general · TheHackerNews
Cybersecurity researchers at Symantec have identified a ransomware family called GodDamn that uses a Microsoft-signed kernel driver named PoisonX to disable endpoint defenses. First observed in the wild on May 21, 2026, GodDamn is assessed to be a rebrand of Beast ransomware, itself derived from Monster (a Delphi-based ransomware from March 2022). The threat group, tracked as Hyadina, employed PoisonX in a bring-your-own-vulnerable-driver (BYOVD) attack during an intrusion in early June 2026. The attack chain included credential harvesting via NirSoft tools, lateral movement using PsExec, and persistent remote access through AnyDesk configured as an auto-start service across multiple hosts.
Organizations subject to CMMC, NIST 800-171, and SOC2 requirements should assess their kernel-driver allowlisting and driver-signing validation controls, as PoisonX's Microsoft signature bypasses common detection heuristics. Defense contractors handling CUI and SaaS providers in SOC2 observation should evaluate whether their endpoint detection and response (EDR) tools can detect kernel-level tampering and process-termination tactics. The use of legitimate remote-access tools (AnyDesk) for persistence highlights the need for network segmentation and behavioral monitoring to catch tool abuse. An Omniware engagement can scope your organization's resilience to defense-evasion techniques and BYOVD exploitation.
Source: The Hacker News - https://thehackernews.com/2026/07/goddamn-ransomware-uses-poisonx-driver.html
Source: TheHackerNews
All briefings