Particle.news
Download on the App Store

GodDamn Ransomware Uses Microsoft-Signed PoisonX Driver to Blind Endpoint Defenses

Researchers say the signed PoisonX kernel driver gives attackers low-level control to stop or blind security software, a change that raises the stakes for enterprise defenders.

Overview

  • Symantec and other researchers say GodDamn first emerged in May 2026 and is the latest rebrand from the Hyadina developer lineage that produced Monster and Beast.
  • In a May–June intrusion investigators traced the attack chain from AnyDesk remote access to a NirSoft credential toolkit, lateral movement with PsExec, and a user-mode dropper named "symantec.exe" that installed the driver as g11.sys.
  • PoisonX carries a valid Microsoft signature so Windows loads it automatically, and when run at kernel level the driver can terminate security processes, remove permissions, or stop security products from receiving kernel events.
  • The observed campaign staged defenses, configured unattended AnyDesk services across hosts, and deployed encryption by June 3 with the sequence repeated on at least 10 machines and a ransom note directing victims to email or qTox.
  • PoisonX was seen in early 2026 disabling products such as CrowdStrike Falcon and has been adopted by other ransomware operators, creating wider BYOVD risks that make detection and response harder for defenders.