GodDamn Ransomware Uses PoisonX to Blind Security Software


GodDamn Ransomware Uses PoisonX to Blind Security Software

Pierluigi Paganini
July 09, 2026

GodDamn ransomware uses the signed PoisonX driver to disable security tools, marking a more advanced version of the Beast ransomware family.

Symantec’s Threat Hunter Team found a new ransomware family called GodDamn that first appeared in the wild on May 21, 2026, and analyzed an attack that took place in early June. The group behind it, which Symantec tracks as Hyadina, has been running ransomware operations since March 2022. GodDamn is their third product: Monster came first, Beast followed in June 2024, and now this.

The lineage isn’t speculation. Symantec researchers noticed significant code overlap between GodDamn and Beast, and the operational toolset, including AnyDesk for remote access, NirSoft-based credential stealers, and the same avoidance of targets in CIS countries, runs consistently across all three iterations.

“Analysis of a recent GodDamn ransomware attack indicates that this seemingly new ransomware is in fact the latest rebrand of the Beast ransomware, which in itself was a rebrand of the Monster ransomware, which was first seen in 2022.” reads the report published by Symantec. “The Symantec Threat Hunter Team tracks the developer behind these ransomware families as Hyadina.”

The headline upgrade in GodDamn is the use of PoisonX, a kernel driver that carries a valid Microsoft signature. That signature matters because Windows loads signed drivers automatically, and a driver running at kernel level can terminate security software processes, strip away the permissions those tools need to function, or tamper with the kernel’s internal event notifications so that security products stop receiving alerts about what’s happening on the machine. They keep running, but they’re effectively blind.

Most bring-your-own-vulnerable-driver (BYOVD) attacks exploit a legitimate but flawed driver that already exists. PoisonX is different.

The cybersecurity community first observed the use of the PoisonX kernel driver in early 2026 when attackers used it to disable security software. At the time, threat actors used it to kill the CrowdStrike Falcon service by sending a crafted IOCTL to the driver’s undocumented interface.

“The driver is signed by Microsoft and so to the system it appears to be a legitimate driver. This means it can be used to stop or disable security software at the kernel level. We commonly call this type of defense evasion a bring-your-own-vulnerable-driver (BYOVD) attack, where a vulnerability in a legitimate driver is exploited to shut down defenses.” continues the report. “However, the PoisonX driver seems to be slightly more unusual, in that it appears to be a malicious driver that its developers succeeded in getting signed by Microsoft, and it is now being used by ransomware attackers.”

Now PoisonX is part of GodDamn’s standard toolkit, and it’s also been adopted by the operators of The Gentlemen ransomware-as-a-service scheme in their custom defense-disabling tool handed to affiliates.

The initial access vector for the investigated attack is unknown. The first confirmed malicious activity appeared on May 29, when AnyDesk turned up on a host inside the organization, placed in the user’s Music folder rather than a standard installation directory. That location is consistent with manual delivery by an attacker who’d already obtained access through some earlier means.

The next day, the attackers deployed their defense evasion capabilities on a second host.

A file named symantec.exe, staged in the Music folder and designed to look like a Symantec product, dropped the PoisonX driver into the system driver store as g11.sys. On the same host, a credential-harvesting toolkit appeared in a subdirectory of the user profile containing 14 separate tools: Mimikatz, WebBrowserPassView, ChromePass, PasswordFox, MessengerPass, VNCPassView, MailPassView, SniffPass, OperaPassView, CredentialsFileView, WirelessKeyView, ExtPassword, PSTPassword, and NetPass. Together they cover browsers, Windows Credential Manager, cached domain credentials, VNC sessions, email clients, Wi-Fi profiles, and live network traffic. Netscan.exe was included to map reachable hosts. That’s a thorough shopping list.

After a two-day gap, lateral movement began on June 1 using PsExec, with all commands sharing a process chain through psexesvc.exe, services.exe, and wininit.exe. The attackers disabled Windows Defender real-time monitoring and mounted administrative shares using stolen credentials to reach adjacent systems.

“There was then a gap in activity by the attackers of approximately two days. On June 1, 2026, lateral movement began across the enterprise network.” states Symantec. “All malicious commands during this phase shared a process lineage running through psexesvc.exe, services.exe, and wininit.exe, confirming that PsExec was being used to push commands to remote targets. “

On each host they reached, they configured AnyDesk for unattended access: a dedicated configuration directory was created, the interactive consent prompt was suppressed, and a remote access password was set by piping it directly to AnyDesk’s standard input.

AnyDesk was then registered as two separate auto-start Windows services to survive reboots, with a PowerShell pre-staged installer used on some machines to streamline the rollout.

“After completing the AnyDesk setup on each host, the attackers terminated the running AnyDesk process, waited briefly, then rebooted the machine.” continues the report. “By the end of June 2, this deployment sequence had been repeated across at least 10 hosts within the targeted organization.”

The four-day gap between the first activity on May 29 and encryption starting June 3 is consistent with a dwell period used for staging, data exfiltration, or further reconnaissance.

