote access tools and credential dumpers further blurs the lines between legitimate administrative activity and malicious intent, delaying detection. Companies targeted by Hyadina using GodDamn face not only the direct costs of recovery and potential ransom payments but also the long-term consequences of compromised data and damaged reputation.

Threat Landscape

The Hyadina threat group, with its continuous rebranding and evolution of ransomware (Monster, Beast, GodDamn), demonstrates a persistent and adaptive approach to cybercrime. The integration of advanced defense evasion techniques, such as the custom-developed and legitimately signed PoisonX kernel driver, signifies a worrying trend among ransomware operators to invest in tools that challenge even the most robust enterprise security stacks. This suggests an increasing sophistication in the ransomware threat landscape, where groups are moving beyond exploiting known vulnerabilities to developing novel ways to circumvent endpoint protections. The targeting of various enterprise tools and the use of widely available hacking utilities in the attack chain highlight the blend of custom malware and off-the-shelf tools, making attribution and prevention more complex. The “GodDamn’s use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group, indicating that Hyadina is continuing to actively develop its ransomware and its capabilities,” according to cybersecurity company CYFIRMA.

Remediation

To mitigate the threat of GodDamn ransomware and similar advanced attacks, organizations must adopt a multi-layered security approach focusing on prevention, detection, and response.

  1. Enhanced Endpoint Security: While PoisonX aims to disable EDR, organizations should still deploy robust EDR solutions with advanced behavioral analysis capabilities that can detect anomalies even when kernel drivers attempt to interfere.
  2. Driver Control Policies: Implement strict driver control policies to prevent the installation of unsigned or unapproved kernel drivers. Investigate any drivers with unusual or unexpected signing certificates, even if they appear legitimate.
  3. Privilege Management: Enforce the principle of least privilege across the entire network, limiting administrative access and ensuring users only have the permissions necessary for their roles.
  4. Network Segmentation: Segment networks to limit lateral movement by attackers, making it harder for ransomware to spread from compromised endpoints to critical systems.
  5. Strong Authentication: Implement multi-factor authentication (MFA) for all accounts, especially for remote access and privileged accounts, to reduce the risk of credential theft and abuse.
  6. Regular Backups: Maintain immutable, off-site backups of all critical data to ensure recovery in the event of a successful ransomware attack.
  7. Threat Intelligence: Stay informed about the latest tactics, techniques, and procedures (TTPs) used by groups like Hyadina to better prepare and strengthen defenses.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call