GodDamn Ransomware Weaponizes Microsoft-Signed PoisonX Driver
Symantec exposes GodDamn ransomware's BYOVD attack using Microsoft-signed PoisonX kernel driver to blind EDR tools. Here's how Hyadina's latest variant works and what defenders should watch for.
A Microsoft-signed kernel driver called PoisonX is giving ransomware operators a clean path past endpoint defenses. Symantec's threat hunters documented the driver in use by GodDamn, the latest rebrand from the Hyadina ransomware-as-a-service operation that's been active since March 2022.
The driver carries a valid Microsoft signature, allowing it to load automatically on Windows systems without triggering the usual kernel-mode code signing warnings. Once loaded, it terminates EDR processes and strips security hooks at the kernel level—rendering most endpoint protection useless before encryption begins.
What is GodDamn Ransomware?
GodDamn is Hyadina's third ransomware product. The group started with Monster, a Delphi-based locker, then moved to Beast in June 2024. GodDamn first appeared on May 21, 2026, and represents their most capable variant yet.
Symantec documented the attack chain from an intrusion detected on June 3, 2026. The operators combined legitimate remote access tools with a comprehensive credential-theft toolkit, lateral movement via PsExec, and the PoisonX driver for defense evasion.
The BYOVD Technique
Bring-your-own-vulnerable-driver attacks have become standard in ransomware operations. We covered similar EDR-bypass techniques when The Gentlemen RaaS deployed their GentleKiller framework earlier this year.
PoisonX differs in a concerning way: it was purpose-built for malicious use. A developer using the handle "oxfemale" published it to GitHub on April 7, 2026, describing it as a "research tool." Within weeks, it appeared in live ransomware attacks carrying a legitimate Microsoft signature.
How the driver obtained that signature remains unclear. Microsoft's WHQL signing process is supposed to prevent exactly this scenario. Security researchers have reached out to Microsoft for comment on the signing chain.
Attack Chain Breakdown
Symantec's analysis revealed the full intrusion sequence:
- Initial access — The entry vector remains unknown in this incident
- Credential harvesting — A NirSoft-based toolkit extracted browser data, Windows Credential Manager contents, VNC sessions, email client credentials, and saved Wi-Fi profiles
- Remote access — AnyDesk deployed with auto-start service configuration
- Lateral movement — PsExec for propagation across the network
- Defense evasion — A user-mode tool disguised as "symantec.exe" paired with the PoisonX kernel driver
- Encryption — File extensions customized to include victim organization names
The fake Symantec tool adds an ironic twist. Defenders seeing symantec.exe in process listings might assume it's legitimate security software rather than the component responsible for installing a malicious driver.
Ransom Demands and Communication
GodDamn ransom notes direct victims to contact attackers through email or qTox, an encrypted messaging client. The use of qTox follows a broader trend in ransomware operations toward encrypted communication channels that complicate law enforcement tracking.
No specific ransom amounts have been disclosed publicly, but Hyadina has historically operated as a RaaS, taking cuts from affiliate payments.
Why This Matters
The PoisonX situation highlights a systemic problem with kernel-mode code signing. Driver signing was supposed to be a security boundary—the assumption that only vetted, legitimate software could run at ring 0. When malicious tools obtain valid signatures, that assumption breaks down.
Security teams should:
- Monitor driver loads — Log and alert on kernel driver installations, especially from unsigned or newly signed publishers
- Audit legitimate tools — AnyDesk and PsExec are dual-use; their presence should trigger investigation
- Implement credential hygiene — The NirSoft toolkit only works when credentials are cached locally
- Review EDR health — If your EDR agent stops unexpectedly, treat it as an intrusion indicator
For readers unfamiliar with ransomware defense fundamentals, our ransomware guide covers the basics of how these attacks work and what organizations should prioritize.
The broader question—how long before Microsoft addresses whatever process allowed PoisonX to be signed—remains unanswered. Until then, defenders are left checking driver signatures that may or may not mean what they used to.
Related Articles
Gentlemen Ransomware Runs Its Own EDR Killer Factory
ESET unmasks GentleKiller, an 8-variant EDR killer framework targeting 400+ security processes. The gang ships updates to affiliates like a software vendor.
Jun 19, 2026Reynolds Ransomware Bundles EDR-Killing Driver Into Payload
New ransomware family Reynolds embeds a vulnerable NsecSoft driver directly into its payload to disable CrowdStrike, Sophos, and other EDR tools before encryption begins.
Feb 12, 2026Osiris Ransomware Uses Custom Driver to Kill Security Tools
New ransomware family employs BYOVD technique with POORTRY driver to disable endpoint protection. Evidence links operators to Inc ransomware campaigns.
Jan 24, 2026CrazyHunter Ransomware Hits Taiwan Healthcare Sector
A new ransomware group has compromised at least six healthcare organizations in Taiwan using BYOVD attacks to disable security software before encryption.
Jan 10, 2026