A ransomware group known as Hyadina has been observed using a Microsoft-signed Windows kernel driver to disable endpoint security software before deploying its latest ransomware variant, GodDamn, according to researchers at Symantec. The campaign combines trusted administrative software, publicly available offensive security tools and a signed kernel driver to establish control over victim environments before encrypting systems.
Hyadina has operated as a ransomware-as-a-service (RaaS) group for approximately four years, evolving its malware from earlier variants known as Beast and Monster to its current GodDamn locker. The group primarily targets organizations in the United States while reportedly avoiding victims in former Soviet countries. Previous attacks have affected organizations across healthcare, manufacturing, education and several other industries.
Symantec was unable to determine how the attackers initially gained access to the compromised environment. The first confirmed activity appeared on May 29, when an unauthorized copy of AnyDesk was discovered inside the Music folder of an infected system. Although AnyDesk is legitimate remote access software widely used for IT support, threat actors frequently abuse remote monitoring and management applications because they provide persistent access while blending into normal administrative activity.
The following day, the attackers deployed an executable named symantec.exe, which installed a kernel-mode driver called PoisonX. Running in the Windows kernel gives a driver the highest level of system privileges, allowing it to interact directly with core operating system functions. According to Symantec, PoisonX carried a valid Microsoft Hardware Compatibility signature, enabling Windows to load the driver as trusted.
Once active, PoisonX terminated security-related processes and removed user-mode API hooks commonly used by endpoint detection and response (EDR) solutions to monitor application behavior. By disabling those monitoring mechanisms, the attackers reduced the visibility of security software before carrying out the remaining stages of the intrusion.
With endpoint protections weakened, Hyadina expanded its operation using a collection of credential theft and reconnaissance utilities. Investigators observed fourteen open-source tools designed to recover credentials from web browsers, email clients and instant messaging applications, as well as utilities capable of extracting Wi-Fi credentials and capturing live network traffic. All but one of those tools originated from NirSoft, which publishes legitimate Windows administration utilities. The remaining tool, Mimikatz, is widely known for extracting credentials and authentication material from Windows systems and is frequently abused during post-compromise activity.
The attackers also relied on PsExec, Microsoft's remote administration utility, to move laterally across the victim's network. Combined with legitimate remote management software, credential theft utilities and the signed kernel driver, the attackers were able to strengthen their foothold across multiple systems before deploying the GodDamn ransomware payload.
Symantec also examined the origins of PoisonX. The driver was uploaded to GitHub on April 7 by a developer using the name oxfemale, who described it as a research tool. The developer regularly publishes offensive security projects, including exploit proof-of-concepts, credential stealers and software designed to disable antivirus products, while identifying themselves on LinkedIn as a Russian security researcher specializing in reverse engineering and penetration testing. Symantec, however, considers PoisonX to be malware because its primary function is to disable security protections rather than support legitimate defensive research. Researchers said it remains unclear how the driver obtained Microsoft's Hardware Compatibility signature or whether the signing process was manipulated.
Microsoft maintains a Vulnerable Driver Blocklist to prevent known malicious or exploitable drivers from loading, even when they possess valid signatures. However, Symantec noted that newly identified drivers are not added to the blocklist immediately. Updates can take days or, in some cases, weeks to reach enterprise systems, leaving a window during which attackers can continue using newly signed or newly discovered drivers before defensive protections are updated.
Commenting on the broader use of legitimate software during ransomware intrusions, Symantec's Brigid O Gorman noted that nearly any administrative or security tool can become malicious when misused. She said this makes behavioral and adaptive security controls particularly important because they focus on suspicious activity rather than relying solely on known malicious files or applications. In the case of Hyadina, that combination of trusted software, publicly available offensive tools and a signed kernel driver enabled the attackers to disable security protections, steal credentials, move laterally through the environment and ultimately deploy ransomware.
Nearly seven million people are being notified after a cyberattack on Atlanta-based auto insurer AssuranceAmerica exposed highly sensitive personal information, including driver's license numbers, Social Security numbers and insurance records, raising concerns about long-term identity theft risks.
According to the company's breach notice and filings submitted to state regulators, the incident began on March 16, 2026, when a threat actor gained unauthorized access to AssuranceAmerica's internal network using compromised employee credentials obtained through a phishing attack. The company detected suspicious activity the following day, secured the affected systems, and launched a forensic investigation to determine the scope of the compromise.
