2026-07-11 · view entry permalink →
GodDamn ransomware (Beast/Monster rebrand) blinds EDR with 'PoisonX', a malicious kernel driver Microsoft signed
Symantec's Threat Hunter Team assesses that GodDamn — surfaced as a "new" ransomware, first observed 2026-05-21 — is the latest rebrand in a lineage it tracks to a developer called Hyadina: Monster (2022) → Beast → GodDamn, the last sharing significant code overlap with Beast (Symantec/Broadcom, 2026-07-09). The investigated early-June intrusion is a conventional human-operated ransomware kill chain with one standout component. AnyDesk appeared on the first host staged under the user's Music folder — a placement Symantec reads as manual attacker delivery, not a normal install — and began beaconing to relay infrastructure. The operators then dropped a defence-evasion binary masquerading as a Symantec product, which installed the PoisonX kernel driver (g11.sys) into the system driver store, staged a 14-tool credential-harvesting kit (13 NirSoft utilities plus Mimikatz) under the profile, moved laterally across 10-plus hosts via PsExec while re-installing AnyDesk on each for unattended access (writing ad.security.interactive_access=2 to suppress the consent prompt and registering it as auto-start services), disabled Windows Defender real-time monitoring, and finally deployed the encrypter (Symantec/Broadcom, 2026-07-09; The Hacker News, 2026-07-09).
PoisonX is what distinguishes this case from routine bring-your-own-vulnerable-driver tradecraft. Rather than abusing a flaw in a legitimate signed driver, PoisonX is a driver built to be malicious that its developers nonetheless got signed under Microsoft's "Windows Hardware Compatibility Publisher" program; once loaded it terminates security-product processes and strips user-mode API hooks, so it disables EDR visibility rather than merely evading it. It was first documented earlier in 2026 killing the CrowdStrike Falcon service via a crafted IOCTL to an undocumented driver interface (Symantec/Broadcom, 2026-07-09).
the PoisonX driver seems to be slightly more unusual, in that it appears to be a malicious driver that its developers succeeded in getting signed by Microsoft, and it is now being used by ransomware attackers.
Placing AnyDesk under the user Music folder rather than a standard installation directory is consistent with manual delivery by an attacker who had already obtained access to the host by an earlier means.