GBHackers

GodDamn Ransomware Attack Uses PsExec Lateral Movement and NirSoft Toolkit for Credential Theft


A targeted GodDamn ransomware incident shows the payload is not entirely new but the latest rebrand of a long-running family.

Analysis reveals strong code overlap with Beast (the 2024 rebrand of Monster), and the operational playbook mirrors earlier Hyadina campaigns.

Stealthy foothold, credential harvesting using NirSoft utilities, kernel-level defense subversion, remote-access tooling, and PsExec-driven lateral movement before encryption.

The intrusion observed in late May and early June 2026 began with AnyDesk running from an anomalous location under a user’s Music folder, suggesting manual deployment by an operator with prior access.

The AnyDesk client reached several relay IPs and was configured for unattended access operators suppressed consent prompts and registered persistent services to ensure survivability across reboots.

This technique allowed persistent, interactive control while minimizing noisy remote-access behaviors that could trigger alerts.

Credential collection was systematic and comprehensive: investigators found a staged toolkit under a user profile containing Mimikatz alongside fourteen NirSoft utilities WebBrowserPassView, ChromePass, PasswordFox, MailPassView, VNCPassView, WirelessKeyView and others plus Netscan for host discovery.

This suite covers browsers, Windows Credential Manager, cached domain credentials, VNC and email clients, Wi‑Fi profiles, and live traffic capture, enabling rapid credential harvesting and lateral pivoting using stolen account material.

The Symantec Threat Hunter Team tracks the developer behind these ransomware families as Hyadina. Monster was first documented in 2022, and detailed indicators from that time help link this activity to the same developer cluster.

Lateral movement used PsExec. All malicious commands during propagation traced through psexesvc.exe, services.exe and wininit.exe, confirming a PsExec-based distribution model.

GodDamn Ransomware Attack

Attackers performed basic reconnaissance with ipconfig and tasklist, mounted administrative shares with harvested credentials, and installed AnyDesk access on reached hosts to build a resilient remote-access fabric.

Anatomy of a GodDamn Ransomware Attack (Source : Symantec).

Scripts and a reusable PowerShell installer accelerated deployment across at least ten hosts in the observed environment.

A notable and dangerous feature of this campaign was kernel-level defense evasion. The operators deployed a file impersonating a Symantec binary that dropped a signed kernel driver, PoisonX, into the system driver store.

PoisonX carries a legitimate-looking signature attributed to “Microsoft Windows Hardware Compatibility Publisher” and can terminate security processes and remove user-mode hooks.

While BYOVD (bring-your-own-vulnerable-driver) attacks typically misuse legitimate vulnerable drivers, PoisonX appears to be a malicious driver that obtained signing, giving attackers an unusually powerful capability to blind endpoint defenses.

PoisonX had been previously documented in early 2026 for similar CrowdStrike-killing behavior.

After staging credentials and disabling defenses (including programmatic disabling of Defender real‑time monitoring), operators allowed a dwell period before deploying encryption.

GodDamn samples appeared in user profile directories and, in many cases, encrypted files received a .God8Damn extension; in the Symantec-investigated incident, the operators instead used the victim organization’s name as an extension an atypical marker that may assist attribution in future cases.

The timeline and toolset align with Hyadina’s historical modus operandi: Monster in 2022, Beast in 2024, persistent use of NirSoft credential tools, AnyDesk for remote access, and rebrands that refine encryption and targeting.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide



Source link