Hosts Ambushed Before Their Digital Vaults Lock

GodDamn Ransomware’s Secret Weapon: A Microsoft‑Signed Driver That Turns Windows Defender Into a Sitting Duck

Four years, dozens of victims, and a brand‑new way to kill endpoint security — all wrapped up in a tidy, Microsoft‑signed package. The ransomware known as GodDamn (aka the work of the Hyadina group) just pulled a rabbit out of its kernel: a driver called PoisonX that masquerades as a legitimate Windows component, gets a shiny Microsoft signature, and then proceeds to blind every security tool on the compromised machines. This isn't a typo; it's a full‑blown BYOD (Bring Your Own Vulnerable Driver) gone rogue, and it's as terrifying as it sounds.

The PoisonX Driver: A Kernel‑Level Assassin With a Microsoft Seal of Approval

When a ransomware operator wants to shut down your antivirus without raising alarms, they need something more powerful than a clever script. They need code that runs at Ring 0 — the highest privilege level on Windows — and can yank the security processes out of the system's own memory. That's exactly what PoisonX does. Stored on disk as g11.sys (SHA‑256: 2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d), the driver is dropped into the system driver store, registered as a service, and loaded straight into the kernel.

Once loaded, PoisonX strips away the kernel callbacks that Endpoint Detection and Response (EDR) tools rely on to receive event notifications. The dashboards stay green; the software thinks it's still in control. In reality, it's gone blind — because a Ring 0 process can terminate anything in Ring 3 without asking permission. In other words, your security suite is now a paper tiger fighting a dragon that lives under the hood.

Why Your Endpoint Security Cannot Stop PoisonX Once It Loads

Windows splits execution into privilege rings. User‑mode applications — think browsers, Office, or the UI of a security product — run in Ring 3. They can only touch their own memory and must request privileged actions from the kernel. The kernel itself runs in Ring 0, with unconditional access to all memory and hardware, and the ability to terminate any process.

EDR products protect themselves with a feature called Protected Process Light, which prevents a user‑mode admin from killing them. But tamper protection lives in Ring 3. A Ring 0 driver doesn't need permission; it can directly reach into the memory space of a security process and shut it down. That's precisely what PoisonX does the moment it loads.

Because the driver operates in kernel space, traditional antivirus signatures, heuristics, and even behavioral blockers that rely on user‑mode detection become useless. The only way to stop it is to intervene at a layer below the kernel — hence the need for HVCI, WDAC, and other deep‑watch mechanisms.

Microsoft Signed PoisonX: What the Signature Actually Means

The most unsettling part of Symantec's July 9 2026 disclosure isn't that PoisonX exists — it's that it carries a valid "Microsoft Windows Hardware Compatibility Publisher" signature. In plain English: Microsoft's own driver‑signing program processed and signed this malicious driver.

As Symantec researcher Brigid O'Gorman bluntly put it:

"it is easy to say that yes, it shouldn't have been signed by Microsoft. However, we do not know the steps taken by the attackers to get the driver signed or how they might have tricked Microsoft into doing so."

What this reveals is a structural gap in the trust model. The signing program verifies publisher identity and runs compatibility tests, but it does **not** analyze driver behavior or scan for malicious IOCTL interfaces. A developer who successfully passes identity verification can submit a driver framed as a "research tool," and the system will grant a signature even if the driver's sole purpose is to terminate antivirus processes.

PoisonX's author, who goes by the GitHub alias "oxfemale" and lists a Russian security‑researcher profile on LinkedIn, originally posted the driver on April 7 2026, describing it as a "research tool." Symantec's stance is crystal‑clear: the driver has **no legitimate use case**. Within weeks, it was weaponized by the Hyadina group and folded into the GentleKiller toolkit used by the ransomware‑as‑a‑service operation known as The Gentlemen, which had already claimed 478 victims across more than 70 countries by June 2026.

