Advertisement
Cyber Crime

Ransomware’s Stealthy Ascent: Microsoft-Signed Driver Bypasses Defenses

GodDamn ransomware now exploits PoisonX, a Microsoft-signed kernel driver, to disable endpoint security, marking a critical escalation in evasion tactics.

·3 hours ago·3 min read
red padlock on black computer keyboard
Photo by FlyD on Unsplash
Advertisement

A particularly insidious development has emerged in cybersecurity: the exploitation of legitimate digital signatures to deploy malicious components, turning trusted system mechanisms against their users. This escalation challenges digital trust, as a new ransomware variant, GodDamn, leverages a Microsoft-signed kernel driver to disable critical endpoint security tools, bypassing defenses with a veneer of legitimacy.

GodDamn represents an advanced iteration from a persistent lineage. Symantec's Threat Hunter Team identified it as a rebrand of Beast ransomware, itself an enhanced version of Monster, a Delphi-based ransomware first surfacing in March 2022. The developer behind this family, tracked as Hyadina, shows continuous refinement to evade security. This includes 'bring your own vulnerable driver' (BYOVD) attacks, where attackers introduce a legitimate but flawed driver for kernel-level access—a growing trend for powerful defense subversion.

GodDamn ransomware was first publicly spotted on May 21, 2026. In an early June 2026 attack, Hyadina operators utilized AnyDesk for remote access, followed by a NirSoft-based credential harvesting toolkit extracting sensitive information from web browsers, Windows Credential Manager, cached domain credentials, VNC sessions, email clients, and Wi-Fi profiles. The initial access vector remains unknown. Key to defense evasion was a user-mode tool disguised as "symantec.exe" and the custom-built PoisonX kernel driver ("g11.sys") to disable endpoint defenses. "However, the PoisonX driver seems to be slightly more unusual, in that it appears to be a malicious driver that its developers succeeded in getting signed by Microsoft, and it is now being used by ransomware attackers," the Symantec Threat Hunter Team stated. This highlights a critical vulnerability in the digital certificate ecosystem. PoisonX is one of eight drivers adopted by The Gentlemen ransomware-as-a-service (RaaS) scheme, integrated into their GentleKiller tool. Broadcom elucidated last month: "Vulnerable drivers are the attacker's most reliable route in. The attacker, having gained administrator privileges, can drop a flawed but validly signed driver onto the target machine. Because the driver is signed, Windows loads it automatically." They explained: "The most common action is to kill the processes belonging to antivirus (AV) or endpoint detection and response (EDR) products, stripping the machine of its defenses. Some variants are more subtle. Attackers may strip the security agent of the rights it needs to function correctly, leaving it running but unable to act. Others tamper directly with the kernel's internal records so that the security product no longer receives notifications about what is happening on the machine, effectively making it blind." The attack leveraged PsExec for lateral movement. AnyDesk was set up on each reachable host, configured as an auto-start Windows service for persistence. A PowerShell script sometimes managed the AnyDesk setup. "After completing the AnyDesk setup on each host, the attackers terminated the running AnyDesk process, waited briefly, then rebooted the machine," Symantec reported. "By the end of June 2, this deployment sequence had been repeated across at least 10 hosts within the targeted organization." On June 3, GodDamn ransomware was detected on a separate network segment. Files were renamed with the victim's name as the extension, differing from the ".God8Damn" extension seen in other Hyadina attacks. According to CYFIRMA, the ransom note instructs victims to contact attackers via email or qTox. CYFIRMA concluded, "GodDamn's use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group, indicating that Hyadina is continuing to actively develop its ransomware and its capabilities."

The ransomware family's precursor, Monster, first appeared in March 2022. GodDamn itself was publicly identified on May 21, 2026. A significant attack leveraging PoisonX was orchestrated in early June 2026. By June 2, the deployment sequence had been replicated across at least 10 hosts. The ransomware was then broadly detected on June 3. PoisonX is one of eight such drivers utilized by The Gentlemen RaaS scheme.

Why it Matters: The emergence of GodDamn ransomware, with its innovative use of a Microsoft-signed malicious kernel driver like PoisonX, signifies a troubling advancement in cybercriminal capabilities. For businesses, this presents a formidable challenge, as traditional endpoint security solutions may struggle against threats masquerading with legitimate digital certificates. This exploitation of digital signatures erodes trust, demanding advanced behavioral detection and memory forensics from security vendors. This underscores the urgent need for layered security architectures, prioritized patch management, and threat intelligence focused on driver vulnerabilities and supply chain integrity. The continuous development by groups like Hyadina means the cybersecurity industry must remain vigilant, constantly adapting to counter these increasingly sophisticated threats.

Reporting based on original coverage from The Hacker News.

#ransomware#malware#endpoint security#byovd#hyadina#cybercrime
← Back to all stories
Advertisement