A new ransomware variant called “GodDamn” was analyzed by Symantec and Carbon Black researchers, who found that the malware is a rebrand of Beast ransomware that uses a malicious driver called PoisonX to disable endpoint defenses.GodDamn ransomware was first seen in late May 2026, but shows significant overlaps with Beast ransomware and its predecessor Monster ransomware, the Symantec and Carbon Black Threat Hunter Team, part of Broadcom, said in a report Thursday.Monster ransomware first emerged in November 2022 and rebranded to Beast in June 2024, according to the researchers. The developer of these ransomware families is tracked as Hyadina. GodDamn exhibits similarities to its predecessors including the use of AnyDesk, NetScan, Mimikatz and NirSoft password-harvesting tools in its attack chain.The attack observed by Symantec and Carbon Black began on May 29, 2026, with a dwell time of five days before the ransomware was deployed to encrypt files. The initial infection vector could not be determined, with the attacker installing AnyDesk on the first victim machine in the Music folder, suggesting a manual action by an attacker with prior access.A day later, the attacker was observed deploying a binary disguised as Symantec software (symantec.exe), staged in the Music folder of a second machine on the same victim network. This binary dropped PoisonX, a malicious kernel driver signed by “Microsoft Windows Hardware Compatibility Publisher.”The PoisonX driver works similarly to a signed vulnerable driver in bring-your-own-vulnerable-driver (BYOVD) attacks, however, the driver appears to have been developed independently by attackers who managed to obtain a legitimate Microsoft signature. This driver was first documented by Xcitium in April 2026, when it was used in attacks to kill the CrowdStrike Falcon endpoint protection service. After deploying PoisonX for detection evasion, the GodDamn ransomware attacker deployed a comprehensive suite of 14 credentials-harvesting tools comprising Mimikatz and 13 NirSoft tools including WebBrowserPassView, ChromePass, PasswordFox, MessengerPass, VNCPassView, MailPassView, CredentialsFileView and WirelessKeyView.These tools enable the collection of credentials from browsers, Windows Credential Manager, VNC sessions, email clients, Wi-Fi profiles and more, the researchers said. The attacker also deployed NetScan, which could be used to map the victim’s network.The attacker initiated further lateral movement leveraging stolen credentials on day three of the attack, with PsExec used to run commands on remote targets. AnyDesk was deployed on each new target and registered to two autostart Windows services for persistence. By June 2, the attacker had established a foothold on at least 10 hosts on the victim’s network.The GodDamn ransomware binary, encrypter-windows-gui-x86.exe, was first seen on June 3 on a separate network segment associated with another unit at the organization, the researchers said. Encrypted files were appended with a file extension containing the name of the victim organization, although other GodDamn ransomware attacks have used the file extension “.God8Damn” for encrypted files.Threat actors leveraging the Hyadina ransomware families continue to evolve their methods and toolkits, with adoption of the recently-discovered PoisonX driver representing “an escalation in defensive evasion capability,” the Symantec and Carbon Black Threat Hunter Team concluded.Earlier this year, an exposed directory revealed toolkits used by Beast ransomware affiliates, with Team Cyrmu noting that many of its tools are documented in the open-source Ransomware Tool Matrix knowledge base, demonstrating overlaps in common tools used across various ransomware groups.
Ransomware
‘GodDamn’ ransomware deploys PoisonX driver to kill EDR

An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