Four Days to Chaos: The GodDamn Attack Timeline Unraveled

Symantec dissected a full intrusion that unfolded from May 29 to June 3 2026. The attackers didn't smash the network; they staged a calculated, four‑day infiltration that began with an unknown initial access vector — no phishing email or exploit was ever identified.

The first concrete sign of trouble appeared on May 29, when an AnyDesk remote‑desktop binary surfaced in a user's Music folder on Computer 1 — an odd location for an IT‑approved tool. The process opened outbound connections to unknown IP addresses, hinting at a foothold already in place.

On May 30, the operators staged symantec.exe (named, perhaps ironically, after Symantec) in the same Music folder. This executable dropped PoisonX into the driver store as g11.sys. Simultaneously, a 14‑tool credential‑harvesting kit appeared in a user profile subdirectory. Thirteen of those tools came from NirSoft, a legitimate Windows utilities site; the fourteenth was Mimikatz. Together they scraped credentials from browsers, Windows Credential Manager, cached domain logins, VNC sessions, email clients, Wi‑Fi profiles, and live network traffic.

By June 2, the attackers used PsExec to pivot laterally and install AnyDesk as a registered Windows autostart service on at least 10 hosts. After each installation, they terminated the AnyDesk process, waited briefly, and rebooted the machine — ensuring a persistent remote‑access foothold that survived restarts.

On June 3, the encryption payload finally emerged on a separate network segment. The binary — encrypter-windows-gui-x86.exe — was dropped from the user's Downloads or Music folder and renamed encrypted files using the victim organization's own name as the file extension (rather than the usual .God8Damn suffix). This subtle tweak helped the payload evade simple extension‑based detection.

BYOVD Is No Longer a Specialized Technique: It Has Become Standard Criminal Infrastructure

The strategy GodDamn employs has a name in the security industry: Bring Your Own Vulnerable Driver (BYOVD). Historically, BYOVD attacks exploit a legitimate but flawed signed driver — a graphics utility, an anti‑cheat module, a hardware monitor — and leverage its weaknesses to reach Ring 0.

Groups like BlackByte, AvosLocker, Lazarus, Qilin, Warlock, and DeadLock have all tried BYOVD, typically by exploiting a flaw in an existing driver. PoisonX flips the script: instead of hijacking a flawed driver, the attackers created a **malicious driver that passed Microsoft's signing process**. There is no flaw to patch; the driver does exactly what its author intended — kill security software.

Researchers at ESET discovered in March 2026 that 54 distinct EDR‑killer tools now abuse 35 signed vulnerable drivers. The lag between a driver being identified and added to the Vulnerable Driver Blocklist can be days or even weeks, giving attackers a narrow window to weaponize the driver before it's blocked.

This timing gap is the Achilles' heel of modern endpoint protection. As the Symantec report bluntly states:

"There is a lag of days, more often weeks, between a driver being identified and the blocklist update reaching enterprise endpoints. This means that only a subset of known vulnerable drivers is blocklisted at any given time, and unfortunately, attackers often move quicker than the blocklist."

Until vendors can close that gap, defenders must rely on controls that operate independently of signature‑based blocklists.

How Attackers Got Around the Blocklist Lag

Because the blocklist updates only through Windows feature releases (roughly once or twice a year), a newly weaponized driver can stay "valid" for weeks. Microsoft's driver‑signing program does not perform behavioral analysis, so a driver that looks legitimate on paper can be approved and later repurposed for malicious ends.

The only practical mitigation is to block driver loading at the kernel level, enforce code‑integrity policies, and monitor driver‑installation events — methods that we'll explore in the next section.

What Security Teams Can Do Right Now

Endpoint protection is still valuable, but it can't be the **sole** line of defense when a BYOVD attack can blind it. Below is a practical, step‑by‑step playbook that works even if the attacker has already signed a malicious driver.

