GodDamn Ransomware Exploits Microsoft-Signed Driver to Evade Security

GodDamn Ransomware Exploits Microsoft-Signed Driver to Evade Security

First seen 9 Jul 2026, 14:11 UTC DarkreadingFeeds.4Sysopscore-jmp.org 81% similarity 69.5

Article Content

Browse articles
ThreatCluster

The GodDamn ransomware, a rebranding of previous strains, is being deployed by the Hyadina group to target U.S. organizations across various sectors. This ransomware utilizes a malicious kernel driver, PoisonX, which was improperly signed by Microsoft, to disable endpoint security tools. Initial access is gained through legitimate remote desktop software like AnyDesk, followed by the deployment of a credential-harvesting toolkit that includes multiple NirSoft utilities. The toolkit is designed to extract sensitive information such as browser histories and Wi-Fi profiles. The attacks have been observed in sectors including healthcare and manufacturing. Researchers emphasize the importance of behavioral protection to counter such sophisticated evasion techniques. The use of a Microsoft-signed driver raises significant concerns about the integrity of software signing processes. The attack methodology highlights the risks associated with dual-use tools in the hands of cybercriminals.

Key Points: • GodDamn ransomware targets U.S. organizations using a Microsoft-signed malicious driver. • Initial access is achieved via remote desktop tools like AnyDesk. • The attack employs a toolkit of NirSoft utilities for credential harvesting.

ThreatCluster AI

Timeline

2026-04-07
PoisonX driver published
The malicious driver PoisonX was published on GitHub, described as a 'research tool' by its author.
Darkreading
2026-05-29
Initial signs of GodDamn ransomware attack
Hyadina group used AnyDesk loaded in a Music folder on an infected computer to gain access.
Darkreading
2026-05-30
Malicious binary deployed
A binary named symantec.exe was dropped on a second infected computer, part of the ransomware attack.
Darkreading

Community

Browse all →