GodDamn ransomware: Beast rebrand, signed EDR-killer driver
Symantec attributes a new family, GodDamn, as a Beast rebrand shipping the PoisonX driver (g11.sys) — a Microsoft-signed kernel BYOVD used to neutralize endpoint defenses.
Symantec’s Threat Hunter Team attributes a new ransomware family, GodDamn, as a rebrand of Beast — itself an enhanced version of the Delphi-based Monster from March 2022. First seen in the wild 2026-05-21. Confirmed by Symantec, carried by The Hacker News on 2026-07-09. Lead detail: the family ships a kernel driver, g11.sys, that Symantec says its developers succeeded in getting Microsoft-signed. That driver, “PoisonX,” neutralizes endpoint defenses on the host before encryption runs.
What’s confirmed
- New family, old lineage. GodDamn = rebrand of Beast = enhanced Monster. Attribution: Symantec Threat Hunter Team. Confidence: high.
- First observed. 2026-05-21 in the wild. Confidence: high.
- Developer moniker. “Hyadina,” per Symantec. Confidence: high.
- PoisonX driver.
g11.sys, Microsoft-signed, used to disable endpoint security software on the host — a bring-your-own-vulnerable-driver (BYOVD) capability, deployed as part of GodDamn’s defense-evasion stage. Confidence: high, per Symantec. - Second consumer of PoisonX. The Gentlemen ransomware-as-a-service scheme’s “GentleKiller” tool also uses PoisonX. Two distinct ransomware operations share the same driver. Confidence: high.
- File extension.
.God8Damnin most attacks; a variant renames files with the victim’s own name as extension. Confidence: high. - Contact channel. Ransom note directs victims to email or the qTox encrypted messaging app. Confidence: high.
- Post-compromise remote access. AnyDesk observed inside compromised environments. Confidence: high.
What’s uncertain — treat accordingly
- Initial access vector. Symantec: “The exact initial access vector is unknown.” Confidence: unconfirmed. Do not assume phishing, do not assume public-facing exploitation until Symantec or another vendor names it.
- The Microsoft-signed angle. Symantec’s phrasing — developers “succeeded in getting” the driver signed — implies abuse of a certificate authority or a submission-to-attestation pipeline, not the discovery of an already-signed legitimately vulnerable driver being repurposed. That is a materially different class of BYOVD, and it is not spelled out in Symantec’s public summary. Confidence: unconfirmed on mechanism; confirmed only that the driver is signed and in use.
- Victim geography and industry. No industries or victim organizations named in Symantec’s public summary. No leak site referenced. Confidence: unconfirmed.
- Volume. Between first observation on 2026-05-21 and Symantec’s publication, seven weeks elapsed. Whether that reflects targeted low-volume operations or a small-sample early telemetry window is not stated. Confidence: unconfirmed.
- Overlap with the Gentlemen crew. Shared tooling is not shared operations. Whether Hyadina developed PoisonX and licensed it to Gentlemen, or vice versa, or a third party sells it to both, is not addressed. Confidence: unconfirmed.
- No CVE, no IOCs published. Symantec’s public writeup does not attach a CVE for the signed driver, nor hashes for
g11.sysor the GodDamn payload. Detection engineering off this piece alone is not possible; wait for the vendor IOC drop. Confidence: as-stated.
What to do
- Any environment running EDR as the primary containment control. BYOVD is the specific technique category that turns off the sensor you are relying on to see the intrusion in the first place. Microsoft’s Vulnerable Driver Blocklist (documentation) is the standing mitigation and is on by default on Windows 11 22H2+ and Windows Server 2025; verify it is enforced, not just present. Once Symantec, Microsoft, or a third-party vendor publishes the
g11.syshash, expect an update to that list — track and deploy it. - Watch outbound qTox and AnyDesk. Neither is malicious in isolation; both are load-bearing here. AnyDesk into an environment that has no documented AnyDesk business use is a triage signal. qTox traffic from a server-class host is not normal.
- Ransomware-family tracking teams. File Beast lineage as active: Monster (March 2022) → Beast → GodDamn. Any leak site claiming to be new-brand ransomware over the next quarter that also uses
.God8Damn, qTox for contact, or the PoisonX driver is worth checking against this lineage rather than filed as unknown. - Anyone treating “Microsoft-signed” as a trust signal in driver allowlisting. The kernel-driver signing pipeline has been abused before (Sophos on the 2023 wave); this is another data point that a valid signature is not equivalent to a benign driver. Signature is a prerequisite for load, not a proof of intent.
Timeline
- March 2022 — Monster (Delphi-based) surfaces publicly.
- ~2023–2025 — Monster iterates into Beast.
- 2026-05-21 — GodDamn first observed in the wild, per Symantec.
- 2026-07-09 — Symantec publishes the Beast-rebrand attribution and PoisonX-driver detail; carried same day by The Hacker News.
Filed breaking, family attribution and BYOVD capability high-confidence per Symantec, initial-access and victim-set unconfirmed. Update when Symantec or Microsoft publishes hashes for g11.sys, when a leak site is identified, or when the signing-abuse mechanism is characterized.
Found this useful? Share it.


