What Happened
Symantec’s Threat Hunter Team published a report on July 9, 2026, detailing GodDamn, a ransomware operation active since at least May 21, 2026, and assessed as a rebrand of Beast ransomware. Beast itself was an enhanced version of Monster, a Delphi-based ransomware family tracked since March 2022. The developer behind all three variants is tracked under the moniker Hyadina.
GodDamn’s distinguishing capability is the use of PoisonX (filename: g11.sys), a kernel-mode driver signed with a legitimate Microsoft Hardware Compatibility signature. PoisonX was first documented in early 2026 when it was used to kill CrowdStrike Falcon by sending a crafted IOCTL to the driver’s undocumented interface. In GodDamn attacks, PoisonX terminates endpoint detection and response (EDR) and antivirus processes, then strips user-mode API hooks — effectively blinding the host to any subsequent attacker activity before the ransomware payload is deployed.
In one confirmed attack from early June 2026, GodDamn operators used AnyDesk for initial remote access and deployed a NirSoft-based credential-harvesting toolkit prior to lateral movement and encryption. The full report is available from The Hacker News and Dark Reading.
Why This Matters for Canadian Organizations
The Bring Your Own Vulnerable Driver (BYOVD) technique is not new — Canadian organizations first encountered it at scale with Qilin and BlackCat ransomware in 2025 — but GodDamn’s use of a driver carrying an active Microsoft Hardware Compatibility signature raises the severity level considerably. A signed driver presents as legitimate to the operating system, bypassing driver blocklist enforcement that many organizations rely on as a BYOVD defense. Microsoft’s driver signing process approved PoisonX despite it having no legitimate use, a failure that mirrors the process gap that allowed the July 2024 CrowdStrike incident and prior BYOVD campaigns.
For Canadian enterprises operating under OSFI B-13, the obligation to maintain “effective controls over operating system integrity” directly implicates kernel-level driver attacks. Organizations with mature endpoint security programs should verify that their EDR vendors have updated blocklists to include PoisonX (g11.sys) hash indicators. Firms relying solely on EDR as their ransomware detection layer need to understand that BYOVD attacks are designed specifically to remove that layer before the payload runs — by the time encryption begins, EDR is already blind.
AnyDesk appears as the initial access vector in this campaign. Canadian IT teams that permit AnyDesk or similar remote desktop tools without strict access controls, allowlisting, and session logging face elevated risk. The NirSoft toolkit used for credential harvesting is widely available and not malicious by itself — its use in attacks underscores the importance of behavioral detection over signature-based tooling.
What to Do
Check your EDR vendor’s threat intelligence feed for GodDamn and PoisonX indicators of compromise, including the g11.sys driver hash. Verify that your Windows Defender Vulnerable Driver Blocklist is current — Microsoft periodically updates this list via Windows Update and Defender signature releases. If your organization uses AnyDesk, audit active sessions and access policies; require MFA for all remote access tools and enable session logging to a central SIEM. Review your backup posture: GodDamn’s encryption-focused payload is designed to destroy data as a primary objective. Offline or immutable backups are the primary recovery mechanism when EDR-based detection fails. Report any indicators consistent with GodDamn activity to the CCCS.






