All incidents

GodDamn ransomware leverages signed PoisonX driver to disable defenses

malwareopenJul 9, 2026 — Jul 9, 2026
PoisonX signed driver fuels new GodDamn ransomware by Hyadina

SECURITYAFFAIRS reported that a new ransomware family dubbed GodDamn has been observed in the wild, leveraging a signed kernel driver named PoisonX to neutralise security software on compromised hosts. The campaign, first detected on 9 July 2026, is attributed to the ransomware‑as‑a‑service group Hyadina, which previously operated under the Monster and Beast banners.

DarkReading noted that the PoisonX driver carries a valid Microsoft signature, which allows it to load as a trusted kernel module and issue commands that terminate antivirus processes and disable real‑time protection. Because the driver appears legitimate, many endpoint defences do not block its execution, giving the ransomware unrestricted access to the system kernel. No CVE identifier has been assigned to the driver, but its abuse relies on the time lag between a driver’s public release and its inclusion in Microsoft’s blocklist.

Infections typically begin with the abuse of legitimate remote‑desktop tools such as AnyDesk, which threat actors use to gain initial footholds inside corporate networks. Once inside, the group deploys credential‑dumping utilities to harvest administrative passwords, facilitating lateral movement and the deployment of the GodDamn payload across multiple endpoints. The ransomware then encrypts files and leaves a ransom note demanding payment in cryptocurrency.

Security researchers have observed active exploitation of GodDamn against targets in the healthcare and education sectors in the United States, reflecting Hyadina’s focus on industries that are often willing to pay to restore critical services. The group operates a ransomware‑as‑a‑service model, providing affiliates with the PoisonX driver and the ransomware builder in exchange for a share of the proceeds. This approach has allowed the threat to scale rapidly since its emergence earlier this year.

Defenders should enforce strict driver signing policies that only allow Microsoft‑signed or organisation‑approved kernels to load, and regularly audit installed drivers for any that appear unsigned or anomalous. It is also advisable to restrict the use of remote‑desktop applications like AnyDesk to authorised users and to monitor for anomalous process termination attempts that could indicate driver‑based attacks.

Additionally, enabling kernel‑mode protection features such as Hypervisor‑protected Code Integrity (HVCI) can help block malicious drivers from executing, while maintaining up‑to‑date threat intelligence on known abusive drivers allows security teams to update blocklists promptly. Network segmentation and least‑privilege access models further limit the ransomware’s ability to move laterally once a foothold is achieved.

Intelligence briefing updated Jul 9, 2026

Hyadina
Timeline Coverage

Swipe to explore timeline