
GodDamn Ransomware Attack: PoisonX Driver Used for Defense Evasion (June 2026)
GodDamn Ransomware: What Happened
In early June 2026, a targeted organization experienced a coordinated ransomware attack attributed to the GodDamn ransomware group, linked to the Hyadina threat actor. The attackers leveraged the PoisonX kernel driver (g11.sys), a malicious but signed driver, to systematically disable antivirus and endpoint detection and response (EDR) tools across at least 10 hosts. Prior to ransomware deployment, the threat actors established remote access using AnyDesk, configured as an auto-start service, and used a NirSoft-based credential harvesting tool to extract sensitive information. The campaign also involved a user-mode defense evasion tool masquerading as a legitimate Symantec product (symantec.exe), further complicating detection and response efforts.
Attack Vector & Technical Detail
Initial access was achieved through the installation of AnyDesk, which provided persistent remote access for the attackers. The use of the PoisonX driver (g11.sys) enabled the threat actors to disable critical endpoint defenses at the kernel level, bypassing standard security controls. Credential harvesting targeted a wide array of sources, including browsers, Windows Credential Manager, cached domain credentials, VNC sessions, email clients, Wi-Fi profiles, and live network traffic. Lateral movement was facilitated by PsExec, and the attackers relied on MITRE ATT&CK tactics TA0001 (Initial Access), TA0003 (Persistence), TA0005 (Defense Evasion), TA0008 (Lateral Movement), and TA0009 (Collection). The defense evasion tool symantec.exe was specifically designed to appear as a legitimate security product, increasing the likelihood of evading detection by security teams.
Confirmed Impact
The attack resulted in the disabling of antivirus and EDR tools, allowing the GodDamn ransomware to encrypt data and exfiltrate credentials across multiple hosts within the targeted organization. The use of a signed malicious driver (PoisonX) significantly increased the attackers' ability to evade detection and maintain persistence. While the affected organization has not been named, the attack demonstrates global reach and highlights the risk posed to organizations with insufficient driver and endpoint protection controls. The compromise of credentials and widespread encryption may have regulatory implications, particularly for organizations subject to data protection laws.
What This Means for Your Organization
The GodDamn ransomware attack underscores the importance of monitoring for unauthorized driver installations and the use of remote access tools such as AnyDesk. Organizations should implement strict controls around the installation of kernel drivers and regularly audit for the presence of known malicious files, including g11.sys and symantec.exe. Proactive credential hygiene and network segmentation can limit the impact of credential harvesting and lateral movement. Security teams must remain vigilant for defense evasion techniques that leverage legitimate-looking tools and signed drivers.
Detection & Response
- Immediate: Isolate affected hosts and review driver installations for unauthorized or suspicious files, particularly g11.sys.
- Hunt: Search for the presence of symantec.exe, AnyDesk configured as an auto-start service, and evidence of NirSoft-based credential harvesting activity.
- Patch: N/A (no CVEs associated with this attack; focus on driver and endpoint security controls).
Source: https://thehackernews.com/2026/07/goddamn-ransomware-uses-poisonx-driver.html
Start Your 14-Day Free Trial
Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.
Get Started Free

