Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1810+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. GodDamn Ransomware Deploys Microsoft-Signed PoisonX Driver to Kill EDR Tools
GodDamn Ransomware Deploys Microsoft-Signed PoisonX Driver to Kill EDR Tools
NEWS

GodDamn Ransomware Deploys Microsoft-Signed PoisonX Driver to Kill EDR Tools

GodDamn ransomware — a rebrand of Beast/Monster — uses PoisonX, a malicious kernel driver that passed Microsoft's signing process, to terminate 400+ security processes across 48 products before encrypting victim systems.

Dylan H.

News Desk

July 9, 2026
5 min read

Overview

A new ransomware family called GodDamn has been observed in the wild since May 2026, distinguished by a particularly dangerous defense-evasion technique: a malicious kernel driver named PoisonX that successfully passed Microsoft's driver signing process. Because the driver carries a valid Microsoft signature, Windows loads it without challenge on any system where attackers have administrator access — stripping the machine of its endpoint defenses before encryption begins.

GodDamn was assessed by Symantec's Threat Hunter Team as a rebrand of Beast ransomware, which itself evolved from Monster, a Delphi-based ransomware lineage dating to March 2022. The threat actor behind all three generations is tracked as Hyadina.

The PoisonX Driver

Why It's Different from BYOVD

Most ransomware defense-evasion operations use Bring Your Own Vulnerable Driver (BYOVD) attacks — exploiting legitimately signed but vulnerable drivers (such as anti-cheat software or security tools) to gain kernel-level access. PoisonX is categorically different: it is an outright malicious driver that passed Microsoft's own signing process. This means:

  • Windows loads it automatically once dropped to disk by an attacker with admin rights
  • It does not rely on a vulnerable third-party driver to exploit; it is itself signed
  • Standard driver allowlist controls based on known-good vendor drivers do not block it

What PoisonX Does

Once loaded at kernel level, PoisonX executes a process-termination loop that runs every ~2 seconds, scanning for and killing processes belonging to AV and EDR products. Its target list — shared across the GentleKiller framework — covers 400+ processes across 48 security products, including:

Microsoft Defender, CrowdStrike Falcon, SentinelOne, Sophos, Palo Alto Cortex XDR, Trend Micro, ESET, Bitdefender, McAfee/Trellix, Kaspersky, Sangfor, Cybereason, VMware Carbon Black, Elastic Security, Huntress, ThreatLocker, and Sysmon.

Connection to The Gentlemen RaaS

PoisonX is tracked as the "G11" variant within the GentleKiller EDR-killing framework, developed and distributed by The Gentlemen ransomware-as-a-service operation (tracked by Microsoft as Storm-2697). GentleKiller includes eight driver variants in total; the other seven abuse legitimate signed drivers from vendors including Kaspersky, FACEIT Anti-Cheat, Valorant, and Qihoo 360.

PoisonX has also appeared independently in intrusions not directly linked to GodDamn/Hyadina — including one documented use against CrowdStrike Falcon and a Huntress-documented case where it was paired with a second driver (hrwfpdrv.sys) ahead of ransomware deployment.

Attack Chain

A documented intrusion from June 2026 revealed the following sequence:

  1. Initial access — Vector not publicly confirmed for this specific intrusion
  2. Remote access establishment — Attackers installed AnyDesk on target hosts, then terminated it and rebooted the machine — a pattern repeated across at least 10 hosts to establish persistent access while reducing detection surface
  3. Credential harvesting — A NirSoft-based credential harvesting toolkit collected credentials from the compromised systems
  4. Privilege escalation — Administrator-level access obtained (prerequisite for kernel driver loading)
  5. Defense evasion — PoisonX dropped and loaded, killing AV/EDR processes across the environment
  6. Lateral movement — The ransomware enumerated network shares and propagated to accessible hosts
  7. Encryption — Files encrypted and renamed with .God8Damn extension (or a victim-name-based extension in some variants)
  8. Ransom note delivery — README.TXT dropped on compromised systems

Ransomware Lineage

GenerationNameFirst SeenLanguage
1stMonsterMarch 2022Delphi
2ndBeast2023–2025Delphi
3rdGodDamnMay 21, 2026Delphi

Indicators of Compromise

CategoryIndicator
File extension.God8Damn (or victim-name-based)
Ransom noteREADME.TXT
Remote access toolAnyDesk (deployed then terminated)
Credential toolNirSoft-based toolkit
Malicious driverPoisonX (Microsoft-signed kernel driver)
Paired driver (other campaigns)hrwfpdrv.sys
C2 contactEmail + qTox encrypted messaging
First observedMay 21, 2026
RaaS affiliationThe Gentlemen / GentleKiller G11

Ransom Negotiation

GodDamn's ransom note directs victims to contact operators via email or qTox (a peer-to-peer encrypted messaging platform), with a discounted decryption price offered to victims who make contact quickly — a standard urgency tactic designed to prevent organizations from fully assessing their recovery options before engaging attackers.

Defensive Recommendations

  1. Enforce Microsoft's Vulnerable Driver Blocklist — while PoisonX passed signing, keeping the blocklist current limits the broader BYOVD attack surface used by related campaigns

  2. Monitor kernel driver load events — alert on any kernel driver not in your organization's pre-approved inventory, regardless of signature status

  3. Enable EDR tamper protection — products with kernel-level self-protection can survive termination attempts by drivers like PoisonX; verify tamper protection is active and tested

  4. Flag AnyDesk in non-standard contexts — AnyDesk has legitimate uses, but deployments on servers or outside approved change windows warrant immediate investigation

  5. Block NirSoft tools — NirSoft credential tools have no legitimate use on managed servers; their presence signals credential theft activity

  6. Alert on mass file renaming — detect bulk .God8Damn extension changes early enough to halt encryption before it completes

  7. Restrict admin privileges — PoisonX requires administrator rights to load; limiting who holds local admin rights reduces the attack surface

The Broader Trend

GodDamn is not an isolated incident. The GentleKiller framework's eight driver variants are actively shared across multiple ransomware operations, establishing a supply chain for EDR evasion that any RaaS affiliate can access. The successful signing of PoisonX as a genuinely malicious driver — rather than a repurposed vulnerable legitimate driver — represents an escalation in attacker capability that demands a response from Microsoft's driver signing review process.

References

  • The Hacker News — GodDamn Ransomware
  • The Hacker News — GentleKiller Framework
  • ESET WeLiveSecurity — Inside GentleKiller
  • Security Affairs — GentleKiller Analysis
#Ransomware#EDR#Kernel Driver#GodDamn#PoisonX#Malware#Defense Evasion

Related Articles

Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware

This week's threat roundup covers residential proxy botnets hiding in streaming boxes, browser-based ransomware campaigns, AI agent abuse techniques, and malicious fake proof-of-concept exploits targeting security researchers.

6 min read

New Avalon Malware Framework Packs CrownX Ransomware Capabilities

Blackpoint Cyber researchers have uncovered Avalon, an AI-assisted modular malware framework that chains phishing, credential theft, lateral movement, and...

5 min read

AI-Generated Browser Ransomware Abuses Chromium API on Windows, Linux, macOS, Android

Researchers have uncovered a novel malware artifact generated using DeepSeek that weaponizes the Chromium File System Access API to encrypt files entirely...

7 min read
Back to all News