GodDamn Ransomware Leverages Microsoft-Signed Driver for Attacks

GodDamn Ransomware Leverages Microsoft-Signed Driver for Attacks

First seen 9 Jul 2026, 14:11 UTC DarkreadingGbhackersFeeds.4SysopsSecuritycore-jmp.org 81% similarity 70.2

Article Content

Browse articles
ThreatCluster

The GodDamn ransomware, a rebrand of the Beast and Monster strains, has emerged as a significant threat, primarily targeting American organizations across various sectors. The threat group Hyadina utilized a malicious kernel driver named PoisonX, which is signed by Microsoft, to disable endpoint security measures. Initial access was gained through AnyDesk, found in an unusual location on infected systems, with credential harvesting conducted using a NirSoft-based toolkit. The attack was first observed on May 29, 2026, with the deployment of the ransomware occurring shortly after. The encrypted files were renamed with the victim organization's name as the extension, which is atypical. The use of dual-use tools and the sophisticated evasion techniques employed indicate a high level of operational maturity within the group. Current investigations are ongoing to determine the full scope of the impact and the initial infection vector.

Key Points: • GodDamn ransomware is a rebrand of previous strains, targeting U.S. organizations. • The PoisonX driver, signed by Microsoft, is used to disable security software. • Initial access was gained through AnyDesk, with credential harvesting via NirSoft tools.

ThreatCluster AI

Timeline

2026-05-29
Initial malicious activity detected
AnyDesk was found in an unusual location on an infected computer, indicating prior access by attackers.
Security
2026-05-30
Deployment of defense evasion tools
Attackers deployed a malicious binary named symantec.exe and the PoisonX driver on a second infected computer.
Darkreading
2026-06-01
Ransomware deployment observed
The GodDamn ransomware was deployed, encrypting files and renaming them with the victim's organization name as the extension.
Security
2026-07-09
Public awareness raised
Multiple cybersecurity articles published detailing the GodDamn ransomware and its operational methods.
Darkreading

Community

Browse all →