The malware, named GodDamn, deploys the PoisonX kernel driver to terminate antivirus and endpoint detection and response processes. Kernel-level access gives the driver extensive control over an infected computer, allowing attackers to neutralise defensive software that might otherwise detect or stop the ransomware.
GodDamn was first observed on May 21, 2026, and appears to be the latest version of a ransomware family operating under several names since 2022. Its code substantially overlaps with Beast ransomware, which was itself a rebrand of the Delphi-based Monster ransomware. The developer behind the families is tracked under the name Hyadina.
An intrusion investigated in early June showed the attackers combining remote-access software, credential-stealing tools and defence-evasion components before deploying the ransomware. The operators used AnyDesk to control compromised systems and a toolkit based on utilities produced by NirSoft to collect passwords and other authentication data.
Investigators have not determined how the attackers initially entered the network. The first identified activity occurred on May 29, when an AnyDesk executable appeared in a user’s music directory rather than its usual installation location. The unusual path indicated that the program had probably been placed there to avoid attention.
The attackers later moved through the environment using compromised credentials and remote administration tools. PsExec, a legitimate Microsoft Sysinternals utility frequently used by system administrators, was employed to execute processes across multiple computers. Such tools allow ransomware operators to blend malicious activity with normal administrative traffic.
A user-mode defence-evasion application masquerading as Symantec security software was then installed. The fake executable loaded PoisonX, allowing the attackers to shut down endpoint protections from within the Windows kernel before launching the ransomware payload.
PoisonX presents a particularly serious challenge because it carries a valid Microsoft signature. Windows systems therefore recognise it as trusted software, even though its apparent purpose is to disable security products. Researchers believe its developers succeeded in submitting the malicious driver through Microsoft’s certification process, rather than merely exploiting a vulnerability in an older legitimate driver.
The technique resembles “bring your own vulnerable driver” attacks, in which criminals install a trusted but flawed driver and exploit it to gain elevated privileges. PoisonX differs because evidence suggests it was created for malicious use and then obtained an authorised signature, making it harder for conventional security controls to block.
The driver had already been documented in early 2026 after being used to terminate CrowdStrike Falcon. Attackers could send a specially crafted command to an undocumented interface within PoisonX, instructing it to kill protected processes from kernel mode. The same capability can potentially be directed against other endpoint security platforms.
Once protections were disabled in the June intrusion, the operators distributed GodDamn across about 10 computers. Some versions append the “. God8Damn” extension to encrypted files. During the investigated attack, however, the ransomware replaced file extensions with the victim organisation’s name, an uncommon tactic that may be intended to personalise the attack and increase pressure on the target.
The development reflects a broader shift among ransomware groups towards attacking security controls before encrypting data. Operators increasingly use vulnerable or malicious drivers, stolen certificates and legitimate remote-management applications to undermine monitoring systems and conceal lateral movement.
Signed drivers are attractive because they operate with privileges unavailable to most applications. Once loaded, they can interact directly with memory, processes and hardware. Security tools running at lower privilege levels may be unable to defend themselves when a hostile driver begins terminating their services.
Blocking known PoisonX files and revoking the driver’s certificate can reduce exposure, but defenders must also monitor attempts to install new kernel drivers, unusual AnyDesk locations, unexpected PsExec activity and executables impersonating security products. Driver allowlists and Microsoft’s vulnerable-driver blocklist can provide additional safeguards where they are properly configured.
The attack also demonstrates the risks created by unrestricted remote administration software. AnyDesk is widely used for legitimate technical support, yet unauthorised installations can give attackers persistent access while producing network traffic that appears ordinary. Organisations are being advised to permit only approved remote-access tools and investigate copies launched from user folders or temporary directories.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.