GodDamn Ransomware Uses PoisonX BYOVD Driver in Attacks
Researchers detailed a new ransomware family called GodDamn (a rebrand of Beast/Monster by the Hyadina developer), which employs the Microsoft-signed PoisonX kernel driver (BYOVD technique) to disable endpoint security software. It has been observed in attacks against US organizations using tools like AnyDesk and PsExec for lateral movement. The campaign highlights evolving ransomware evasion tactics.
On July 9, 2026, researchers disclosed that a ransomware group known as GodDamn had begun using a Microsoft-signed kernel driver called PoisonX to disable security software on victim computers before encrypting corporate data.
Confirmed Attack Details
Public reporting indicates the GodDamn ransomware is a rebrand of an earlier family known as Beast or Monster, developed by an individual or group referred to as Hyadina. The malware employs a Bring Your Own Vulnerable Driver technique by loading the legitimate but vulnerable PoisonX driver to terminate endpoint protection tools. Attackers have been observed using remote desktop applications such as AnyDesk and the legitimate administration tool PsExec to move laterally inside victim networks. The incidents have targeted organizations in the United States, although the exact number of victims and the volume of data taken remain unknown at this time. The campaign focuses on stealing corporate files before deploying the ransomware payload.
Why This Matters for You and Your Family
Even though the attacks described so far hit corporate networks, the data stolen often includes employee records, customer information, email addresses, and internal documents that can be traced back to individuals. When corporate data appears on dark-web leak sites, it frequently exposes personal details that criminals can link to your home address, phone number, or family members. Credential leaks from these incidents routinely surface weeks or months later on underground forums, giving other criminals the raw material they need to attempt account takeovers on personal email, banking, or social media accounts. For families this means one workplace breach can quietly create long-term exposure for everyone living at the same address.
The Doxxing and Identity-Chain Risk
Ransomware operators like GodDamn typically publish or sell the stolen data when ransom demands go unpaid. Once that information reaches broader criminal circles, it fuels doxxing chains: an email address from the corporate leak is matched to a username on a gaming platform, which is then tied to a phone number recovered from a separate breach, eventually revealing your full identity and location. These chains are especially dangerous for children’s gaming accounts, where loose privacy settings can let attackers connect a parent’s work email to a child’s Discord or Roblox handle. The result is not a single leaked password but a persistent map that criminals can exploit for harassment, identity theft, or targeted scams against your household.
GodDamn Group’s Known Activity
Public reporting attributes the GodDamn ransomware to the same developer behind the earlier Beast and Monster families. The group emerged in its current form after rebranding in 2026 and has focused on U.S. organizations. Its typical playbook begins with initial access gained through compromised credentials or remote desktop tools, followed by deployment of the PoisonX driver to neutralize antivirus software. After lateral movement with tools such as AnyDesk and PsExec, the actors exfiltrate corporate files and later encrypt systems. Extortion follows the now-standard model of threatening to publish stolen data on leak sites if payment is not made. Details on prior notable victims remain limited in early reporting.
What to do
- Run a DoxxScan to map every link between your work emails, personal handles, phone numbers, and real identity, then complete the no-subscription cleanup of exposed records.
- Rotate any password you used at the affected organization anywhere else it is reused, and switch on two-factor authentication through an authenticator app rather than SMS.
- Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next leak that touches your family is flagged within hours instead of months.
- Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts, which often become the weakest link in doxxing chains after credential leaks like this one.
- Let DoxxScan remediation specialists manage takedown requests across data brokers and leak sites on your behalf while you focus on securing accounts at home.
The incident shows that ransomware tactics continue to evolve faster than many corporate defenses, but the personal fallout can be limited if you act quickly on your own exposure. Start your DoxxScan trial today to gain continuous monitoring, AI-powered identity-chain mapping, and hands-on help from specialists who treat your family’s full digital footprint—including gaming accounts—as a single protection priority. Taking these steps now reduces the chance that today’s corporate breach becomes tomorrow’s family doxxing incident.
Related breaches
Match Group (Tinder, Hinge, OkCupid) Data Breach — January 2026
ShinyHunters claimed responsibility for stealing over 10 million Match Group user records in early 2…
Crunchbase Massive Personal Records Leak — January 2026
ShinyHunters exfiltrated approximately 2 million records from the business-intelligence platform Cru…
Brightspeed Fiber Broadband Incident — January 2026
Crimson Collective ransomware group allegedly stole personal data of over 1 million Brightspeed cust…
A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.
⚠ Were you in this breach?
Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.
Check my email — free →