Back to Blog
high severity July 09, 2026 · scope unconfirmed

GodDamn Ransomware Uses PoisonX BYOVD Driver in Attacks

Researchers detailed a new ransomware family called GodDamn (a rebrand of Beast/Monster by the Hyadina developer), which employs the Microsoft-signed PoisonX kernel driver (BYOVD technique) to disable endpoint security software. It has been observed in attacks against US organizations using tools like AnyDesk and PsExec for lateral movement. The campaign highlights evolving ransomware evasion tactics.

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
GodDamn Ransomware Uses PoisonX BYOVD Driver in Attacks
Severity High
Disclosed July 09, 2026
Affected Unconfirmed
Data exposed corporate data

On July 9, 2026, researchers disclosed that a ransomware group known as GodDamn had begun using a Microsoft-signed kernel driver called PoisonX to disable security software on victim computers before encrypting corporate data.

Confirmed Attack Details

Confirmed Attack Details

Public reporting indicates the GodDamn ransomware is a rebrand of an earlier family known as Beast or Monster, developed by an individual or group referred to as Hyadina. The malware employs a Bring Your Own Vulnerable Driver technique by loading the legitimate but vulnerable PoisonX driver to terminate endpoint protection tools. Attackers have been observed using remote desktop applications such as AnyDesk and the legitimate administration tool PsExec to move laterally inside victim networks. The incidents have targeted organizations in the United States, although the exact number of victims and the volume of data taken remain unknown at this time. The campaign focuses on stealing corporate files before deploying the ransomware payload.

Why This Matters for You and Your Family

Why This Matters for You and Your Family

Even though the attacks described so far hit corporate networks, the data stolen often includes employee records, customer information, email addresses, and internal documents that can be traced back to individuals. When corporate data appears on dark-web leak sites, it frequently exposes personal details that criminals can link to your home address, phone number, or family members. Credential leaks from these incidents routinely surface weeks or months later on underground forums, giving other criminals the raw material they need to attempt account takeovers on personal email, banking, or social media accounts. For families this means one workplace breach can quietly create long-term exposure for everyone living at the same address.

The Doxxing and Identity-Chain Risk

Ransomware operators like GodDamn typically publish or sell the stolen data when ransom demands go unpaid. Once that information reaches broader criminal circles, it fuels doxxing chains: an email address from the corporate leak is matched to a username on a gaming platform, which is then tied to a phone number recovered from a separate breach, eventually revealing your full identity and location. These chains are especially dangerous for children’s gaming accounts, where loose privacy settings can let attackers connect a parent’s work email to a child’s Discord or Roblox handle. The result is not a single leaked password but a persistent map that criminals can exploit for harassment, identity theft, or targeted scams against your household.

GodDamn Group’s Known Activity

Public reporting attributes the GodDamn ransomware to the same developer behind the earlier Beast and Monster families. The group emerged in its current form after rebranding in 2026 and has focused on U.S. organizations. Its typical playbook begins with initial access gained through compromised credentials or remote desktop tools, followed by deployment of the PoisonX driver to neutralize antivirus software. After lateral movement with tools such as AnyDesk and PsExec, the actors exfiltrate corporate files and later encrypt systems. Extortion follows the now-standard model of threatening to publish stolen data on leak sites if payment is not made. Details on prior notable victims remain limited in early reporting.

What to do

  • Run a DoxxScan to map every link between your work emails, personal handles, phone numbers, and real identity, then complete the no-subscription cleanup of exposed records.
  • Rotate any password you used at the affected organization anywhere else it is reused, and switch on two-factor authentication through an authenticator app rather than SMS.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next leak that touches your family is flagged within hours instead of months.
  • Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts, which often become the weakest link in doxxing chains after credential leaks like this one.
  • Let DoxxScan remediation specialists manage takedown requests across data brokers and leak sites on your behalf while you focus on securing accounts at home.

The incident shows that ransomware tactics continue to evolve faster than many corporate defenses, but the personal fallout can be limited if you act quickly on your own exposure. Start your DoxxScan trial today to gain continuous monitoring, AI-powered identity-chain mapping, and hands-on help from specialists who treat your family’s full digital footprint—including gaming accounts—as a single protection priority. Taking these steps now reduces the chance that today’s corporate breach becomes tomorrow’s family doxxing incident.

Sources: The Hacker News
Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.