GodDamn ransomware PoisonX BYOVD activity
Malware Activity
Summary
Hide ▲
Show ▼
The GodDamn ransomware family is using the PoisonX kernel driver to disable endpoint defenses during attacks, increasing the risk of credential theft, lateral movement, and ransomware deployment on targeted Windows hosts. The activity was first publicly observed on May 21, 2026 and later tied to an early June 2026 intrusion. Attackers used AnyDesk for remote access, a NirSoft-based credential harvester, and PsExec before installing ransomware and defense-evasion tooling. One deployment sequence was repeated across at least 10 hosts, showing a reusable intrusion workflow.
Related Happenings
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Medusa ransomware post-compromise deployment
Malware Activity
H score48
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Medusa ransomware post-compromise deployment
Malware ActivityAbout this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Storm-1175 high-velocity exploit campaign
Campaign
H score59
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Storm-1175 high-velocity exploit campaign
CampaignAbout this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
H score32
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Google Ads tax-search ScreenConnect malvertising campaign
CampaignAbout this happening: A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Reynolds side-loaded-loader and GotoHTTP ransomware campaign
Campaign
H score37
First: 10.02.2026 16:36
Last: 10.02.2026 16:36
Sources 1
About this happening:
The **Reynolds** ransomware operation now shows **pre-deployment staging** and **post-deployment access tooling**, increasing the likelihood of persistent compromise on the target...
Reynolds side-loaded-loader and GotoHTTP ransomware campaign
CampaignAbout this happening: The **Reynolds** ransomware operation now shows **pre-deployment staging** and **post-deployment access tooling**, increasing the likelihood of persistent compromise on the target...
Timeline
-
09.07.2026 13:43 1 articles · 10h ago
GodDamn ransomware is first publicly spotted
Initial DisclosureGodDamn ransomware is first publicly spotted in the wild on May 21, 2026 and is assessed as a rebrand of Beast ransomware, which traces back to Monster.
Show sources
- GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses — thehackernews.com — 09.07.2026 13:43
-
09.07.2026 13:43 2 articles · 10h ago
GodDamn operators deploy AnyDesk, PsExec, and PoisonX across targeted hosts
Technical Analysis UpdateDuring an early June 2026 intrusion, the operators use AnyDesk for remote access, PsExec for lateral movement, a NirSoft-based credential harvester, and the PoisonX kernel driver alongside a fake symantec.exe component to disable endpoint defenses; by the end of June 2, the deployment sequence has been repeated across at least 10 hosts within the targeted organization.
Show sources
- GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses — thehackernews.com — 09.07.2026 13:43
- GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses — thehackernews.com — 09.07.2026 13:43
-
09.07.2026 13:43 1 articles · 10h ago
GodDamn ransomware is detected on a separate network segment
Victim Impact UpdateGodDamn ransomware is first detected on June 3, 2026 on a separate network segment associated with a distinct organizational unit, and the files on those systems are renamed with the victim's name as the extension instead of .God8Damn.
Show sources
- GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses — thehackernews.com — 09.07.2026 13:43