Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses

0
Medium
Published: 07/09/2026 (07/09/2026, 12:53:27 UTC)
Source: AlienVault OTX General

Description

GodDamn ransomware represents the third iteration of ransomware developed by Hyadina, following Monster (2022) and Beast (2024). A recent attack in June 2026 demonstrates sophisticated tactics including AnyDesk for remote access, NirSoft-based credential harvesting tools, and the PoisonX kernel driver for defense evasion. PoisonX is a malicious driver signed by Microsoft that terminates security processes at the kernel level. Attackers used PsExec for lateral movement, deployed comprehensive credential theft toolkits comprising 14 different tools, and disabled endpoint defenses before encrypting files. The encrypted files were renamed with victim organization names as extensions. The four-day dwell period allowed attackers to stage payloads and conduct reconnaissance before triggering encryption across at least 10 hosts within the targeted organization.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 07:47:26 UTC

Technical Analysis

GodDamn ransomware, attributed to the Hyadina threat actor, is a rebranded evolution of previous ransomware families Monster (2022) and Beast (2024). The June 2026 attack demonstrates advanced tactics including the use of AnyDesk for remote access, a suite of 14 credential harvesting tools based on NirSoft utilities, and the PoisonX kernel driver. PoisonX is a malicious driver signed by Microsoft that terminates security processes at the kernel level to evade detection and disable endpoint defenses. Lateral movement is achieved using PsExec. The attackers conduct a four-day dwell period for reconnaissance and payload staging before encrypting files on at least 10 hosts, renaming encrypted files with the victim organization's name as the extension. The attack chain incorporates multiple MITRE ATT&CK techniques such as credential dumping, defense evasion, lateral movement, and data encryption.

Potential Impact

The ransomware disables endpoint security defenses at the kernel level, allowing attackers to operate undetected for days. Credential harvesting and lateral movement tools enable widespread compromise within the targeted network. The encryption of files with organization-specific extensions results in data loss and operational disruption. The use of a signed malicious driver increases the difficulty of detection and mitigation by traditional security solutions.

Mitigation Recommendations

No official patch or remediation is available as this is a malware threat rather than a software vulnerability. Organizations should ensure endpoint detection and response solutions are updated to detect malicious signed drivers like PoisonX. Monitoring for unusual use of remote access tools such as AnyDesk and lateral movement tools like PsExec is recommended. Credential harvesting toolkits should be detected and blocked where possible. Incident response should focus on rapid containment and recovery. Since this is not a cloud service, remediation depends on organizational security controls. Patch status is not applicable; check vendor advisories of security products for detection updates.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.security.com/threat-intelligence/goddamn-ransomware-beast-rebrand"]
Adversary
Hyadina
Pulse Id
6a4f99c77bfb2dde4f69e174
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hash141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944
hashd28f0cfae377553fcb85918c29f4889b
hashdf218168bf83d26386dfd4ece7aef2d0
hash32e24780735a0148c3cc4ce7dda30ed9365397a9
hash4a3418d78d8fe36b39d1ee5435796369b88a8762
hash816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019
hash5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6
hash7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26
hash8e4b218bdbd8e098fff749fe5e5bbf00275d21f398b34216a573224e192094b8
hashc92580318be4effdb37aa67145748826f6a9e285bc2426410dc280e61e3c7620
hash31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc
hashfaca9e856c369b63d6698c74b1d59b062a9a8d9fe84b8f753c299c9961026395
hash863fa58aa1fe8a88626625b191d4722e
hashe7fb4bf69be5ac4583c0c02e26a17bd3cdef4c02
hash45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220
hashfc3b93e042de5fa569a8379d46bce506
hash1ba499bafaa369be58e795a150403c8729ef5d95
hash5be325905df8aab7089ab2348d89343f55a2f88dadd75de8f382e8fa026451bd
hashe736229e890a138ccf7810e00a6bb50d
hash10955a02ef3fd3f80f20062c401bf7960ff6ce94
hash17fb52476016677db5a93505c4a1c356984bc1f6a4456870f920ac90a7846180
hash2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d
hash07e9f0b8627a95960e79e930fb099e84
hash56bee9df5833a637f5c54d5911df98b0812fe643
hashd29670e684e40ddc89b47010c37cbc96737035b6
hash233b795102dd9cd630aebddfe3c15bbb
hashb29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8
hash4277a6be9b121a30564aca6ba32db272
hash8e776dbb71eb8f42dffd3020175edef5
hash7b01f64b7818d315ef7a2485c4ce2a5d6896cb58
hash7d33e173819ecd502f790bf6d3da260a82dedfa2
hash19bab15a34d5ad838ccf4d187eb40379c335fa56446d0f9621865b2767d4ac7d
hash35296e7a34688ca3e3159bcdf92b4d60ba4173a2369aca531bb7bc959f68ed9c
hash5c4c98d774eb100f9a89ae4e984c27a4f532e58c7cf8c87046dc87db5a065404
hash8ff1c1967841a595d996a649c8134b7a5970dcf94624b237d1b089e7c6266167
hash9fae3f15900e13ec3860a109555ecd33ca43d38907c63438c50a2d6d91bfee1d
hashe097f3b445b63b07afacde8d6a67f0be654dd51e228a3610fb0710a1f7e29a69
hashece33e4b7e2d26eeca8ad9db4439f9801a7a77e332611116156738b1b0316046

Threat ID: 6a50a01268715ace4335962d

Added to database: 07/10/2026, 07:32:34 UTC

Last enriched: 07/10/2026, 07:47:26 UTC

Last updated: 07/10/2026, 07:48:08 UTC

Views: 7

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses