Skip to main content
Emerging ThreatsMalware & Ransomware

Ransomware Evolves, Exploits Microsoft Driver to Evade Defenses

Laptop in office setting with blank screen, subtle signs of disruption nearby.

“GodDamn's use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group, indicating that Hyadina is continuing to actively develop its ransomware and its capabilities,” said the Symantec and Carbon Black threat hunter team.

GodDamn ransomware and the Hyadina lineage

Symantec researchers reported that GodDamn first appeared in May 2026 and is the latest incarnation of a ransomware family that has been active since 2022. Analysis shows GodDamn is an iteration of Beast ransomware, which itself is a rebrand of Monster ransomware first seen in 2022. All three forms are grouped under a family Symantec calls Hyadina.

PoisonX malicious driver and a Microsoft signature

According to Symantec's July 9 blog post, attackers used an executable disguised as a Symantec product to drop PoisonX, a malicious kernel driver, into the system driver store. PoisonX carries a legitimate Microsoft Windows Hardware Compatibility Publisher signature and is used to terminate security product processes, further lowering the defenses of the system. Symantec's researchers note it is not known how the signature was attained; common methods mentioned include using stolen corporate identities to sign the driver, or attackers secretly exploiting legitimate third‑party drivers.

Attack chain: AnyDesk, credential theft tools, and final encryption

Symantec observed the intruders leveraging AnyDesk, a remote desktop application, which was hidden on the affected endpoint in a folder named “Music” and made outbound connections to unknown IP addresses. How the attackers gained initial access to the machine is unknown in the Symantec writeup, though the blog notes that “account compromise is a common starting point for ransomware attacks.”

With PoisonX removing or disrupting security product processes, the attackers installed tools including NirSoft and Mimikatz to steal credentials, cookies and live network traffic. Those tools were used with the stated aim of finding means to gain further control over the machine and the wider network, including administrator accounts. When the group determined it had sufficient control of accounts and systems, Symantec reports, the attackers triggered GodDamn ransomware, encrypting files and displaying a ransom note.

What this means for security teams, enterprise IT, and procurement

  • Security teams: Will have to watch for evidence that kernel drivers carrying legitimate Microsoft Windows Hardware Compatibility Publisher signatures are being introduced to the system driver store and used to terminate security product processes, as Symantec documented with PoisonX.
  • Enterprise IT: Should be aware that remote access software was observed hidden in a folder named “Music” and making outbound connections to unknown IPs, and that post‑compromise tools like NirSoft and Mimikatz were used to harvest credentials and escalate privileges.
  • Procurement and third‑party vetting: Face the question, raised by Symantec’s reporting, of how driver signatures were obtained; the report cites common methods such as using stolen corporate identities to sign drivers or abusing legitimate third‑party drivers.

Symantec and Carbon Black's assessment and the unresolved signature question

Symantec and Carbon Black characterize GodDamn and its PoisonX component as an escalation in defensive evasion capability and as evidence that the Hyadina family is actively developing its ransomware and capabilities. The most concrete unresolved fact in their analysis is how PoisonX came to carry a legitimate Microsoft Windows Hardware Compatibility Publisher signature — a detail Symantec does not confirm and for which the post lists plausible common methods but offers no definitive attribution.

The combination of a Microsoft‑signed kernel driver, hidden remote access tooling, credential‑stealing utilities, and a final encryption event is the chain Symantec documented. How PoisonX’s signature was acquired remains central to understanding whether this is a supply‑chain compromise, identity theft used to sign malware, or an exploitation of legitimate third‑party drivers — and that question, Symantec’s posting shows, is the immediate point defenders and investigators will need to answer.

https://www.infosecurity-magazine.com/news/ransomware-removes-cybersecurity/