Connect with us

Security

PoisonX: The Deadly Weapon of GodDamn Ransomware

Published

on

Cybersecurity Researchers Identify New Ransomware Named GodDamn

A new ransomware family known as GodDamn has been identified by cybersecurity researchers. This ransomware utilizes the PoisonX kernel driver to disable security software as part of its defense evasion tactics.

Recently, the Threat Hunter Team from Symantec published a report revealing that GodDamn was first observed in the wild on May 21, 2026. It is believed to be a modified version of the Beast ransomware, which itself was a more advanced iteration of the Monster ransomware, originally detected in March 2022. The developer behind these ransomware variants, operating under the pseudonym Hyadina, is being tracked by Broadcom’s cybersecurity division.

One specific attack carried out by the GodDamn ransomware group involved the use of AnyDesk for remote access, along with a NirSoft-based credential harvesting toolkit before deploying the ransomware. The initial method of access remains unknown. The credential harvester is designed to extract sensitive data from various sources including web browsers, Windows Credential Manager, cached domain credentials, VNC sessions, email clients, Wi-Fi profiles, and network traffic.

Additionally, the attackers utilized a user-mode defense evasion tool disguised as a Symantec product (“symantec.exe”) and the PoisonX kernel driver (“g11.sys”) to disable endpoint defenses in a bring your own vulnerable driver (BYOVD) attack.

The Symantec Threat Hunter Team noted, “The PoisonX driver appears to be a malicious driver that has been signed by Microsoft, and it is being utilized by ransomware operators.” PoisonX is also employed by The Gentlemen ransomware-as-a-service (RaaS) group in their GentleKiller tool to disable system defenses before initiating encryption.

According to Broadcom, vulnerable drivers are a common entry point for attackers. By gaining administrator privileges, attackers can introduce a flawed but validly signed driver to compromise the target system’s security. This driver is automatically loaded by Windows, allowing attackers to disable antivirus and endpoint detection software, rendering the system defenseless.

See also  Cybersecurity Alert: AI Compute Hijacking, Apple Email Vulnerability, and BlueHammer Ransomware - A Compilation of 14 Stories

PsExec is used by the attackers to move laterally within the network, followed by the installation of AnyDesk on accessible hosts and configuring it as an auto-start Windows service to survive reboots. Some machines had a PowerShell script pre-staged on the system drive to streamline the AnyDesk setup process.

Following the deployment of AnyDesk on multiple hosts within the organization, the attackers terminated the running process, rebooted the machines, and repeated the process across at least 10 hosts by the end of June 2. The GodDamn ransomware was discovered on a separate network segment on June 3, with files being renamed using the victim’s name as the extension.

According to CYFIRMA, the ransom note left by the attackers prompts victims to contact them via email or the qTox encrypted messaging app.

The use of the PoisonX malicious driver component by GodDamn represents an advancement in defensive evasion tactics by Hyadina. This indicates that the ransomware group is actively enhancing its capabilities and developing new strategies to evade detection.

Trending