GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses
GodDamn ransomware represents the third iteration of ransomware developed by Hyadina, following Monster (2022) and Beast (2024). A recent attack in June 2026 demonstrates sophisticated tactics including AnyDesk for remote access, NirSoft-based credential harvesting tools, and the PoisonX kernel driver for defense evasion. PoisonX is a malicious driver signed by Microsoft that terminates security processes at the kernel level. Attackers used PsExec for lateral movement, deployed comprehensive credential theft toolkits comprising 14 different tools, and disabled endpoint defenses before encrypting files. The encrypted files were renamed with victim organization names as extensions. The four-day dwell period allowed attackers to stage payloads and conduct reconnaissance before triggering encryption across at least 10 hosts within the targeted organization.
AI Analysis
Technical Summary
GodDamn ransomware, attributed to the Hyadina threat actor, is a rebranded evolution of previous ransomware families Monster (2022) and Beast (2024). The June 2026 attack demonstrates advanced tactics including the use of AnyDesk for remote access, a suite of 14 credential harvesting tools based on NirSoft utilities, and the PoisonX kernel driver. PoisonX is a malicious driver signed by Microsoft that terminates security processes at the kernel level to evade detection and disable endpoint defenses. Lateral movement is achieved using PsExec. The attackers conduct a four-day dwell period for reconnaissance and payload staging before encrypting files on at least 10 hosts, renaming encrypted files with the victim organization's name as the extension. The attack chain incorporates multiple MITRE ATT&CK techniques such as credential dumping, defense evasion, lateral movement, and data encryption.
Potential Impact
The ransomware disables endpoint security defenses at the kernel level, allowing attackers to operate undetected for days. Credential harvesting and lateral movement tools enable widespread compromise within the targeted network. The encryption of files with organization-specific extensions results in data loss and operational disruption. The use of a signed malicious driver increases the difficulty of detection and mitigation by traditional security solutions.
Mitigation Recommendations
No official patch or remediation is available as this is a malware threat rather than a software vulnerability. Organizations should ensure endpoint detection and response solutions are updated to detect malicious signed drivers like PoisonX. Monitoring for unusual use of remote access tools such as AnyDesk and lateral movement tools like PsExec is recommended. Credential harvesting toolkits should be detected and blocked where possible. Incident response should focus on rapid containment and recovery. Since this is not a cloud service, remediation depends on organizational security controls. Patch status is not applicable; check vendor advisories of security products for detection updates.
Indicators of Compromise
- hash: 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944
- hash: d28f0cfae377553fcb85918c29f4889b
- hash: df218168bf83d26386dfd4ece7aef2d0
- hash: 32e24780735a0148c3cc4ce7dda30ed9365397a9
- hash: 4a3418d78d8fe36b39d1ee5435796369b88a8762
- hash: 816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019
- hash: 5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6
- hash: 7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26
- hash: 8e4b218bdbd8e098fff749fe5e5bbf00275d21f398b34216a573224e192094b8
- hash: c92580318be4effdb37aa67145748826f6a9e285bc2426410dc280e61e3c7620
- hash: 31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc
- hash: faca9e856c369b63d6698c74b1d59b062a9a8d9fe84b8f753c299c9961026395
- hash: 863fa58aa1fe8a88626625b191d4722e
- hash: e7fb4bf69be5ac4583c0c02e26a17bd3cdef4c02
- hash: 45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220
- hash: fc3b93e042de5fa569a8379d46bce506
- hash: 1ba499bafaa369be58e795a150403c8729ef5d95
- hash: 5be325905df8aab7089ab2348d89343f55a2f88dadd75de8f382e8fa026451bd
- hash: e736229e890a138ccf7810e00a6bb50d
- hash: 10955a02ef3fd3f80f20062c401bf7960ff6ce94
- hash: 17fb52476016677db5a93505c4a1c356984bc1f6a4456870f920ac90a7846180
- hash: 2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d
- hash: 07e9f0b8627a95960e79e930fb099e84
- hash: 56bee9df5833a637f5c54d5911df98b0812fe643
- hash: d29670e684e40ddc89b47010c37cbc96737035b6
- hash: 233b795102dd9cd630aebddfe3c15bbb
- hash: b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8
- hash: 4277a6be9b121a30564aca6ba32db272
- hash: 8e776dbb71eb8f42dffd3020175edef5
- hash: 7b01f64b7818d315ef7a2485c4ce2a5d6896cb58
- hash: 7d33e173819ecd502f790bf6d3da260a82dedfa2
- hash: 19bab15a34d5ad838ccf4d187eb40379c335fa56446d0f9621865b2767d4ac7d
- hash: 35296e7a34688ca3e3159bcdf92b4d60ba4173a2369aca531bb7bc959f68ed9c
- hash: 5c4c98d774eb100f9a89ae4e984c27a4f532e58c7cf8c87046dc87db5a065404
- hash: 8ff1c1967841a595d996a649c8134b7a5970dcf94624b237d1b089e7c6266167
- hash: 9fae3f15900e13ec3860a109555ecd33ca43d38907c63438c50a2d6d91bfee1d
- hash: e097f3b445b63b07afacde8d6a67f0be654dd51e228a3610fb0710a1f7e29a69
- hash: ece33e4b7e2d26eeca8ad9db4439f9801a7a77e332611116156738b1b0316046
GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses
Description
GodDamn ransomware represents the third iteration of ransomware developed by Hyadina, following Monster (2022) and Beast (2024). A recent attack in June 2026 demonstrates sophisticated tactics including AnyDesk for remote access, NirSoft-based credential harvesting tools, and the PoisonX kernel driver for defense evasion. PoisonX is a malicious driver signed by Microsoft that terminates security processes at the kernel level. Attackers used PsExec for lateral movement, deployed comprehensive credential theft toolkits comprising 14 different tools, and disabled endpoint defenses before encrypting files. The encrypted files were renamed with victim organization names as extensions. The four-day dwell period allowed attackers to stage payloads and conduct reconnaissance before triggering encryption across at least 10 hosts within the targeted organization.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
GodDamn ransomware, attributed to the Hyadina threat actor, is a rebranded evolution of previous ransomware families Monster (2022) and Beast (2024). The June 2026 attack demonstrates advanced tactics including the use of AnyDesk for remote access, a suite of 14 credential harvesting tools based on NirSoft utilities, and the PoisonX kernel driver. PoisonX is a malicious driver signed by Microsoft that terminates security processes at the kernel level to evade detection and disable endpoint defenses. Lateral movement is achieved using PsExec. The attackers conduct a four-day dwell period for reconnaissance and payload staging before encrypting files on at least 10 hosts, renaming encrypted files with the victim organization's name as the extension. The attack chain incorporates multiple MITRE ATT&CK techniques such as credential dumping, defense evasion, lateral movement, and data encryption.
