Overview
A new ransomware family called GodDamn has been observed in the wild since May 2026, distinguished by a particularly dangerous defense-evasion technique: a malicious kernel driver named PoisonX that successfully passed Microsoft's driver signing process. Because the driver carries a valid Microsoft signature, Windows loads it without challenge on any system where attackers have administrator access — stripping the machine of its endpoint defenses before encryption begins.
GodDamn was assessed by Symantec's Threat Hunter Team as a rebrand of Beast ransomware, which itself evolved from Monster, a Delphi-based ransomware lineage dating to March 2022. The threat actor behind all three generations is tracked as Hyadina.
The PoisonX Driver
Why It's Different from BYOVD
Most ransomware defense-evasion operations use Bring Your Own Vulnerable Driver (BYOVD) attacks — exploiting legitimately signed but vulnerable drivers (such as anti-cheat software or security tools) to gain kernel-level access. PoisonX is categorically different: it is an outright malicious driver that passed Microsoft's own signing process. This means:
- Windows loads it automatically once dropped to disk by an attacker with admin rights
- It does not rely on a vulnerable third-party driver to exploit; it is itself signed
- Standard driver allowlist controls based on known-good vendor drivers do not block it
What PoisonX Does
Once loaded at kernel level, PoisonX executes a process-termination loop that runs every ~2 seconds, scanning for and killing processes belonging to AV and EDR products. Its target list — shared across the GentleKiller framework — covers 400+ processes across 48 security products, including:
Microsoft Defender, CrowdStrike Falcon, SentinelOne, Sophos, Palo Alto Cortex XDR, Trend Micro, ESET, Bitdefender, McAfee/Trellix, Kaspersky, Sangfor, Cybereason, VMware Carbon Black, Elastic Security, Huntress, ThreatLocker, and Sysmon.
Connection to The Gentlemen RaaS
PoisonX is tracked as the "G11" variant within the GentleKiller EDR-killing framework, developed and distributed by The Gentlemen ransomware-as-a-service operation (tracked by Microsoft as Storm-2697). GentleKiller includes eight driver variants in total; the other seven abuse legitimate signed drivers from vendors including Kaspersky, FACEIT Anti-Cheat, Valorant, and Qihoo 360.
PoisonX has also appeared independently in intrusions not directly linked to GodDamn/Hyadina — including one documented use against CrowdStrike Falcon and a Huntress-documented case where it was paired with a second driver (hrwfpdrv.sys) ahead of ransomware deployment.
Attack Chain
A documented intrusion from June 2026 revealed the following sequence:
- Initial access — Vector not publicly confirmed for this specific intrusion
- Remote access establishment — Attackers installed AnyDesk on target hosts, then terminated it and rebooted the machine — a pattern repeated across at least 10 hosts to establish persistent access while reducing detection surface
- Credential harvesting — A NirSoft-based credential harvesting toolkit collected credentials from the compromised systems
- Privilege escalation — Administrator-level access obtained (prerequisite for kernel driver loading)
- Defense evasion — PoisonX dropped and loaded, killing AV/EDR processes across the environment
- Lateral movement — The ransomware enumerated network shares and propagated to accessible hosts
- Encryption — Files encrypted and renamed with
.God8Damnextension (or a victim-name-based extension in some variants) - Ransom note delivery —
README.TXTdropped on compromised systems
Ransomware Lineage
| Generation | Name | First Seen | Language |
|---|---|---|---|
| 1st | Monster | March 2022 | Delphi |
| 2nd | Beast | 2023–2025 | Delphi |
| 3rd | GodDamn | May 21, 2026 | Delphi |
Indicators of Compromise
| Category | Indicator |
|---|---|
| File extension | .God8Damn (or victim-name-based) |
| Ransom note | README.TXT |
| Remote access tool | AnyDesk (deployed then terminated) |
| Credential tool | NirSoft-based toolkit |
| Malicious driver | PoisonX (Microsoft-signed kernel driver) |
| Paired driver (other campaigns) | hrwfpdrv.sys |
| C2 contact | Email + qTox encrypted messaging |
| First observed | May 21, 2026 |
| RaaS affiliation | The Gentlemen / GentleKiller G11 |
Ransom Negotiation
GodDamn's ransom note directs victims to contact operators via email or qTox (a peer-to-peer encrypted messaging platform), with a discounted decryption price offered to victims who make contact quickly — a standard urgency tactic designed to prevent organizations from fully assessing their recovery options before engaging attackers.
Defensive Recommendations
-
Enforce Microsoft's Vulnerable Driver Blocklist — while PoisonX passed signing, keeping the blocklist current limits the broader BYOVD attack surface used by related campaigns
-
Monitor kernel driver load events — alert on any kernel driver not in your organization's pre-approved inventory, regardless of signature status
-
Enable EDR tamper protection — products with kernel-level self-protection can survive termination attempts by drivers like PoisonX; verify tamper protection is active and tested
-
Flag AnyDesk in non-standard contexts — AnyDesk has legitimate uses, but deployments on servers or outside approved change windows warrant immediate investigation
-
Block NirSoft tools — NirSoft credential tools have no legitimate use on managed servers; their presence signals credential theft activity
-
Alert on mass file renaming — detect bulk
.God8Damnextension changes early enough to halt encryption before it completes -
Restrict admin privileges — PoisonX requires administrator rights to load; limiting who holds local admin rights reduces the attack surface
The Broader Trend
GodDamn is not an isolated incident. The GentleKiller framework's eight driver variants are actively shared across multiple ransomware operations, establishing a supply chain for EDR evasion that any RaaS affiliate can access. The successful signing of PoisonX as a genuinely malicious driver — rather than a repurposed vulnerable legitimate driver — represents an escalation in attacker capability that demands a response from Microsoft's driver signing review process.