GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses
Key Takeaways GodDamn ransomware, a rebrand of the Beast and Monster strains, employs a sophisticated kernel driver, PoisonX, to disable endpoint security. The PoisonX driver is signed with a...
Key Takeaways
- GodDamn ransomware, a rebrand of the Beast and Monster strains, employs a sophisticated kernel driver, PoisonX, to disable endpoint security.
- The PoisonX driver is signed with a legitimate Microsoft signature, making it difficult for traditional security measures to detect.
- Attackers use standard remote access tools and credential theft utilities, combined with kernel-level defense evasion, to establish persistence and spread within networks.
- A recent attack demonstrated initial access followed by a four-day reconnaissance period before ransomware deployment, affecting at least ten hosts.
GodDamn ransomware has emerged as a significant and evolving cyber threat, representing the third iteration of a ransomware family that has been active since 2022. This variant distinguishes itself not only through its encryption capabilities but, more critically, by its use of a malicious kernel driver designed to neutralize security tools before initiating an attack. This blend of stealth and persistence allows threat actors to navigate compromised networks with alarming efficiency.
Table Of Content
The individuals behind GodDamn leverage a familiar arsenal of remote access tools, credential harvesting utilities, and lateral movement techniques. However, they have integrated a potent layer of defense evasion. By deploying a signed, yet malicious, driver in conjunction with a deceptive security tool, they can disable endpoint protection at the kernel level. This approach is far more challenging for defenders to detect compared to conventional malware behaviors. This sophisticated methodology has already proven effective in a documented intrusion analyzed by cybersecurity researchers.
Analysts from Symantec identified the connection between GodDamn and its predecessors, tracing its lineage directly back to the Monster ransomware, first observed in 2022. According to The Threat Hunter Team, part of Symantec and Carbon Black, said in a report shared with Cyber Security News (CSN), the developer, tracked as Hyadina, continuously refines its tools with each new rebrand.
The impact of this activity was substantial for the organization targeted in the investigated incident. Attackers gained initial access on a single machine and subsequently spread to a minimum of ten hosts before deploying the ransomware. The four-day interval between initial access and encryption suggests the group utilized this period for reconnaissance, credential harvesting, or data exfiltration.
GodDamn is not an entirely novel threat but the latest moniker for a persistent ransomware lineage that has consistently adapted. Understanding its origins and current operational tactics is crucial for network defenders to implement timely and effective detection and mitigation strategies.
GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver
GodDamn’s origins can be traced to Monster, a ransomware strain developed in Delphi that first surfaced in March 2022. This initial version targeted 32-bit Windows systems and specifically avoided machines located in the Commonwealth of Independent States. Hyadina operated Monster as a ransomware-as-a-service (RaaS) model, collaborating with affiliates who frequently employed tools like Mimikatz and various NirSoft password recovery utilities.
In June 2024, the group rebranded its operations as Beast. This evolution introduced support for Linux and VMware ESXi systems, alongside enhancements to the encryption process. Beast also incorporated multilingual support, including Chinese, indicating a strategic effort by the operators to broaden their victim pool beyond previous geographical and linguistic constraints.
By 2025, Beast attacks had integrated additional tools, such as the Gmer rootkit scanner for terminating processes, Defender Control for disabling Windows Defender, and IObit Unlocker for unlocking files. GodDamn continues this pattern of evolution. In some instances, it renames encrypted files with the .God8Damn extension, although in the observed case, files were renamed using the victim organization’s name instead.
PoisonX Driver Disables Defenses
The most critical new feature introduced in this GodDamn attack is the PoisonX kernel driver. This driver was first documented in early 2026 when it was used to terminate the CrowdStrike Falcon service by sending a specially crafted command to its hidden interface. Critically, the PoisonX driver possesses a legitimate Microsoft signature, allowing it to appear trustworthy to the operating system despite its malicious intent.
This situation differs from typical “bring-your-own-vulnerable-driver” (BYOVD) scenarios, where attackers exploit existing flaws in legitimate software. Instead, PoisonX appears to have been specifically developed for malicious purposes and somehow managed to obtain a valid Microsoft signature. This signature enables it to terminate security processes and remove protective hooks at the kernel level, effectively blinding endpoint security solutions.
In the analyzed attack, the PoisonX driver was deployed alongside a deceptive executable named symantec.exe, which was designed to impersonate a legitimate security product while surreptitiously disabling Windows Defender’s real-time monitoring. Following this, the attackers leveraged PsExec to execute commands across the network, installed AnyDesk on multiple hosts for persistent remote access, and finally launched the GodDamn ransomware binary.
Given the advanced nature of this toolset, organizations must remain vigilant for unauthorized kernel driver installations, restrict the use of remote access tools like AnyDesk to approved configurations, and ensure endpoint detection and response (EDR) solutions are updated to counter BYOVD-style techniques. Reviewing the Symantec Protection Bulletin for the latest detection signatures is also recommended for defense teams.
What You Should Do
- Actively monitor for unauthorized kernel driver installations, especially those with suspicious digital signatures or unknown origins.
- Implement strict application whitelisting to prevent the execution of unapproved tools, including remote access software like AnyDesk, PsExec, and NirSoft utilities.
- Ensure all endpoint detection and response (EDR) solutions are fully updated and configured to detect and block BYOVD (Bring Your Own Vulnerable Driver) techniques.
- Regularly review and update security policies related to administrative shares and remote access protocols to prevent lateral movement.
- Educate users and IT staff on identifying phishing attempts and social engineering tactics that could lead to initial access.
- Consult the latest Indicators of Compromise (IoCs) for proactive threat hunting.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.