A newly identified ransomware variant, dubbed GodDamn, uses the PoisonX kernel driver to systematically disable endpoint security products before encrypting files—a dangerous evolution in defense evasion tactics.

According to research from the Symantec Threat Hunter Team, first reported by The Hacker News on 9 July, the GodDamn ransomware family was first observed in the wild on May 21, 2026. The core of its attack methodology involves using the legitimate, but vulnerable, PoisonX driver. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), allows the malware to load a signed driver into the Windows kernel, then exploit its vulnerabilities to gain high-level system access and forcibly terminate or bypass security software processes that operate in user mode.

Researchers assess with high confidence that GodDamn is a rebrand of the existing Beast ransomware, likely operated by the Hyadina threat actor. Once installed, the ransomware has been observed deploying tools such as AnyDesk and PsExec for lateral movement within compromised networks. This practice of rebranding is a common tactic within the Ransomware-as-a-Service (RaaS) ecosystem, allowing threat actors to reset a tarnished reputation, evade existing detection rules, and create confusion among defenders.

The attack exposes a critical gap in many traditional endpoint protection strategies. Security tools that rely primarily on signature-based detection or operate only at the user level are particularly vulnerable to kernel-level interference. By operating at the system's core, the ransomware can effectively blind the very defenses designed to stop it.

The discovery underscores a significant shift required in defensive postures. Cybersecurity experts argue that reliance on specific malware hashes or file names is increasingly insufficient. The more effective approach focuses on tracking the TTPs—the tactics, techniques, and procedures—used by threat actors. In this case, the critical indicators are the unauthorized loading of a known vulnerable driver and subsequent anomalous kernel activity, rather than the ransomware payload itself.

To counter such threats, organizations are advised to implement layered defenses that prioritize kernel-level integrity. This includes enforcing strict driver loading policies to prevent the introduction of vulnerable drivers, deploying advanced endpoint detection and response (EDR) solutions with deep kernel monitoring capabilities, and developing real-time response protocols for suspicious kernel activity.


新近識別的勒索軟件變種 GodDamn,利用 PoisonX 核心驅動程式,在加密檔案前系統性癱瘓端點安全產品——這代表防禦迴避策略的一種危險演進。

根據賽門鐵克威脅獵人團隊的研究(由 The Hacker News 於 7 月 9 日率先報導),GodDamn 勒索軟件家族首次於野外被觀測到的時間是 2026 年 5 月 21 日。其攻擊方法的核心涉及利用合法但有漏洞的 PoisonX 驅動程式。這種被稱為「自帶有漏洞驅動程式」(BYOVD)的技術,允許惡意軟件將一個已簽署的驅動程式載入 Windows 核心,然後利用其漏洞取得高等級系統存取權限,並強制終止或繞過在使用者模式下運行的安全軟件程式。

研究人員高度確信 GodDamn 是現有 Beast 勒索軟件的重新品牌,可能由 Hyadina 威脅行為者操作。一旦安裝,該勒索軟件已被觀測到部署 AnyDesk 和 PsExec 等工具,用於在被入侵的網絡內進行橫向移動。這種重新品牌的做法在 Ransomware-as-a-Service (RaaS) 生態系統中是常見策略,使威脅行為者能夠重置受損的聲譽、迴避現有的偵測規則,並在防禦者中製造混淆。

此攻擊暴露了許多傳統端點防護策略的關鍵缺口。主要依賴特徵碼偵測或僅在使用者層級運作的安全工具,特別容易受到核心層級干擾的影響。透過在系統核心運作,勒索軟件能有效癱瘓那些旨在阻止它的防禦措施。

這次發現突顯了防禦姿態所需的重大轉變。網絡安全專家認為,依賴特定的惡意軟件 hash 值或檔案名稱越來越不夠用。更有效的方法是專注於追蹤威脅行為者使用的 TTPs(戰術、技巧及程序)。在此案例中,關鍵指標是未經授權載入已知有漏洞的驅動程式以及隨後的異常核心行為,而非勒索軟件載荷本身。

為了對抗此類威脅,建議組織實施分層防禦,優先保障核心層級的完整性。這包括實施嚴格的驅動程式載入政策以防止引入有漏洞的驅動程式、部署具備深度核心監控能力的進階端點偵測與回應(EDR)解決方案,並制定針對可疑核心活動的即時回應協議。

新聞來源 / Original News Source