HVCI: The Hypervisor‑Protected Code Integrity Lifesaver

Hypervisor‑Protected Code Integrity (HVCI) moves code‑integrity enforcement into the hypervisor — a layer below Ring 0. When enabled, it can block any kernel‑mode driver that hasn't been explicitly allowed, even if that driver carries a valid Microsoft signature. HVCI is turned on by default for most new Windows 11 devices, but it can be activated via Windows Security → Device Security → Core Isolation → Enable Memory Integrity. For enterprises where it's still off, flip the switch as a top priority.

WDAC: Windows Defender Application Control to Block Unauthorized Drivers

WDAC (Windows Defender Application Control) policies can prevent unauthorized driver loading before a malicious driver ever reaches the kernel. Microsoft publishes recommended driver‑block rules in an XML policy that can be downloaded and applied without waiting for a Patch Tuesday update. By whitelisting only signed, trusted drivers, you create a gate that stops PoisonX dead in its tracks.

Behavioral Detection Before the Driver Loads

Symantec's researchers put the emphasis on "behavioral and adaptive protection." Look for anomalies like:

  • AnyDesk or other remote‑management tools appearing in non‑standard directories (e.g., a user's Music folder).
  • New Windows services of type "kernel driver" popping up outside regular patch cycles.
  • Kernel‑mode drivers (.sys files) landing in user‑writable folders instead of System32drivers.

Tools like Sysmon can be configured to fire Event ID 6 on driver load events, and Windows Code Integrity logs Event ID 3077 when a blocklisted driver is denied. Monitoring these events gives you an early warning that doesn't require knowing the exact driver name in advance.

Air‑Gapped or Immutable Backups: The Last Line of Defense

If a BYOVD attack reaches ten hosts and successfully blinds all of them before encryption begins, your detection‑and‑response game is already lost. Recovery then hinges on backups that the attacker cannot reach from a compromised domain controller. Keep at least one backup **air‑gapped** or **immutable**, and test restores regularly — because the only thing worse than being breached is being unable to recover.

⚡️ Stop the Poison: Bulletproof Playbook

Here are five quick‑and‑dirty actions you can take right now to keep the PoisonX driver from turning your endpoints into sitting ducks:

  • Enable Memory Integrity (HVCI) on every Windows 10/11 endpoint — no exceptions.
  • Deploy WDAC driver‑block rules using Microsoft's official XML policy; update weekly.
  • Configure Sysmon Event ID 6 alerts for any .sys file dropped outside System32drivers.
  • Watch for rogue services named "kernel driver" in non‑standard locations; quarantine immediately.
  • Back up, then unplug your backup storage from the production network — make it immutable if possible.

Follow this checklist, and you'll turn the tables on attackers who think a Microsoft signature makes them untouchable.

Final Verdict: The Bottom Line

Cyber‑criminals have turned a **legitimate Microsoft signing process** into a weapon that can silently neuter every endpoint security tool on a network. The GodDamn ransomware campaign proves that a four‑year‑old threat actor can keep evolving, adding a kernel‑level assassin that slips past traditional defenses. The gap isn't a bug in Microsoft's code; it's a design choice that only checks identity, not intent.

What does that mean for you? It means you can't rely on signatures alone. You need to lock down the kernel with HVCI, enforce strict WDAC policies, and monitor driver‑load events in real time. In short, the only way to survive a PoisonX‑style attack is to treat the kernel as a hostile zone and fortify it from below.

Stay vigilant, keep your defenses layered, and remember: the next time you see a driver signed by Microsoft, ask yourself — is it really safe, or is it just a Trojan horse in a shiny coat?

If you found this breakdown useful, hit the share button, drop a comment with your own hardening tips, and — most importantly — go enable 2FA on every account you own. Because the only thing worse than a ransomware infection is watching it happen while you're still scrolling past the warning.

Stay safe, stay paranoid, and keep those kernels locked down.

Loading neon eBay deals...

Scroll to Top