Potential Impact
The ransomware disables endpoint security defenses at the kernel level, allowing attackers to operate undetected for days. Credential harvesting and lateral movement tools enable widespread compromise within the targeted network. The encryption of files with organization-specific extensions results in data loss and operational disruption. The use of a signed malicious driver increases the difficulty of detection and mitigation by traditional security solutions.
Mitigation Recommendations
No official patch or remediation is available as this is a malware threat rather than a software vulnerability. Organizations should ensure endpoint detection and response solutions are updated to detect malicious signed drivers like PoisonX. Monitoring for unusual use of remote access tools such as AnyDesk and lateral movement tools like PsExec is recommended. Credential harvesting toolkits should be detected and blocked where possible. Incident response should focus on rapid containment and recovery. Since this is not a cloud service, remediation depends on organizational security controls. Patch status is not applicable; check vendor advisories of security products for detection updates.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.security.com/threat-intelligence/goddamn-ransomware-beast-rebrand"]
- Adversary
- Hyadina
- Pulse Id
- 6a4f99c77bfb2dde4f69e174
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944 | — | |
hashd28f0cfae377553fcb85918c29f4889b | — | |
hashdf218168bf83d26386dfd4ece7aef2d0 | — | |
hash32e24780735a0148c3cc4ce7dda30ed9365397a9 | — | |
hash4a3418d78d8fe36b39d1ee5435796369b88a8762 | — | |
hash816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019 | — | |
hash5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6 | — | |
hash7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26 | — | |
hash8e4b218bdbd8e098fff749fe5e5bbf00275d21f398b34216a573224e192094b8 | — | |
hashc92580318be4effdb37aa67145748826f6a9e285bc2426410dc280e61e3c7620 | — | |
hash31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc | — | |
hashfaca9e856c369b63d6698c74b1d59b062a9a8d9fe84b8f753c299c9961026395 | — | |
hash863fa58aa1fe8a88626625b191d4722e | — | |
hashe7fb4bf69be5ac4583c0c02e26a17bd3cdef4c02 | — | |
hash45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220 | — | |
hashfc3b93e042de5fa569a8379d46bce506 | — | |
hash1ba499bafaa369be58e795a150403c8729ef5d95 | — | |
hash5be325905df8aab7089ab2348d89343f55a2f88dadd75de8f382e8fa026451bd | — | |
hashe736229e890a138ccf7810e00a6bb50d | — | |
hash10955a02ef3fd3f80f20062c401bf7960ff6ce94 | — | |
hash17fb52476016677db5a93505c4a1c356984bc1f6a4456870f920ac90a7846180 | — | |
hash2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d | — | |
hash07e9f0b8627a95960e79e930fb099e84 | — | |
hash56bee9df5833a637f5c54d5911df98b0812fe643 | — | |
hashd29670e684e40ddc89b47010c37cbc96737035b6 | — | |
hash233b795102dd9cd630aebddfe3c15bbb | — | |
hashb29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8 | — | |
hash4277a6be9b121a30564aca6ba32db272 | — | |
hash8e776dbb71eb8f42dffd3020175edef5 | — | |
hash7b01f64b7818d315ef7a2485c4ce2a5d6896cb58 | — | |
hash7d33e173819ecd502f790bf6d3da260a82dedfa2 | — | |
hash19bab15a34d5ad838ccf4d187eb40379c335fa56446d0f9621865b2767d4ac7d | — | |
hash35296e7a34688ca3e3159bcdf92b4d60ba4173a2369aca531bb7bc959f68ed9c | — | |
hash5c4c98d774eb100f9a89ae4e984c27a4f532e58c7cf8c87046dc87db5a065404 | — | |
hash8ff1c1967841a595d996a649c8134b7a5970dcf94624b237d1b089e7c6266167 | — | |
hash9fae3f15900e13ec3860a109555ecd33ca43d38907c63438c50a2d6d91bfee1d | — | |
hashe097f3b445b63b07afacde8d6a67f0be654dd51e228a3610fb0710a1f7e29a69 | — | |
hashece33e4b7e2d26eeca8ad9db4439f9801a7a77e332611116156738b1b0316046 | — |
Threat ID: 6a50a01268715ace4335962d
Added to database: 07/10/2026, 07:32:34 UTC
Last enriched: 07/10/2026, 07:47:26 UTC
Last updated: 07/10/2026, 07:48:08 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.