GodDamn Ransomware Uses Microsoft-Signed Driver to Disable Security Tools
What happened
Researchers at Symantec have uncovered a ransomware campaign by the group Hyadina, a ransomware-as-a-service (RaaS) operation that has rebranded its malware under the name GodDamn. The group previously operated ransomware families known as Beast and Monster and primarily targets organizations in the United States.
In a recent attack against an unidentified victim, Hyadina combined legitimate remote management software, open-source credential theft tools, and a malicious Windows kernel driver called PoisonX to gain control of systems and evade detection.
The attackers first deployed AnyDesk, a legitimate remote access tool commonly abused by threat actors. They then installed PoisonX, a malicious driver that carried a valid Microsoft Hardware Compatibility signature. Running with kernel-level privileges, PoisonX disabled security processes and removed protections that endpoint security products rely on.
After weakening defenses, Hyadina deployed a toolkit containing 14 credential theft utilities, including Mimikatz and several tools from NirSoft, before moving laterally through the network using PsExec and ultimately encrypting systems with the GodDamn ransomware.
Symantec researcher Brigid O Gorman said the campaign highlights how legitimate software can become dangerous when abused by attackers. She noted that behavioral and adaptive security controls are essential because they can identify suspicious activity even when trusted tools are being used.
Who is affected
Hyadina has historically targeted organizations across multiple industries, including healthcare, manufacturing, and education, while focusing primarily on victims in the United States.
Organizations that rely heavily on traditional signature-based detection may face greater risk because the attack chain uses legitimate software, signed drivers, and widely available administrative tools to avoid raising alerts. The campaign also demonstrates how bring-your-own-vulnerable-driver (BYOVD) techniques continue to evolve faster than defensive blocklists.
Why CISOs should care
The campaign shows that a valid digital signature is no longer enough to establish trust. Attackers are increasingly combining legitimate remote administration tools, open-source security utilities, and signed drivers to bypass conventional endpoint protections.
Although Microsoft maintains a Vulnerable Driver Blocklist to stop known malicious drivers, Symantec warns there can be delays before newly discovered drivers are added and blocklist updates reach enterprise devices. This creates a window of opportunity that attackers can exploit.
For security leaders, the incident reinforces the need for behavioral detection, continuous monitoring, and rapid response capabilities rather than relying solely on file reputation or trusted signatures.
3 practical actions
Enable behavioral detection and endpoint protection capable of identifying suspicious activity, even when legitimate tools are used.
Monitor and restrict the use of remote management software, credential dumping tools, and administrative utilities such as PsExec.
Keep Microsoft vulnerable driver protections enabled and ensure endpoints receive blocklist and security updates as quickly as possible.


