Overview
A new ransomware strain dubbed GodDamn has surfaced, marking the third rebrand of a lineage that began with Monster (2022) and later evolved into Beast (2024–2025). What sets GodDamn apart is its use of the PoisonX kernel driver, a malicious yet signed driver that disables endpoint protection at the kernel level — a tactic far more stealthy and persistent than typical malware.
How GodDamn Operates
The attackers, tracked as Hyadina, rely on a familiar toolkit of remote access tools, credential theft utilities, and lateral movement techniques.
Key innovations in GodDamn:
- PoisonX Driver — a malicious kernel driver carrying a valid Microsoft signature, enabling it to terminate security processes like CrowdStrike Falcon and strip protective hooks.
- Fake Security Tool — dropped as
symantec.exe, impersonating trusted software while disabling Windows Defender’s real‑time monitoring. - Network Propagation — attackers used PsExec to push commands, installed AnyDesk for persistence, and launched the ransomware binary across multiple hosts.
Evolution of the Ransomware Family
- Monster (2022): Written in Delphi, targeted 32‑bit Windows, avoided CIS countries.
- Beast (2024): Expanded to Linux and VMware ESXi, introduced multilingual support, improved encryption.
- Beast (2025): Added tools like Gmer rootkit scanner, Defender Control, and IObit Unlocker.
- GodDamn (2026): Introduces PoisonX driver, renames encrypted files with
.God8Damnor victim‑specific extensions.
This lineage shows a clear pattern: continuous refinement of tools to evade defenses and maximize impact.
Real‑World Intrusion
Symantec researchers observed GodDamn in action:
- Attackers gained initial access, spread to 10+ hosts, and waited four days before encryption.
- This dwell time was used for reconnaissance, credential harvesting, and data theft.
- The attack demonstrated how kernel‑level defense evasion can blind security tools, leaving organizations exposed.
Indicators of Compromise (IoCs)
Symantec published IoCs including:
- File Hashes:
g11.sys(PoisonX driver),symantec.exe(fake tool),anydesk.exe,mimik.exe,chromepass.exe, among others. - IP Addresses: Multiple AnyDesk relay infrastructure endpoints.
- Tools Used: PsExec, Mimikatz, NirSoft utilities, and custom credential stealers.
Organizations should monitor for unauthorized kernel driver installs and restrict remote tools like AnyDesk to approved configurations.
Defensive Recommendations
- Update endpoint detection to recognize BYOVD‑style techniques.
- Audit driver installs for suspicious kernel modules.
- Review Symantec Protection Bulletin for updated detection signatures.
- Segment networks to reduce lateral movement opportunities.
- Train staff to recognize early signs of compromise.
Expert in the Cloud Insight
GodDamn ransomware demonstrates how attackers are weaponizing signed drivers to bypass traditional defenses. This is not a routine malware evolution — it’s a strategic leap in defense evasion.
For defenders, the lesson is clear: kernel‑level visibility, strict driver policies, and rapid detection of anomalous installs are now essential. Ransomware families like GodDamn prove that adversaries will continue to adapt, and only proactive defense can keep pace.
Leave a Reply