Dateline: July 10, 2026
Four Days, Ten Machines, Zero Alerts: Inside a GodDamn Intrusion
A driver sat on GitHub since April 7, labeled by its author as a research tool. It carried a valid Microsoft signature. By early June it was inside an American company’s network, quietly killing every security process on ten machines before ransomware finished the job.
Symantec’s Threat Hunter Team published its findings this week. The ransomware is called GodDamn. The driver is called PoisonX. And the story is less about a new malware family than about a signature that never should have existed.
What Happened?
GodDamn is not new code. It is the third name for the same product. Symantec traced significant code overlap back to Beast, which was itself a rebrand of Monster, a Delphi based locker first seen in March 2022. The developer behind all three is tracked as Hyadina, a ransomware as a service operation that mostly hits American organizations across healthcare, manufacturing, and education.
GodDamn first surfaced in the wild on May 21, 2026. Roughly two weeks later, Symantec investigated a live intrusion.
The initial access vector is still unknown. The first signal was an AnyDesk instance running from a user’s Music folder on May 29, configured for unattended access with consent prompts suppressed. A day later, on a second machine, the attackers dropped a binary named symantec.exe. That file impersonated a trusted security product while disabling Windows Defender real time monitoring. It also dropped g11.sys, the PoisonX kernel driver.
PoisonX terminated security processes and stripped user mode API hooks. Endpoint tools kept running. They just stopped seeing anything.
From there the operators pulled credentials with Mimikatz and roughly fourteen NirSoft utilities, harvesting browser passwords, Windows Credential Manager entries, stored domain credentials, VNC sessions, email clients, Wi-Fi profiles, and live network traffic. PsExec carried commands across the environment. By the end of June 2, the same deployment sequence had run on at least ten hosts. The encryptor landed on June 3.
Symantec analyst Brigid O Gorman was blunt about the signature. The driver has no legitimate use, she said, so in retrospect it should not have been signed. Nobody knows how its developers got Microsoft to approve it.
The Impact
Bring your own vulnerable driver attacks normally abuse a legitimate driver with a flaw in it. PoisonX flips that. It was built to kill security software, and it got signed anyway. Windows loads it without complaint because the signature checks out.
Microsoft maintains a Vulnerable Driver Blocklist for exactly this problem. Gorman notes the gap between a driver being identified and the blocklist update reaching enterprise endpoints runs days, often weeks. Attackers move faster than that.
PoisonX was first documented in early 2026 killing the CrowdStrike Falcon service through a crafted IOCTL to an undocumented interface. It is also one of eight drivers bundled into GentleKiller, the defense evasion tool The Gentlemen RaaS hands to its affiliates. This is not one group’s toy anymore.
Note the four day gap between AnyDesk landing and encryption starting. That window was reconnaissance, credential theft, and probably exfiltration. Detection was possible the entire time. Nothing detected it, because the sensors were blind.
GodDamn Ransomware and the PoisonX Kernel Driver
Observed by the Symantec Threat Hunter Team in a June 2026 intrusion attributed to Hyadina.
Threat Actor and Family
- Threat actor: Hyadina
- Ransomware family: GodDamn rebrand of Beast, which rebranded from Monster in 2022
- First seen in the wild: May 21, 2026
Files and Binaries
- g11.sys PoisonX kernel driver, carries a valid Microsoft signature
- symantec.exe user mode defense evasion tool impersonating a Symantec product
- encrypter-windows-gui-x86.exe encryptor, found in user Downloads and Music folders
Encrypted File Extensions
- .God8Damn used in most observed attacks
- Victim organization name used as the extension in the Symantec investigated incident
Remote Access Artifacts
- AnyDesk installed to non standard paths, including a user’s Music folder
- Unattended access enabled with consent prompts suppressed
- Persistent AnyDesk services registered to survive reboots
Lateral Movement
- PsExec, with malicious commands traced through psexesvc.exe, services.exe, and wininit.exe
- Administrative shares mounted using harvested credentials
Credential Harvesting
- Mimikatz
- NirSoft password recovery utilities pulling from browsers, Windows Credential Manager, stored domain credentials, VNC sessions, email clients, Wi-Fi profiles, and live network traffic
Reconnaissance and Ransom Note
- Recon commands: ipconfig, tasklist
- Victims directed to contact operators by email or through the qTox encrypted messaging app
Behavioral and Contextual Markers
- Windows Defender real time monitoring disabled programmatically
- Security processes terminated and user mode API hooks stripped at kernel level
- PoisonX published to GitHub on April 7, 2026 by an account using the handle oxfemale, described there as a research tool
- Roughly four day gap between initial AnyDesk foothold and ransomware deployment
How to Avoid This
Turn on Microsoft’s Vulnerable Driver Blocklist across every Windows endpoint. Then treat it as a floor, not a ceiling.
- Enable Memory Integrity, also called HVCI, to stop unauthorized driver loading.
- Use Windows Defender Application Control to allow only drivers you have approved, instead of blocking the ones someone else has already caught.
- Alert on any new kernel driver installation. A driver appearing on an endpoint outside a patch window is worth a phone call.
- Restrict remote monitoring tools. AnyDesk running from a Music folder is not an edge case, it is a signature.
- Watch for tamper events. When endpoint protection processes die or Defender real time monitoring flips off, that is the incident, not the prelude to one.
- Confirm your EDR self protection modules are current. PoisonX exists specifically to defeat them.
When Your Sensors Go Dark, Who Is Still Watching?
PoisonX did not defeat detection logic. It defeated the thing running the detection logic. That gap between a driver loading and a blocklist catching up is where Hyadina lives.
Secure.com’s Digital Security Teammates cover that gap by watching behavior across the environment, not just the endpoint that just went quiet.
The SOC Teammate flags tamper events and sudden telemetry loss as incidents, not noise.
- Attack path mapping shows where a single foothold reaches next, before PsExec gets there.
- Continuous misconfiguration assessment surfaces endpoints missing HVCI or driver blocklist enforcement.
- Automated case management assembles the AnyDesk anomaly, the credential dump, and the driver load into one case instead of ten unresolved alerts.
- Purple loop automation tests whether your BYOVD detections actually fire before an operator finds out for you.