ctipilot.ch

Hyadina

actor · actor:hyadina

Symantec-tracked ransomware developer behind the Monster (2022) -> Beast -> GodDamn locker lineage; a June 2026 GodDamn intrusion used the Microsoft-signed malicious kernel driver PoisonX for BYOVD-style EDR blinding, AnyDesk for unattended access, PsExec lateral movement and a NirSoft/Mimikatz credential-harvesting kit (Symantec/Broadcom, 2026-07-09).

Coverage timeline
1
first 2026-07-11 → last 2026-07-11
Peak priority
notable
1 notable
Sources cited
3
3 hosts
Sections touched
1
active-threats
Co-occurring entities
1
see Related entities below
ATT&CK techniques
9
pinned v19.1 · see below

ATT&CK techniques

9 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Persistence TA0003

T1543.003Create or Modify System Process: Windows Service×1

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

Evidence: 2026-07-11/goddamn-ransomware-poisonx-microsoft-signed-driver · ATT&CK page ↗

T1547.006Boot or Logon Autostart Execution: Kernel Modules and Extensions×1

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.

Evidence: 2026-07-11/goddamn-ransomware-poisonx-microsoft-signed-driver · ATT&CK page ↗

Privilege Escalation TA0004

T1543.003Create or Modify System Process: Windows Service×1

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

Evidence: 2026-07-11/goddamn-ransomware-poisonx-microsoft-signed-driver · ATT&CK page ↗

T1547.006Boot or Logon Autostart Execution: Kernel Modules and Extensions×1

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.

Evidence: 2026-07-11/goddamn-ransomware-poisonx-microsoft-signed-driver · ATT&CK page ↗

Defense Impairment TA0112

T1553.002Subvert Trust Controls: Code Signing×1

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.

Evidence: 2026-07-11/goddamn-ransomware-poisonx-microsoft-signed-driver · ATT&CK page ↗

T1685Disable or Modify Tools×1

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

Evidence: 2026-07-11/goddamn-ransomware-poisonx-microsoft-signed-driver · ATT&CK page ↗

Credential Access TA0006

T1003.001OS Credential Dumping: LSASS Memory×1

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.

Evidence: 2026-07-11/goddamn-ransomware-poisonx-microsoft-signed-driver · ATT&CK page ↗

T1555.003Credentials from Password Stores: Credentials from Web Browsers×1

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

Evidence: 2026-07-11/goddamn-ransomware-poisonx-microsoft-signed-driver · ATT&CK page ↗

Lateral Movement TA0008

T1021.002Remote Services: SMB/Windows Admin Shares×1

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Evidence: 2026-07-11/goddamn-ransomware-poisonx-microsoft-signed-driver · ATT&CK page ↗

Command and Control TA0011

T1219.002Remote Access Tools: Remote Desktop Software×1

An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.

Evidence: 2026-07-11/goddamn-ransomware-poisonx-microsoft-signed-driver · ATT&CK page ↗

Impact TA0040

T1486Data Encrypted for Impact×1

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

Evidence: 2026-07-11/goddamn-ransomware-poisonx-microsoft-signed-driver · ATT&CK page ↗

Story timeline

  1. 2026-07-11GodDamn ransomware (Beast/Monster rebrand) blinds EDR with 'PoisonX', a malicious kernel driver Microsoft signed
    active-threatsSymantec: a driver built malicious from the outset — yet WHCP-signed — defeats code-signing allowlisting to kill EDR before GodDamn encrypts

Where this entity is cited

  • active-threats1

Source distribution

  • infosecurity-magazine.com1 (33%)
  • security.com1 (33%)
  • thehackernews.com1 (33%)

Related entities

Entries about Hyadina (1)

2026-07-11 · view entry permalink →

NOTABLENATOB2

GodDamn ransomware (Beast/Monster rebrand) blinds EDR with 'PoisonX', a malicious kernel driver Microsoft signed

Symantec's Threat Hunter Team assesses that GodDamn — surfaced as a "new" ransomware, first observed 2026-05-21 — is the latest rebrand in a lineage it tracks to a developer called Hyadina: Monster (2022) → Beast → GodDamn, the last sharing significant code overlap with Beast (Symantec/Broadcom, 2026-07-09). The investigated early-June intrusion is a conventional human-operated ransomware kill chain with one standout component. AnyDesk appeared on the first host staged under the user's Music folder — a placement Symantec reads as manual attacker delivery, not a normal install — and began beaconing to relay infrastructure. The operators then dropped a defence-evasion binary masquerading as a Symantec product, which installed the PoisonX kernel driver (g11.sys) into the system driver store, staged a 14-tool credential-harvesting kit (13 NirSoft utilities plus Mimikatz) under the profile, moved laterally across 10-plus hosts via PsExec while re-installing AnyDesk on each for unattended access (writing ad.security.interactive_access=2 to suppress the consent prompt and registering it as auto-start services), disabled Windows Defender real-time monitoring, and finally deployed the encrypter (Symantec/Broadcom, 2026-07-09; The Hacker News, 2026-07-09).

PoisonX is what distinguishes this case from routine bring-your-own-vulnerable-driver tradecraft. Rather than abusing a flaw in a legitimate signed driver, PoisonX is a driver built to be malicious that its developers nonetheless got signed under Microsoft's "Windows Hardware Compatibility Publisher" program; once loaded it terminates security-product processes and strips user-mode API hooks, so it disables EDR visibility rather than merely evading it. It was first documented earlier in 2026 killing the CrowdStrike Falcon service via a crafted IOCTL to an undocumented driver interface (Symantec/Broadcom, 2026-07-09).

the PoisonX driver seems to be slightly more unusual, in that it appears to be a malicious driver that its developers succeeded in getting signed by Microsoft, and it is now being used by ransomware attackers.

Placing AnyDesk under the user Music folder rather than a standard installation directory is consistent with manual delivery by an attacker who had already obtained access to the host by an earlier means.

Symantec Threat Hunter Team (Broadcom) 2026-07-09
threat11 Jul 04:30Zmulti-sourceOpen finding ↗