BigTech CompaniesCybersecurityNewswireTechnologyWhat's Buzzing

New Ransomware Uses Malicious Driver to Disable Security Tools

Originally published on: July 11, 2026
▼ Summary

– GodDamn ransomware, first seen in May 2026, is the latest version of the Hyadina family, which includes Beast and Monster ransomware from 2022.
– Attackers used AnyDesk hidden in a ‘Music’ folder to make outbound connections, though the initial access method is unknown.
– A malicious kernel driver, PoisonX, signed with a legitimate Microsoft Windows Hardware Compatibility Publisher signature, was used to terminate security processes.
– With defenses lowered, attackers deployed tools like NirSoft and Mimikatz to steal credentials and gain control over the machine and network.
– The use of the PoisonX driver marks an escalation in evasion tactics, showing Hyadina’s ongoing development of ransomware capabilities.

A newly surfaced variant of a ransomware strain that has plagued organizations since 2022 is now leveraging a Microsoft-signed malicious driver to neutralize endpoint security tools, making detection and disruption far more difficult.

Security researchers at Symantec identified the threat, named GodDamn ransomware, which first emerged in May 2026. Code analysis reveals it is the latest evolution of Beast ransomware, itself a rebrand of Monster ransomware, first observed in 2022. All three belong to a broader ransomware family tracked as Hyadina.

According to a July 9 blog post from Symantec, attackers were observed using AnyDesk, a legitimate remote desktop application, concealed on the compromised endpoint within a folder labeled ‘Music’. From there, the tool made outbound connections to unknown IP addresses. Researchers noted that while the exact method of initial access remains unclear, account compromise is a frequent entry vector for ransomware campaigns.

Once inside, the attackers deployed an executable disguised as a Symantec product to install PoisonX, a malicious kernel driver carrying a legitimate Microsoft Windows Hardware Compatibility Publisher signature. This driver is loaded into the system driver store and subsequently used to terminate security product processes, effectively dismantling the endpoint’s defenses.

How the attackers obtained the valid Microsoft signature is still unknown. Common tactics include using stolen corporate identities to sign the driver or secretly exploiting legitimate third-party drivers.

With security tools disabled, the attackers introduced credential-stealing utilities such as NirSoft and Mimikatz. These tools harvest passwords, cookies, live network traffic, and other sensitive data, all aimed at escalating control over the machine and the broader network, including administrator accounts.

Only after achieving sufficient control did the attackers trigger the GodDamn ransomware, encrypting files and displaying a ransom note.

Researchers emphasize that GodDamn represents a significant escalation in defensive evasion capabilities for the Hyadina group. “GodDamn’s use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group, indicating that Hyadina is continuing to actively develop its ransomware and its capabilities,” the Symantec and Carbon Black threat hunter team stated.

(Source: Infosecurity Magazine)

Topics

goddamn ransomware 98% signed driver exploit 95% poisonx malicious driver 93% hyadina ransomware family 92% defense evasion 91% microsoft signature abuse 90% credential theft tools 89% ransomware evolution 88% initial access vector 87% ransomware attack chain 86%