New GodDamn Ransomware Uses Malicious Driver to Disable Security Software

New GodDamn Ransomware Uses Malicious Driver to Disable Security Software

A newly identified version of the GodDamn ransomware is using advanced techniques to disable cybersecurity protections before launching its attacks, according to cybersecurity researchers.

The latest variant, analyzed by researchers at Symantec, employs a Microsoft-signed malicious driver to terminate security software running on infected systems, allowing attackers to operate with reduced risk of detection.

Researchers say the malware represents the newest evolution of a ransomware family that has been active since 2022 and demonstrates how cybercriminals continue to develop more sophisticated methods to evade security defenses.

Evolution of the Hyadina Ransomware Family

According to Symantec, GodDamn ransomware first appeared in May 2026.

Analysis of its code revealed that it is the latest version of Beast ransomware, which itself was a rebranded version of Monster ransomware first identified in 2022.

Security researchers collectively refer to these related ransomware strains as the Hyadina ransomware family.

The continued development of the malware suggests the operators remain active and are regularly updating their attack techniques.

Attack Begins with Remote Access

Researchers observed attackers using AnyDesk, a legitimate remote desktop application, to establish remote access to targeted systems.

To avoid detection, the software was reportedly hidden inside a folder named “Music” on compromised computers and connected to unknown internet addresses.

Although investigators have not confirmed how attackers initially gained access to affected machines, Symantec noted that compromised user accounts remain one of the most common entry points for ransomware attacks.

Microsoft-Signed Driver Used to Disable Security Tools

One of the most concerning aspects of the new attack is the use of a malicious kernel driver known as PoisonX.

Attackers disguised an executable file as a Symantec security product before installing the PoisonX driver onto the victim’s computer.

The driver reportedly carries a legitimate Microsoft Windows Hardware Compatibility Publisher digital signature, allowing it to appear trustworthy to the operating system.

Once installed, PoisonX terminates security software processes, effectively disabling endpoint protection and making it easier for attackers to continue operating without interruption.

Researchers said they do not yet know how the attackers obtained the trusted Microsoft signature.

Possible methods include using stolen corporate certificates or abusing legitimate third-party drivers to bypass security checks.

Credential Theft Before Encryption

After disabling security defenses, attackers deployed additional hacking tools to collect sensitive information from compromised systems.

Among the tools identified were Mimikatz and NirSoft, both commonly used by threat actors to steal passwords, authentication credentials, browser cookies and other valuable information.

The attackers also attempted to capture network traffic and identify administrator accounts, enabling them to expand their control across the victim’s network before launching the ransomware.

Security researchers say this stage allows cybercriminals to maximize the impact of the attack by compromising additional systems before encrypting files.

Final Stage Encrypts Files

Once sufficient access had been established, the attackers executed the GodDamn ransomware payload.

The malware encrypted files across the affected systems and displayed a ransom note demanding payment in exchange for restoring access to the data.

Like many modern ransomware attacks, the operation combines credential theft, privilege escalation and defense evasion before deploying encryption, making detection and response significantly more difficult.

Researchers Warn of Growing Sophistication

Symantec researchers believe the latest version of GodDamn ransomware demonstrates how ransomware groups continue to improve their capabilities.

The use of the recently identified PoisonX malicious driver represents a significant advancement in defensive evasion techniques.

According to Symantec’s threat hunting team, the attackers are actively refining their tools, tactics and procedures to make future attacks more effective and more difficult for organizations to detect.

Cybersecurity experts continue to advise organizations to strengthen endpoint protection, enforce multi-factor authentication, keep software fully updated, monitor privileged accounts and maintain secure offline backups to reduce the impact of ransomware incidents.

As ransomware groups continue adopting more sophisticated methods to bypass traditional security tools, researchers warn that organizations must remain vigilant and continuously improve their cyber defenses against evolving threats.

By Zobia Zulfqar

Zobia covers current affairs, international news, business, technology, innovation, and trending topics, providing accurate, timely, and insightful reporting for a global audience.

Comments