GodDamn ransomware has emerged as a serious threat, marking the third rebrand of a family that has quietly evolved since 2022.
What makes this variant stand out is not just its encryption ability but the malicious kernel driver it uses to blind security tools before an attack begins. This mix of stealth and persistence lets operators move through networks with alarming ease.
The attackers behind GodDamn rely on a familiar playbook of remote access tools, credential theft utilities, and lateral movement techniques, but they added a dangerous layer of defense evasion.
By deploying a signed but malicious driver alongside a fake security tool, they disable endpoint protection at the kernel level, far harder for defenders to catch than typical malware behavior.
This approach has already proven effective in a real intrusion investigated by researchers. Analysts from Symantec identified the connection between GodDamn and its predecessors, tracing a direct lineage back to the Monster ransomware first observed in 2022.
The Threat Hunter Team, part of Symantec and Carbon Black, said in a report shared with Cyber Security News (CSN) that the developer behind these ransomware families, tracked as Hyadina, continues refining its tools with each rebrand.
The impact of this activity has been significant for the organization targeted in the investigated incident, with attackers gaining a foothold on one machine and spreading to at least ten hosts before deploying ransomware.
The four day gap between initial access and encryption suggests the group used this time for reconnaissance, credential harvesting, or data theft.
GodDamn is not an entirely new creation but the latest name applied to a lineage that has adapted repeatedly to survive. Understanding its origins and current techniques helps explain why detecting this threat quickly matters so much for network defenders.
GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver
GodDamn traces its roots to Monster, a ransomware strain written in Delphi that first appeared in March 2022 and targeted 32-bit Windows systems while avoiding machines in the Commonwealth of Independent States.
Hyadina ran Monster as a ransomware-as-a-service operation, working with affiliates using Mimikatz and a range of NirSoft password recovery tools.
In June 2024, the group rebranded as Beast, expanding support to Linux and VMware ESXi systems and improving the encryption process itself.
Beast also introduced multilingual support, including Chinese, showing the operators were widening their pool of victims beyond earlier limitations.
By 2025, Beast attacks incorporated new tools such as the Gmer rootkit scanner for killing processes, Defender Control for disabling Windows Defender, and IObit Unlocker for freeing locked files.
GodDamn continues this pattern, and in some cases renames encrypted files with the extension .God8Damn, though in the investigated case files were instead renamed using the victim organization’s name.
PoisonX driver disables defenses
The most notable addition in this GodDamn attack was the PoisonX kernel driver, first documented earlier in 2026 when it was used to kill the CrowdStrike Falcon service through a crafted command sent to its hidden interface.
Since the driver carries a legitimate Microsoft signature, it appears trustworthy to the operating system despite its malicious purpose.
This is not a typical bring-your-own-vulnerable-driver scenario where attackers exploit a flaw in existing software.
Instead, PoisonX appears built specifically for malicious use and somehow obtained a valid Microsoft signature, letting it terminate security processes and strip protective hooks at the kernel level.
In the investigated attack, the driver was dropped alongside a fake file named symantec.exe, designed to impersonate a trusted security product while quietly disabling Windows Defender’s real-time monitoring.
Attackers then used PsExec to push commands across the network, install AnyDesk on multiple hosts for persistent access, and launch the ransomware binary itself.
Given the sophistication of this toolset, organizations should watch for unauthorized kernel driver installs, restrict tools like AnyDesk to approved configurations, and keep endpoint detection updated against BYOVD style techniques.
Reviewing the Symantec Protection Bulletin for the latest detection signatures is also recommended for teams defending against this threat.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| File Hash (SHA-256) | 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944 | PsExec – psexesvc.exe |
| File Hash (SHA-256) | 17fb52476016677db5a93505c4a1c356984bc1f6a4456870f920ac90a7846180 | Netpass – netpass64.exe |
| File Hash (SHA-256) | 19bab15a34d5ad838ccf4d187eb40379c335fa56446d0f9621865b2767d4ac7d | WirelessKeyView – wirelesskeyview64.exe |
| File Hash (SHA-256) | 2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d | PoisonX Driver – g11.sys |
| File Hash (SHA-256) | 31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc | Mimikatz – mimik.exe |
| File Hash (SHA-256) | 35296e7a34688ca3e3159bcdf92b4d60ba4173a2369aca531bb7bc959f68ed9c | CredentialsFileView – credentialsfileview64.exe |
| File Hash (SHA-256) | 45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220 | AnyDesk – anydesk.exe |
| File Hash (SHA-256) | 5be325905df8aab7089ab2348d89343f55a2f88dadd75de8f382e8fa026451bd | MailPassView – mailpv.exe |
| File Hash (SHA-256) | 5c4c98d774eb100f9a89ae4e984c27a4f532e58c7cf8c87046dc87db5a065404 | ChromePass – chromepass.exe |
| File Hash (SHA-256) | 5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6 | PstPassword – pstpassword.exe |
| File Hash (SHA-256) | 7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26 | MessengerPass – mspass.exe |
| File Hash (SHA-256) | 816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019 | VNCPassView – vncpassview.exe |
| File Hash (SHA-256) | 8e4b218bdbd8e098fff749fe5e5bbf00275d21f398b34216a573224e192094b8 | OperaPassView – operapassview.exe |
| File Hash (SHA-256) | 8ff1c1967841a595d996a649c8134b7a5970dcf94624b237d1b089e7c6266167 | WebBrowserPassView – webbrowserpassview.exe |
| File Hash (SHA-256) | 9fae3f15900e13ec3860a109555ecd33ca43d38907c63438c50a2d6d91bfee1d | Netscan – netscan.exe |
| File Hash (SHA-256) | b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8 | Defense evasion tool – symantec.exe |
| File Hash (SHA-256) | c92580318be4effdb37aa67145748826f6a9e285bc2426410dc280e61e3c7620 | SniffPass – sniffpass64.exe |
| File Hash (SHA-256) | e097f3b445b63b07afacde8d6a67f0be654dd51e228a3610fb0710a1f7e29a69 | GodDamn ransomware – encrypter-windows-gui-x86.exe |
| File Hash (SHA-256) | ece33e4b7e2d26eeca8ad9db4439f9801a7a77e332611116156738b1b0316046 | ExtPassword – extpassword.exe |
| File Hash (SHA-256) | faca9e856c369b63d6698c74b1d59b062a9a8d9fe84b8f753c299c9961026395 | PasswordFox – passwordfox64.exe |
| IP Address | 15.235.230[.]188 | AnyDesk relay infrastructure contacted during the intrusion |
| IP Address | 185.229.191[.]39 | AnyDesk relay infrastructure contacted during the intrusion |
| IP Address | 141.95.145[.]210 | AnyDesk relay infrastructure contacted during the intrusion |
| IP Address | 162.19.171[.]150 | AnyDesk relay infrastructure contacted during the intrusion |
| IP Address | 192.168.0[.]25 | Internal host accessed via administrative share using stolen credentials |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.

