GodDamn Ransomware Employs PoisonX Driver to Evade Security Measures

Cybersecurity experts have identified a new ransomware variant named GodDamn, which utilizes the PoisonX kernel driver to disable endpoint security defenses, enhancing its ability to evade detection.

First observed in the wild on May 21, 2026, GodDamn is believed to be a rebranded version of the Beast ransomware, itself an evolution of the Monster ransomware that emerged in March 2022. The developer behind these ransomware strains is tracked under the alias Hyadina.

In an attack conducted in early June 2026, the perpetrators employed AnyDesk for remote access and deployed a credential harvesting toolkit based on NirSoft utilities before executing the ransomware. The initial access method remains unidentified. The credential harvester targets sensitive information from web browsers, Windows Credential Manager, cached domain credentials, VNC sessions, email clients, Wi-Fi profiles, and live network traffic.

A notable aspect of this attack is the use of a user-mode defense evasion tool masquerading as a Symantec product (“symantec.exe”) alongside the PoisonX kernel driver (“g11.sys”). This combination is used to disable endpoint defenses through a technique known as bring your own vulnerable driver (BYOVD). The PoisonX driver is particularly concerning because it appears to be a malicious driver that its developers succeeded in getting signed by Microsoft, allowing it to bypass security measures that typically block unsigned drivers.

The PoisonX driver has also been associated with The Gentlemen ransomware-as-a-service (RaaS) operation, which incorporates it into its custom GentleKiller tool. This tool is provided to affiliates to disable system defenses before deploying the ransomware payload.

In the attack sequence, the threat actors utilized PsExec to facilitate lateral movement within the network. They installed AnyDesk on accessible hosts, configuring it as an auto-start Windows service to ensure persistence across system reboots. On certain machines, the AnyDesk setup was managed by a pre-staged PowerShell script, indicating the use of a standardized installer to streamline the deployment process.

After setting up AnyDesk on each host, the attackers terminated the running AnyDesk process, waited briefly, and then rebooted the machines. By the end of June 2, this deployment sequence had been executed across at least ten hosts within the targeted organization.

GodDamn ransomware was first detected on June 3 on a separate network segment associated with a different organization, suggesting a broader campaign targeting multiple entities.

The use of signed drivers like PoisonX in BYOVD attacks underscores the evolving tactics of ransomware operators. By leveraging legitimate but vulnerable drivers, attackers can effectively disable security solutions, making detection and prevention more challenging. Organizations must remain vigilant, ensuring that all drivers are up-to-date and monitoring for unusual activities that may indicate the presence of such sophisticated threats.