Last updated: July 10, 2026 at 9:23 AM UTC
All 586 Vulnerability 210 Breach 110 Threat 259 Defense 7
Tag: defense-evasion (1 article)Clear

GodDamn ransomware uses a Microsoft-signed malicious driver to disable defenses

Symantec detailed GodDamn, a ransomware operation that disables endpoint defenses using PoisonX, a malicious kernel driver its developers managed to get signed by Microsoft, an unusual escalation over the more common tactic of abusing a legitimate vulnerable driver. In an early-June attack, the operators used AnyDesk for remote access and a credential-harvesting toolkit that pulls passwords from browsers, Windows Credential Manager, cached domain credentials, email clients, and network traffic, before deploying the ransomware. Alongside the signed driver, they ran a user-mode tool disguised as a Symantec product to blind security software. Symantec links GodDamn to a developer it tracks as Hyadina and says the group is actively improving its defense-evasion capabilities.

Check
Watch for bring-your-own-driver activity and processes masquerading as security products, audit remote-access tools like AnyDesk in your environment, and monitor for credential-harvesting across browsers and Windows credential stores.
Affected
Windows organizations where attackers gain a foothold; GodDamn uses a Microsoft-signed malicious driver to switch off endpoint defenses, harvests credentials broadly, then encrypts systems, making detection before deployment much harder.
Fix
Enable driver block lists and tamper protection, restrict who can load kernel drivers, tightly control remote-access software, enforce phishing-resistant MFA, and keep monitored offline backups so encryption stays recoverable.