Find notable cyber news and cases, enriched with sources, timelines, and signals.

GodDamn ransomware PoisonX BYOVD activity

Malware Activity
First reported
Last updated
Happening score
H score 15
1 unique sources, 1 articles

Summary

Hide ▲

The GodDamn ransomware family is using the PoisonX kernel driver to disable endpoint defenses during attacks, increasing the risk of credential theft, lateral movement, and ransomware deployment on targeted Windows hosts. The activity was first publicly observed on May 21, 2026 and later tied to an early June 2026 intrusion. Attackers used AnyDesk for remote access, a NirSoft-based credential harvester, and PsExec before installing ransomware and defense-evasion tooling. One deployment sequence was repeated across at least 10 hosts, showing a reusable intrusion workflow.

Related Happenings

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

Medusa ransomware post-compromise deployment

Malware Activity
H score48 First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...

Storm-1175 high-velocity exploit campaign

Campaign
H score59 First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Google Ads tax-search ScreenConnect malvertising campaign

Campaign
H score32 First: 24.03.2026 19:05 Last: 24.03.2026 19:05 Sources 1

About this happening: A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...

Reynolds side-loaded-loader and GotoHTTP ransomware campaign

Campaign
H score37 First: 10.02.2026 16:36 Last: 10.02.2026 16:36 Sources 1

About this happening: The **Reynolds** ransomware operation now shows **pre-deployment staging** and **post-deployment access tooling**, increasing the likelihood of persistent compromise on the target...

Timeline

  1. 09.07.2026 13:43 2 articles · 10h ago

    GodDamn operators deploy AnyDesk, PsExec, and PoisonX across targeted hosts

    Technical Analysis Update

    During an early June 2026 intrusion, the operators use AnyDesk for remote access, PsExec for lateral movement, a NirSoft-based credential harvester, and the PoisonX kernel driver alongside a fake symantec.exe component to disable endpoint defenses; by the end of June 2, the deployment sequence has been repeated across at least 10 hosts within the targeted organization.

    Show sources
  2. 09.07.2026 13:43 1 articles · 10h ago

    GodDamn ransomware is detected on a separate network segment

    Victim Impact Update

    GodDamn ransomware is first detected on June 3, 2026 on a separate network segment associated with a distinct organizational unit, and the files on those systems are renamed with the victim's name as the extension instead of .God8Damn.

    Show sources