On July 9, 2026, Symantec's Threat Hunter Team disclosed an attack that challenges the Windows kernel trust model: the GodDamn ransomware, a rebrand of the Hyadina family, used the malicious PoisonX driver — signed with a Microsoft Windows Hardware Compatibility Publisher certificate — to disable endpoint protections before file encryption. The incident, which occurred between May and June in an unidentified corporate network, demonstrates that the BYOVD (Bring Your Own Vulnerable Driver) technique has moved beyond flawed legitimate drivers: attackers now employ components that appear purpose-built for malicious use and carry valid signatures.
- GodDamn is a rebrand of Beast ransomware, itself an evolution of Monster (March 2022); the group is tracked as Hyadina
- The PoisonX driver (file g11.sys) is signed with a Microsoft certificate and can terminate security processes and remove user-mode API hooks
- A tool named 'symantec.exe' installs PoisonX into the host's system driver store
- Attackers deployed AnyDesk on at least 10 hosts and used PsExec for lateral movement, with a 4-day gap between first observed activity and ransomware detection
The Signature Paradox: When the Certificate Becomes a Weapon
The core mechanism of the attack is the abuse of the trust model governing driver loading in Windows. Because the OS automatically loads drivers signed by recognized entities, PoisonX gains kernel access without triggering reputation-based alerts. Symantec documented that the driver, identified as g11.sys with SHA-256 hash 2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d, can terminate security product processes and remove user-mode API hooks, rendering the endpoint blind to the subsequent ransomware payload deployment.
The difference from classic BYOVD is substantial. In the traditional variant, widely documented across the industry, attackers abuse vulnerable legitimate drivers already present on the system or publicly downloadable. PoisonX, by contrast, "appears to be a malicious driver that its developers managed to get signed by Microsoft," as stated by the Symantec Threat Hunter Team. This shifts the problem from patch management and blocklists to a question of certification process integrity itself.
Timeline of an Infiltration: 4 Days of Dwell Time
Symantec's analysis reconstructs a precise chronology. The earliest observed malicious activity in the target organization dates to May 29, 2026. By June 2, attackers had deployed AnyDesk on at least 10 hosts in the network, using PsExec for lateral movement. The GodDamn ransomware was detected on June 3 on a separate network segment, with a 4-day interval that Symantec interprets as dwell time — the period during which operators maintain access without triggering the final payload.
During this phase, attackers conducted systematic credential harvesting via a toolkit comprising 14 tools based on NirSoft utilities, including Mimikatz, WebBrowserPassView, ChromePass, PasswordFox, MessengerPass, VNCPassView, MailPassView, SniffPass, OperaPassView, CredentialsFileView, WirelessKeyView, ExtPassword, PSTPassword, NetPass, plus the addition of Netscan.exe. This harvesting arsenal evidently fueled the ability to propagate laterally across the infrastructure.
Persistence and Remote Access: The Compromise Chain
AnyDesk was not the initial access vector, as sometimes imprecisely reported, but a persistence and remote access tool installed afterward. Symantec documented the PowerShell commands used for configuration: the parameter ad.security.interactive_access=2 enables access without local consent, while the binary was registered as an auto-start service with the names 'AnyDeskService' and 'AnyDesk_D', both pointing to the same executable on drive D:.
The defense evasion tool, ironically renamed 'symantec.exe' (SHA-256: b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8), has the specific task of placing PoisonX into the Windows system driver store, enabling its automatic loading at the next boot. This chain — unidentified initial access, credential harvesting, remote desktop deployment, malicious driver installation, defense disabling, encryption — represents a mature and sequentially rigorous playbook.
"GodDamn's use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group, indicating that Hyadina is continuing to actively develop its ransomware and its capabilities"
— Symantec Threat Hunter Team
PoisonX Is Not Exclusive: A Shared Component in the RaaS Ecosystem
A detail that complicates attribution: PoisonX has also been detected in the arsenal of The Gentlemen, a ransomware-as-a-service operation, in the tool dubbed GentleKiller. This overlap raises questions unanswered in the Symantec dossier: was PoisonX developed internally by Hyadina and then commercialized, or purchased in a marketplace of specialized components? The source does not specify the relationship between the two groups, nor whether the driver is the product of a shared supply chain of defense evasion tools.
What emerges clearly is the RaaS sector's trend toward modularizing attacks. EDR killers — components dedicated to disabling defenses — are separating from the ransomware payload proper, becoming standalone products that lower the barrier to entry for less skilled affiliates. GodDamn does not require operators capable of developing kernel drivers: they download a ready-to-use one, with a valid signature and documented capabilities.
Why It Matters
The Symantec dossier does not document how PoisonX's developers obtained the Microsoft signature, nor whether the certificate has been revoked. Hypothesized methods in the industry include corporate identity theft or exploitation of third-party certification processes, but these scenarios are not confirmed by the source. The exact number of GodDamn victims remains unknown: only one incident, the one analyzed in the report, is known in detail.
The brief does not specify vendor-indicated corrective measures or direct operational recommendations. It is not documented whether Microsoft has publicly acknowledged the certification process compromise or announced revisions to the WHCP program. The encrypted file extension, which in the analyzed incident uses the victim's name rather than the typical '.God8Damn', is not qualified as an absolute novelty or specific variant: the dossier does not clarify whether this is a stable characteristic of the ransomware or a customization limited to this attack.
The broader technical context, drawn from the Symantec whitepaper on BYOVD, underscores an operational truth: signed drivers are "the most reliable path for the attacker" because Windows loads them automatically, and the most common action is "killing processes belonging to antivirus or EDR products, stripping the machine of its defenses." This mechanism, applied to a driver apparently created to be malicious rather than merely vulnerable, exposes an architectural blind spot that blocklists of known drivers cannot cover.
Reading: Beyond the Blocklist
The evolution from BYOVD to BYOMD — Bring Your Own Malicious Driver — signals a qualitative shift. Defenses based on catalogs of vulnerable drivers, widely adopted in recent years, assume the problem is the vulnerability of legitimate components. When the driver is malicious by design and nonetheless signed, file reputation detection becomes inadequate. The field moves toward behavioral monitoring of driver-kernel interactions, particularly anomalous IOCTLs, as the only technically coherent approach to the documented threat.
For security teams, the GodDamn incident represents a case study on the speed of ransomware rebranding: Monster, Beast, GodDamn, all Hyadina, all with significant code overlap. The continuity of the developer, detected by Symantec through code analysis, indicates that ransomware families do not die but shed their skin, often within months, preserving and refining evasion capabilities.
Information is based on the cited advisory and current as of publication.
Sources
- https://www.infosecurity-magazine.com/news/ransomware-removes-cybersecurity/
- https://cyberpress.org/ransomware-abuses-signed-drivers/
- https://thehackernews.com/2026/07/goddamn-ransomware-uses-poisonx-driver.html
- https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html
- https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
- https://www.security.com/threat-intelligence/goddamn-ransomware-beast-rebrand
- https://www.security.com/threat-intelligence/byovd-vulnerable-drivers
- https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
- https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/
Information is based on the cited source and current as of publication.