The investigation later revealed that the attackers had copied files containing personal information belonging to approximately 6.99 million individuals. The exposed data varies by person but may include names, residential addresses, driver's license numbers, Social Security numbers, taxpayer identification numbers, insurance policy and account details, claims information, as well as driver and vehicle records.
The scale of the breach makes it one of the larger disclosures involving government-issued identity documents this year. South Carolina alone reported that 611,046 residents may have been affected, according to the state's Department of Consumer Affairs.
Unlike passwords, driver's license numbers are not easily replaced after they are exposed. These identifiers are widely used to verify identity across banks, insurers, vehicle rental companies, government agencies and financial institutions. When combined with Social Security numbers and other personally identifiable information, they can enable criminals to apply for loans, open fraudulent accounts, submit false tax returns or impersonate victims during identity verification processes.
Law firm Edelson Lechtzin LLP, which announced an investigation into the incident, warned that the compromised information could be used to facilitate identity theft and other forms of financial fraud.
Although AssuranceAmerica identified the intrusion within roughly 24 hours, affected individuals were not notified until late June after investigators completed their review of the compromised data on June 15. The nearly three-month gap between the initial breach and customer notifications has drawn attention to the time required to determine exactly whose information had been accessed before notifications could be issued.
In its public notice, AssuranceAmerica said it disabled the compromised accounts, reset credentials, strengthened network monitoring and provided additional cybersecurity awareness training to employees. The company also engaged external forensic specialists to investigate the incident. However, it has not publicly confirmed whether all affected individuals will receive complimentary credit monitoring or identity protection services.
The AssuranceAmerica breach comes amid a growing number of incidents involving government-issued identity documents. In June, Texas disclosed a separate cyberattack affecting approximately three million driver's license and passport records maintained by the Texas Parks and Wildlife Department, adding to a broader trend of organizations reporting the theft of sensitive identification data.
The growing reliance on digital identity verification has also increased the amount of personal identification collected by businesses and online platforms. As governments and private organizations increasingly require users to upload driver's licenses and other official documents for account verification and age checks, cybersecurity experts warn that breaches involving these records can have lasting consequences because many of these identifiers cannot be easily changed once exposed.
Individuals who may have been affected are encouraged to closely review financial and insurance accounts for suspicious activity, consider placing a credit freeze or fraud alert with the major credit bureaus, monitor their credit reports for unauthorized accounts and remain cautious of phishing emails or phone calls that attempt to exploit information exposed during the breach. Victims should also follow guidance issued by their state consumer protection agencies and promptly report any suspected identity theft.
The Coca-Cola Company has revealed that a ransomware attack targeting its Fairlife dairy business has temporarily disrupted production across the United States after threat actors gained unauthorized access to company systems, including those supporting manufacturing operations.
The incident was disclosed in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), a regulatory filing used by publicly traded companies to report significant corporate events. According to Coca-Cola, the cyberattack affected certain Fairlife systems, including production-related infrastructure, prompting the company to temporarily suspend manufacturing at its U.S. facilities while recovery efforts are underway.
Upon detecting the unauthorized activity, Coca-Cola said it immediately activated its incident response and business continuity protocols to contain the incident and minimize operational disruption. The company has engaged external cybersecurity advisors and experts to support its investigation and recovery efforts, while law enforcement has also been notified.
Although manufacturing operations have been interrupted, Coca-Cola emphasized that the ransomware attack has not affected the quality or safety of Fairlife products. The temporary production halt is part of the company's response as it works to restore impacted systems and verify operational readiness before resuming normal manufacturing activities. Fairlife's Canadian production facilities continue to operate normally and have not been affected by the incident.
The company said its investigation remains ongoing and that it is continuing to assess both the nature of the attack and its potential business impact. At this stage, Coca-Cola has not determined whether the incident is reasonably likely to have a material effect on the company's financial condition or overall operations.
Fairlife is one of Coca-Cola's dairy brands and manufactures a range of ultra-filtered milk products, protein shakes and nutrition beverages sold across the United States. Its product portfolio includes Ultra-Filtered Milk, Core Power Protein Shakes and Nutrition Plan.
Several aspects of the incident remain undisclosed. Coca-Cola has not confirmed whether attackers exfiltrated any data during the intrusion, whether the company has received an extortion demand or which ransomware operation may be responsible for the attack. As of publication, no known ransomware group has publicly claimed responsibility for the incident.