GodDamn ransomware was first detected on June 3 on a separate network segment belonging to a distinct part of the organization. The binary was named encrypter-windows-gui-x86.exe and appeared in user Downloads and Music folders. In some attacks, encrypted files are renamed with the .God8Damn extension. In this particular incident, the attackers used the victim organization’s own name as the file extension, which Symantec describes as somewhat unusual. Victims are directed to contact the attackers via email or the qTox encrypted messaging app.

Let’s look at the threat actor behind the new ransomware family. Hyadina’s track record since 2022 shows a consistent pattern: take what worked before, fix the detection problems, add new capabilities, rebrand. Monster used Delphi and targeted 32-bit Windows. Beast added Linux and VMware ESXi support, expanded language options including Chinese, and improved encryption performance. GodDamn adds a legitimately signed malicious kernel driver.

As Symantec observed about the original Monster attacks: “One of the hallmarks of a November 2022 Monster attack documented by Symantec was the use by the attackers of a password protected self-extracting archive containing the Mimikatz credential-dumping tool and a large number of password-harvesting tools developed by NirSoft, much like the tools we saw used in this recent GodDamn attack, with many of the same tools used, including AnyDesk and NetScan also.”

The toolset hasn’t changed much in four years. The evasion techniques have.

“GodDamn appears to be the latest ransomware iteration from this group, which continues to develop its stealth and defense evasion capabilities. GodDamn’s use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group, indicating that Hyadina is continuing to actively develop its ransomware and its capabilities.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, GodDamn Ransomware)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


TL;DR

Meta stripped NameTag facial recognition code from its AI app one day after WIRED exposed it on 50 million phones. Meta says no decision has been made.

Meta removed nearly all traces of an unreleased facial recognition system from its smart glasses companion app on Friday, one day after WIRED reported that the software had been quietly embedded in an app installed on more than 50 million phones. The feature, which Meta internally called NameTag, was designed to convert faces captured by the company’s Ray-Ban smart glasses into unique biometric signatures and compare them against a database stored on the user’s device. WIRED also found that faces the system failed to recognise were cropped, indexed, and stored locally for future processing.

Andy Stone, Meta’s vice president of communications, told WIRED on Monday that the feature is “purely exploratory,” adding that no final decision has been made on what to do with it. That characterisation sits uneasily with the evidence WIRED documented. The version of Meta AI published the day of WIRED’s Thursday report contained several code libraries explicitly named for face recognition, a process for running the NameTag recognition pipeline, and a “Person recognised” alert the app would have shown if someone were identified.

Friday’s release stripped all of it out, along with a folder where the app would have stored the cropped images and biometric signatures of unrecognised faces. Meta did not answer WIRED’s questions about why the code was removed or whether the changes were planned before the story was published. A few fragments remain in the latest version, including an internal debug menu label and a dormant link meant to open a recognised person’s profile, pointing to parts of the system that are no longer there.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

The gap between Meta’s public statements and the code WIRED found is the central tension. Before the Thursday report, Stone dismissed the findings by writing that the company could not answer questions about how the system would work because “the feature does not exist.” Andrew Bosworth, Meta’s chief technology officer, called the reporting “incredibly misleading” and “absolutely dishonest.” Yet the code was functional enough to include three AI models, one to detect faces, another to crop them, and a third to encode them as biometric data, all embedded in the companion app for a product already at the centre of a mounting privacy crisis.

Meta declined to answer ten questions WIRED posed before publishing, including whether it had already created the database of face profiles NameTag uses, how long the app retains photographs and biometric data of unrecognised people, and whether that data would ever be sent back to Meta’s servers. The company also did not respond to questions about whether it was building NameTag for blind or low-vision users, or to criticism from privacy advocates who warned the system could let stalkers and abusers identify strangers in public.

NameTag first surfaced in February, when The New York Times, citing internal Meta documents, reported that the company was developing face recognition for its smart glasses and considering a launch as early as this year. One internal memo reportedly described releasing the feature during a “dynamic political environment” when privacy and civil liberties advocates would be distracted by other concerns. WIRED subsequently found that much of NameTag’s machinery had been built into the Meta AI app as early as January, months before any public acknowledgement, adding another layer to the company’s pattern of shipping first and disclosing later when it comes to its smart glasses.

Kade Crockford, director of the technology for liberty programme at the American Civil Liberties Union of Massachusetts, said the removal does not undo the original decision to ship the code and pointed to it as evidence that consumer privacy needs stronger legal protection than Congress has been willing to provide. The Massachusetts House of Representatives last week unanimously passed a consumer privacy bill that, if enacted as written, would impose strong enforcement provisions including a private right of action allowing aggrieved users to sue. “State lawmakers need to do their job and step up to protect consumer privacy,” Crockford said.

Meta’s sneaky tactics in slipping the face-recognition code into its smart glasses show exactly why data privacy bills need the teeth of strong enforcement,” Crockford added. “Companies like Meta prioritise their bottom line, so lawmakers need to speak in the only language its C-suite understands.” Whether a code removal prompted by investigative reporting constitutes a victory or merely a tactical retreat depends on what Meta does next, and on whether the regulatory pressure building on both sides of the Atlantic produces enforceable consequences before the feature quietly returns under a different name.



Source link