GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses

GodDamn ransomware has emerged as a serious threat, marking the third rebrand of a family that has quietly evolved since 2022.

What makes this variant stand out is not just its encryption ability but the malicious kernel driver it uses to blind security tools before an attack begins. This mix of stealth and persistence lets operators move through networks with alarming ease.

The attackers behind GodDamn rely on a familiar playbook of remote access tools, credential theft utilities, and lateral movement techniques, but they added a dangerous layer of defense evasion.

By deploying a signed but malicious driver alongside a fake security tool, they disable endpoint protection at the kernel level, far harder for defenders to catch than typical malware behavior.

This approach has already proven effective in a real intrusion investigated by researchers. Analysts from Symantec identified the connection between GodDamn and its predecessors, tracing a direct lineage back to the Monster ransomware first observed in 2022.

The Threat Hunter Team, part of Symantec and Carbon Black, said in a report shared with Cyber Security News (CSN) that the developer behind these ransomware families, tracked as Hyadina, continues refining its tools with each rebrand.

The impact of this activity has been significant for the organization targeted in the investigated incident, with attackers gaining a foothold on one machine and spreading to at least ten hosts before deploying ransomware.

The four day gap between initial access and encryption suggests the group used this time for reconnaissance, credential harvesting, or data theft.

GodDamn is not an entirely new creation but the latest name applied to a lineage that has adapted repeatedly to survive. Understanding its origins and current techniques helps explain why detecting this threat quickly matters so much for network defenders.

GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver

GodDamn traces its roots to Monster, a ransomware strain written in Delphi that first appeared in March 2022 and targeted 32-bit Windows systems while avoiding machines in the Commonwealth of Independent States.

Hyadina ran Monster as a ransomware-as-a-service operation, working with affiliates using Mimikatz and a range of NirSoft password recovery tools.

In June 2024, the group rebranded as Beast, expanding support to Linux and VMware ESXi systems and improving the encryption process itself.

Beast also introduced multilingual support, including Chinese, showing the operators were widening their pool of victims beyond earlier limitations.

By 2025, Beast attacks incorporated new tools such as the Gmer rootkit scanner for killing processes, Defender Control for disabling Windows Defender, and IObit Unlocker for freeing locked files.

GodDamn continues this pattern, and in some cases renames encrypted files with the extension .God8Damn, though in the investigated case files were instead renamed using the victim organization’s name.

PoisonX driver disables defenses

The most notable addition in this GodDamn attack was the PoisonX kernel driver, first documented earlier in 2026 when it was used to kill the CrowdStrike Falcon service through a crafted command sent to its hidden interface.

Since the driver carries a legitimate Microsoft signature, it appears trustworthy to the operating system despite its malicious purpose.

This is not a typical bring-your-own-vulnerable-driver scenario where attackers exploit a flaw in existing software.

Instead, PoisonX appears built specifically for malicious use and somehow obtained a valid Microsoft signature, letting it terminate security processes and strip protective hooks at the kernel level.

In the investigated attack, the driver was dropped alongside a fake file named symantec.exe, designed to impersonate a trusted security product while quietly disabling Windows Defender’s real-time monitoring.

Attackers then used PsExec to push commands across the network, install AnyDesk on multiple hosts for persistent access, and launch the ransomware binary itself.

Given the sophistication of this toolset, organizations should watch for unauthorized kernel driver installs, restrict tools like AnyDesk to approved configurations, and keep endpoint detection updated against BYOVD style techniques.

Reviewing the Symantec Protection Bulletin for the latest detection signatures is also recommended for teams defending against this threat.

Indicators of Compromise (IoCs):-

Type Indicator Description
File Hash (SHA-256) 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944 PsExec – psexesvc.exe 
File Hash (SHA-256) 17fb52476016677db5a93505c4a1c356984bc1f6a4456870f920ac90a7846180 Netpass – netpass64.exe 
File Hash (SHA-256) 19bab15a34d5ad838ccf4d187eb40379c335fa56446d0f9621865b2767d4ac7d WirelessKeyView – wirelesskeyview64.exe 
File Hash (SHA-256) 2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d PoisonX Driver – g11.sys 
File Hash (SHA-256) 31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc Mimikatz – mimik.exe 
File Hash (SHA-256) 35296e7a34688ca3e3159bcdf92b4d60ba4173a2369aca531bb7bc959f68ed9c CredentialsFileView – credentialsfileview64.exe 
File Hash (SHA-256) 45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220 AnyDesk – anydesk.exe 
File Hash (SHA-256) 5be325905df8aab7089ab2348d89343f55a2f88dadd75de8f382e8fa026451bd MailPassView – mailpv.exe 
File Hash (SHA-256) 5c4c98d774eb100f9a89ae4e984c27a4f532e58c7cf8c87046dc87db5a065404 ChromePass – chromepass.exe 
File Hash (SHA-256) 5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6 PstPassword – pstpassword.exe 
File Hash (SHA-256) 7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26 MessengerPass – mspass.exe 
File Hash (SHA-256) 816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019 VNCPassView – vncpassview.exe 
File Hash (SHA-256) 8e4b218bdbd8e098fff749fe5e5bbf00275d21f398b34216a573224e192094b8 OperaPassView – operapassview.exe 
File Hash (SHA-256) 8ff1c1967841a595d996a649c8134b7a5970dcf94624b237d1b089e7c6266167 WebBrowserPassView – webbrowserpassview.exe 
File Hash (SHA-256) 9fae3f15900e13ec3860a109555ecd33ca43d38907c63438c50a2d6d91bfee1d Netscan – netscan.exe 
File Hash (SHA-256) b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8 Defense evasion tool – symantec.exe 
File Hash (SHA-256) c92580318be4effdb37aa67145748826f6a9e285bc2426410dc280e61e3c7620 SniffPass – sniffpass64.exe 
File Hash (SHA-256) e097f3b445b63b07afacde8d6a67f0be654dd51e228a3610fb0710a1f7e29a69 GodDamn ransomware – encrypter-windows-gui-x86.exe 
File Hash (SHA-256) ece33e4b7e2d26eeca8ad9db4439f9801a7a77e332611116156738b1b0316046 ExtPassword – extpassword.exe 
File Hash (SHA-256) faca9e856c369b63d6698c74b1d59b062a9a8d9fe84b8f753c299c9961026395 PasswordFox – passwordfox64.exe 
IP Address 15.235.230[.]188 AnyDesk relay infrastructure contacted during the intrusion 
IP Address 185.229.191[.]39 AnyDesk relay infrastructure contacted during the intrusion 
IP Address 141.95.145[.]210 AnyDesk relay infrastructure contacted during the intrusion 
IP Address 162.19.171[.]150 AnyDesk relay infrastructure contacted during the intrusion 
IP Address 192.168.0[.]25 Internal host accessed via administrative share using stolen credentials 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.

The post GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses appeared first on Cyber Security News.