At a Glance
| Malware family | GodDamn ransomware (rebrand of Beast, formerly Monster) |
|---|---|
| Threat actor | Hyadina, a ransomware-as-a-service developer tracked by Symantec |
| Target / victims | Enterprise Windows networks, mainly US firms in healthcare, manufacturing, and education; at least 10 hosts in the investigated org |
| Delivery vector | Hands-on intrusion; initial access unknown; AnyDesk for remote control |
| Key capabilities | PoisonX signed kernel driver to kill EDR, Mimikatz/NirSoft credential theft, PsExec spread, file encryption |
| Source | Symantec Threat Hunter Team (Broadcom) |
TL;DR
GodDamn ransomware looks new, but it is not. Symantec says it is “the latest rebrand of the Beast ransomware,” itself a rebrand of Monster from 2022. The crew behind it, tracked as Hyadina, now wields a Microsoft-signed malicious driver to switch off endpoint defenses before it encrypts.
Delivery
The initial entry point stayed unknown in the case Symantec examined. Even so, the tradecraft was clear. The operators worked hands-on inside the network.
They installed AnyDesk for remote control and dropped it in a user’s Music folder. That odd location points to manual delivery after earlier access. GodDamn first surfaced in the wild on May 21, 2026, and this intrusion began days later.
Infection Chain

The attack unfolded over roughly a week. First, the operators staged a defense-evasion tool disguised as a Symantec product. It dropped a signed kernel driver called PoisonX.
PoisonX carries a Microsoft signature, so Windows loads it without complaint. Once active, it kills security processes and strips user-mode API hooks. That blinds the endpoint. Alongside it, the crew staged a broad credential-harvesting kit built on Mimikatz and 14 NirSoft utilities, plus a network scanner. Together those tools can pull passwords from browsers, Windows Credential Manager, email clients, VNC sessions, and Wi-Fi profiles.
After a short pause, lateral movement began through PsExec. The operators disabled Windows Defender real-time monitoring and mounted admin shares with stolen credentials. They then installed AnyDesk for unattended access on each host, suppressed its consent prompt, and added auto-start services for persistence. A reusable installer script pushed the setup to at least 10 hosts. On June 3, the GodDamn ransomware payload landed on a separate segment.
The PoisonX driver
PoisonX is the headline upgrade. It first appeared in early 2026, when an attacker used it to kill the CrowdStrike Falcon service through an undocumented interface. Most evasion drivers abuse a flaw in a legitimate signed driver, a “bring your own vulnerable driver” trick. Symantec says PoisonX is different. It calls the file “a malicious driver that its developers succeeded in getting signed by Microsoft.” Symantec’s Brigid O Gorman added that “it shouldn’t have been signed by Microsoft.” The driver was posted to GitHub in April by an author who billed it as a research tool.
Four years, three names
Hyadina follows a pattern. It emerged in 2022 with Monster, a Delphi locker aimed at 32-bit Windows. It rebranded to Beast in June 2024, adding Linux and VMware ESXi support and more languages. Attribution rests on strong code overlap, so the lineage is well supported, though the specific affiliate in this attack is unnamed. GodDamn ransomware keeps the old toolset but sharpens the evasion.
Command and Control and Data Theft
The operators leaned on AnyDesk relay infrastructure for remote control. A four-day gap between first activity and encryption points to a dwell period. Symantec says the crew may have staged payloads, stolen data, or run more recon during that window.
When encryption ran, the malware renamed files. Some attacks use a .God8Damn extension. In this incident, the operators used the victim’s own name as the extension, an unusual choice. Per CYFIRMA, the ransom note tells victims to make contact by email or the qTox messaging app.
Defense and Detection
Watch for remote-access tools in strange places. AnyDesk under a Music folder is a clear red flag. Also monitor for newly loaded kernel drivers with odd signatures, and for attempts to disable Defender real-time monitoring.
Beyond that, alert on PsExec-driven lateral movement and admin-share mounts using unexpected accounts. Treat Mimikatz and NirSoft staging folders as high-signal, and reset any credentials they could reach. Enable Microsoft’s vulnerable driver blocklist and memory integrity, though Gorman warns blocklist updates can lag by weeks. Behavioral detection helps most here, since GodDamn ransomware leans on otherwise legitimate tools. For the full technical write-up and indicators, read Symantec’s report on the Beast rebrand.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.