Skip to main content
Emerging ThreatsMalware & Ransomware

GodDamn Ransomware Exploits Signed Driver to Disable Endpoint Defenses

Cluttered office desk with laptop, monitor, and papers, in a large room with fluorescent lighting.
"However, the PoisonX driver seems to be slightly more unusual, in that it appears to be a malicious driver that its developers succeeded in getting signed by Microsoft, and it is now being used by ransomware attackers," the Symantec Threat Hunter Team said in a report shared with The Hacker News.

PoisonX kernel driver (g11.sys) and signed-malicious-driver concern

Security researchers identified PoisonX as a kernel-mode component being deployed in live ransomware operations. In the campaign examined by Symantec, the driver appears on disk as g11.sys and is used to neutralize endpoint defenses. Symantec described PoisonX as “slightly more unusual” because the developers managed to get the driver signed by Microsoft and then used it in active attacks, a factor that complicates automatic Windows defenses that trust digitally signed drivers.

GodDamn ransomware, Hyadina lineage, and early sightings

Symantec's Threat Hunter Team first publicly spotted the GodDamn ransomware family on May 21, 2026. Broadcom's cybersecurity arm traces the developer behind GodDamn and earlier variants under the moniker Hyadina. Broadcom assesses GodDamn to be a rebrand of Beast, which itself was an enhanced evolution of Monster — a Delphi-based ransomware family first observed in March 2022.

In the incidents analyzed, Symantec reported that GodDamn was detected on June 3 on a network segment tied to a separate organizational unit; in that intrusion the malware renamed files using the victim’s name as the extension instead of the “.God8Damn” extension seen in other Hyadina attacks.

Observed attack chain in early June 2026

Symantec documented a multi-stage intrusion in early June that combined remote access tools, credential harvesting, signed drivers and lateral-movement utilities. The threat actors used AnyDesk for remote access and deployed a NirSoft-based credential harvesting toolkit prior to running the encryptor. That harvester was designed to extract sensitive artifacts from common web browsers, Windows Credential Manager, cached domain credentials, VNC sessions, email clients, Wi‑Fi profiles and live network traffic.

The operation also used a user-mode defense-evasion tool masquerading as a Symantec product (file name “symantec.exe”) alongside the PoisonX kernel driver (g11.sys) in a bring-your-own vulnerable driver (BYOVD) attack to impair endpoint protections. PsExec was used to move laterally, and AnyDesk was installed on reachable hosts and registered as an auto-start Windows service so the remote-access capability survived reboots. On some systems the attackers ran a PowerShell script pre-staged on the system drive to perform the AnyDesk installation, suggesting a reusable installer was in place.

According to Symantec, the attackers followed a repeatable sequence: after completing an AnyDesk setup on each host they terminated the running AnyDesk process, waited briefly, and then rebooted the machine. By the end of June 2, that deployment sequence had been repeated across at least 10 hosts within the targeted organization.

CYFIRMA reported that the ransom note left at the end of the intrusion instructed victims to contact the operators either via email or the qTox encrypted messaging app.

Gentlemen RaaS, GentleKiller, and the wider driver problem

PoisonX is not unique to GodDamn: Symantec notes it is one of eight drivers adopted by operators of The Gentlemen ransomware-as-a-service scheme within a custom tool called GentleKiller. Broadcom has emphasized the operational importance of flawed but signed drivers in these attacks. As Broadcom noted, “Vulnerable drivers are the attacker's most reliable route in. The attacker, having gained administrator privileges, can drop a flawed but validly signed driver onto the target machine. Because the driver is signed, Windows loads it automatically.”

Broadcom further outlined the primary outcomes attackers seek after loading such drivers: killing processes belonging to antivirus (AV) or endpoint detection and response (EDR) products, stripping the security agent of rights so it cannot function correctly, or tampering with kernel internal records so that the security product no longer receives notifications and becomes effectively blind.

What this means for technologists, procurement leaders, and defenders

  • Technologists and security teams: will want to pay attention to the specific artifacts Symantec reported — g11.sys, a user-mode tool named symantec.exe, PowerShell-based AnyDesk installers, and the presence of a NirSoft-based credential harvester — because those files and behaviors were observed as part of the GodDamn intrusion chain.
  • Procurement leaders and IT acquisition teams: face renewal of a specific supply-chain risk highlighted by Symantec and Broadcom — signed drivers can be weaponized if attackers manage to get malicious code signed, and Broadcom explicitly ties signed but flawed drivers to attackers' most reliable route to disable endpoint defenses.
  • Defenders and incident responders: should note the operational pattern Symantec documented — PsExec lateral movement, AnyDesk as an autostart service, termination-and-reboot sequences across multiple hosts — as the sequence repeated at least 10 times in the intrusion Symantec traced through June 2 and culminated in ransomware activity detected on June 3.

Symantec and CYFIRMA’s reporting paints a clear throughline: Hyadina-era ransomware families continue to evolve and are now employing a signed malicious driver in the field. Whether that driver will be repurposed by other RaaS operations, as PoisonX already appears alongside GentleKiller, is a live question in the record. For defenders, the specific combination of AnyDesk, PsExec, NirSoft harvesters and a signed kernel driver constitutes the immediate evidence to investigate; for investigators, the fact of a signed malicious driver raises distinct questions about how that signature was obtained and where similar drivers might already be in circulation.

Original reporting at The Hacker News