Ransomware attacks increasingly target organizations' operational environments in addition to traditional corporate networks, as disrupting production can exponentially multiply pressure on victims during recovery efforts. Many modern ransomware operations also employ double-extortion tactics by stealing sensitive information before encrypting systems and later threatening to publish the stolen data unless a ransom is paid. However, Coca-Cola has not indicated that any data theft occurred in this incident, and there is currently no public evidence confirming that attackers exfiltrated information from Fairlife's systems.
When asked whether data had been stolen, whether the company had received an extortion demand or which ransomware group may have been behind the attack, a Coca-Cola spokesperson declined to provide additional details beyond the company's public statement.
Coca-Cola continues to restore affected systems while its investigation remains ongoing, with U.S. Fairlife production expected to resume once recovery efforts are completed and manufacturing systems have been safely brought back online.
Dutch authorities have arrested multiple suspects as part of an international investigation into an alleged investment fraud network that investigators believe defrauded victims worldwide through fake online investment schemes, with the operation at one point generating more than €100 million in monthly proceeds.
According to the Dutch Police, the criminal organization is suspected of operating an extensive network of approximately 20 call centers staffed by more than 700 individuals who allegedly posed as professional financial advisers. Investigators said the operation targeted victims across multiple countries, with teams assigned to specific regions and responsibilities to maximize the effectiveness of the fraudulent campaigns.
The investigation's primary suspect, a 46-year-old dual Israeli-Polish national, was arrested in Poland on May 26 before being extradited to the Netherlands, where he has been placed in pre-trial detention. Dutch authorities allege that he played a central technical role in building and maintaining the infrastructure that enabled the organization to conduct its activities while making it more difficult for law enforcement agencies to identify those involved.
Police also noted that publicly available information indicates the suspect had previously faced prosecution in connection with cyberattacks targeting several foreign government organizations. Authorities now believe he occupied an indispensable position within the investment fraud network.
The investigation expanded further between July 7 and July 10, when law enforcement officers arrested several Dutch and Belgian nationals in Cyprus, Greece, and Belgium for their suspected involvement in the scheme. Officials said the investigation remains active and additional arrests are possible as authorities continue to identify other members of the organization.
Investigators describe the alleged operation as a highly organized criminal enterprise that functioned similarly to a legitimate international business. Multiple call centers reportedly operated under centralized coordination while individual teams focused on victims in different countries. Employees allegedly used false identities, pseudonyms, and technical measures designed to conceal both their real identities and their physical locations during communications with potential victims.
According to investigators, the fraud relied heavily on long-term social engineering rather than immediate financial deception. Victims were first approached by individuals presenting themselves as experienced investment advisers who gradually established trust through repeated conversations. Once that trust had been developed, victims were encouraged to invest relatively small amounts through professional-looking online investment platforms that appeared to display genuine market activity and growing returns.
Authorities said these platforms did not reflect legitimate investments. Instead, the displayed profits were fabricated to create the impression of successful trading and encourage victims to continue depositing larger sums. Many of the payments were made using cryptocurrency, making it incredibly more difficult to recover stolen funds after they had been transferred. While victims believed their portfolios were increasing in value, investigators said the money was instead diverted directly to the criminal organization.
Dutch investigators have linked at least 550 fraud reports and approximately €25 million in reported losses in the Netherlands to the organization. Belgian authorities have also connected around 200 complaints to the same network. Police believe these figures represent only a fraction of the total impact, estimating that the operation may have claimed tens of thousands of victims globally, with many individuals losing more than €10,000 each.
Authorities believe the organization has been active since at least 2021 and employed sophisticated operational security practices to avoid detection. Investigators said members routinely relied on pseudonyms, concealed calling locations, and other technical methods to obscure their identities while communicating with victims.
The investigation ultimately progressed after authorities traced digital evidence, including IP addresses, financial transaction routes, and other forensic artifacts that helped identify critical infrastructure associated with the operation. The examination of technical equipment provided investigators with additional insight into how the organization functioned and helped establish the locations of several suspects.
Dutch Police said the investigation was conducted in cooperation with international law enforcement partners, while commercial service providers also assisted in disrupting elements of the group's digital infrastructure. Authorities emphasized that efforts to identify additional suspects and victims remain ongoing.
Police have also warned the public to remain cautious of so-called recovery services that claim they can retrieve money lost to investment scams. Investigators noted that, in some cases, such offers are themselves fraudulent attempts to exploit victims a second time by demanding additional payments under the false promise of recovering stolen funds.