Cybersecurity researchers have discovered a new data extortion group called Helix that has been targeting companies by using user credenti...
A ransomware group known as Hyadina has been observed using a Microsoft-signed Windows kernel driver to disable endpoint security software before deploying its latest ransomware variant, GodDamn, according to researchers at Symantec. The campaign combines trusted administrative software, publicly available offensive security tools and a signed kernel driver to establish control over victim environments before encrypting systems.
Hyadina has operated as a ransomware-as-a-service (RaaS) group for approximately four years, evolving its malware from earlier variants known as Beast and Monster to its current GodDamn locker. The group primarily targets organizations in the United States while reportedly avoiding victims in former Soviet countries. Previous attacks have affected organizations across healthcare, manufacturing, education and several other industries.
Symantec was unable to determine how the attackers initially gained access to the compromised environment. The first confirmed activity appeared on May 29, when an unauthorized copy of AnyDesk was discovered inside the Music folder of an infected system. Although AnyDesk is legitimate remote access software widely used for IT support, threat actors frequently abuse remote monitoring and management applications because they provide persistent access while blending into normal administrative activity.
The following day, the attackers deployed an executable named symantec.exe, which installed a kernel-mode driver called PoisonX. Running in the Windows kernel gives a driver the highest level of system privileges, allowing it to interact directly with core operating system functions. According to Symantec, PoisonX carried a valid Microsoft Hardware Compatibility signature, enabling Windows to load the driver as trusted.
Once active, PoisonX terminated security-related processes and removed user-mode API hooks commonly used by endpoint detection and response (EDR) solutions to monitor application behavior. By disabling those monitoring mechanisms, the attackers reduced the visibility of security software before carrying out the remaining stages of the intrusion.
With endpoint protections weakened, Hyadina expanded its operation using a collection of credential theft and reconnaissance utilities. Investigators observed fourteen open-source tools designed to recover credentials from web browsers, email clients and instant messaging applications, as well as utilities capable of extracting Wi-Fi credentials and capturing live network traffic. All but one of those tools originated from NirSoft, which publishes legitimate Windows administration utilities. The remaining tool, Mimikatz, is widely known for extracting credentials and authentication material from Windows systems and is frequently abused during post-compromise activity.
The attackers also relied on PsExec, Microsoft's remote administration utility, to move laterally across the victim's network. Combined with legitimate remote management software, credential theft utilities and the signed kernel driver, the attackers were able to strengthen their foothold across multiple systems before deploying the GodDamn ransomware payload.
Symantec also examined the origins of PoisonX. The driver was uploaded to GitHub on April 7 by a developer using the name oxfemale, who described it as a research tool. The developer regularly publishes offensive security projects, including exploit proof-of-concepts, credential stealers and software designed to disable antivirus products, while identifying themselves on LinkedIn as a Russian security researcher specializing in reverse engineering and penetration testing. Symantec, however, considers PoisonX to be malware because its primary function is to disable security protections rather than support legitimate defensive research. Researchers said it remains unclear how the driver obtained Microsoft's Hardware Compatibility signature or whether the signing process was manipulated.
Microsoft maintains a Vulnerable Driver Blocklist to prevent known malicious or exploitable drivers from loading, even when they possess valid signatures. However, Symantec noted that newly identified drivers are not added to the blocklist immediately. Updates can take days or, in some cases, weeks to reach enterprise systems, leaving a window during which attackers can continue using newly signed or newly discovered drivers before defensive protections are updated.
Commenting on the broader use of legitimate software during ransomware intrusions, Symantec's Brigid O Gorman noted that nearly any administrative or security tool can become malicious when misused. She said this makes behavioral and adaptive security controls particularly important because they focus on suspicious activity rather than relying solely on known malicious files or applications. In the case of Hyadina, that combination of trusted software, publicly available offensive tools and a signed kernel driver enabled the attackers to disable security protections, steal credentials, move laterally through the environment and ultimately deploy ransomware.