GodDamn ransomware (Beast/Monster rebrand) blinds EDR with 'PoisonX', a malicious kernel driver Microsoft signed
Symantec's Threat Hunter Team assesses that GodDamn — surfaced as a "new" ransomware, first observed 2026-05-21 — is the latest rebrand in a lineage it tracks to a developer called Hyadina: Monster (2022) → Beast → GodDamn, the last sharing significant code overlap with Beast (Symantec/Broadcom, 2026-07-09). The investigated early-June intrusion is a conventional human-operated ransomware kill chain with one standout component. AnyDesk appeared on the first host staged under the user's Music folder — a placement Symantec reads as manual attacker delivery, not a normal install — and began beaconing to relay infrastructure. The operators then dropped a defence-evasion binary masquerading as a Symantec product, which installed the PoisonX kernel driver (g11.sys) into the system driver store, staged a 14-tool credential-harvesting kit (13 NirSoft utilities plus Mimikatz) under the profile, moved laterally across 10-plus hosts via PsExec while re-installing AnyDesk on each for unattended access (writing ad.security.interactive_access=2 to suppress the consent prompt and registering it as auto-start services), disabled Windows Defender real-time monitoring, and finally deployed the encrypter (Symantec/Broadcom, 2026-07-09; The Hacker News, 2026-07-09).
PoisonX is what distinguishes this case from routine bring-your-own-vulnerable-driver tradecraft. Rather than abusing a flaw in a legitimate signed driver, PoisonX is a driver built to be malicious that its developers nonetheless got signed under Microsoft's "Windows Hardware Compatibility Publisher" program; once loaded it terminates security-product processes and strips user-mode API hooks, so it disables EDR visibility rather than merely evading it. It was first documented earlier in 2026 killing the CrowdStrike Falcon service via a crafted IOCTL to an undocumented driver interface (Symantec/Broadcom, 2026-07-09).
the PoisonX driver seems to be slightly more unusual, in that it appears to be a malicious driver that its developers succeeded in getting signed by Microsoft, and it is now being used by ransomware attackers.
Placing AnyDesk under the user Music folder rather than a standard installation directory is consistent with manual delivery by an attacker who had already obtained access to the host by an earlier means.
Defender actions
- Hunt for a kernel driver-load event immediately followed (same host, short window) by security-product service-stop events or the disappearance of user-mode API hooks — the behavioural signal that survives PoisonX's valid Microsoft signature; do not rely on code-signing allowlisting to catch it.
- Alert on remote-access software (AnyDesk) executing from a user profile folder such as Music rather than Program Files, on AnyDesk registered as an auto-start Windows service, and on
ad.security.interactive_access=2in an AnyDesk config (suppresses the interactive consent prompt). - Flag
Set-MpPreference -DisableRealtimeMonitoring $trueand PsExec lateral movement (psexesvc.exe → services.exe → wininit.exe lineage) with credential-tool staging under a user profile directory.
ATT&CK mapping
9 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Persistence TA0003
T1543.003Create or Modify System Process: Windows Service
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
T1547.006Boot or Logon Autostart Execution: Kernel Modules and Extensions
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.
Privilege Escalation TA0004
T1543.003Create or Modify System Process: Windows Service
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
T1547.006Boot or Logon Autostart Execution: Kernel Modules and Extensions
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.
Defense Impairment TA0112
T1553.002Subvert Trust Controls: Code Signing
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.
T1685Disable or Modify Tools
Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.
Credential Access TA0006
T1003.001OS Credential Dumping: LSASS Memory
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
T1555.003Credentials from Password Stores: Credentials from Web Browsers
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
Lateral Movement TA0008
T1021.002Remote Services: SMB/Windows Admin Shares
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
Command and Control TA0011
T1219.002Remote Access Tools: Remote Desktop Software
An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Impact TA0040
T1486Data Encrypted for Impact
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.