A Microsoft-Approved Driver Is Helping 'GodDamn' Ransomware Gut US Security Tools
A rebranded criminal gang called Hyadina is using a signed Windows driver to kill antivirus software before locking victims' files. The driver carries a legitimate Microsoft stamp, and nobody knows quite how that happened.

Key points
- Hyadina, a ransomware group active for roughly four years, rebranded in 2025 and is now deploying a new file-locking program called GodDamn against US organisations.
- A malicious driver called PoisonX, published to GitHub on 7 April 2025, carries an authentic Microsoft signature that lets it run at the deepest level of Windows and switch off security software.
- Researchers at Symantec observed a live attack beginning 29 May 2025, in which the gang used at least 14 separate hacking tools before dropping ransomware.
- Microsoft maintains a blocklist to stop dangerous drivers, but updates to that list can lag weeks behind newly discovered threats.
- The driver's author describes herself on LinkedIn as a Russian security researcher; Dark Reading attempted contact but received no response before publication.
A criminal gang that locks companies' files and demands payment recently used a piece of software that Microsoft itself had certified as safe, researchers at Symantec reported this week. The group is called Hyadina. Its new ransomware, the software it uses to encrypt and hold victims' data hostage, goes by the name GodDamn.
How did the attackers get past the security software?
They brought a weapon Microsoft had already approved. At the heart of this attack is something called a kernel driver, which is a low-level program that Windows grants near-total control over a computer, sitting beneath antivirus tools and almost everything else. Hyadina's driver, named PoisonX, carries a genuine Microsoft Hardware Compatibility signature, meaning Windows treats it as trusted software.
Once loaded, PoisonX killed every security process running on the machine. It also stripped out API hooks, the monitoring points that security tools use to watch for suspicious behaviour, leaving the victim's defences effectively blind.
Nobody yet knows how the group obtained a valid signature. Symantec researcher Brigid O Gorman said plainly that, in hindsight, Microsoft should not have signed PoisonX, but acknowledged the team does not know how the attackers may have tricked Microsoft into doing so.
Microsoft keeps what it calls a Vulnerable Driver Blocklist, a running list of dangerous drivers Windows will refuse to load even if they carry a legitimate signature. The problem, O Gorman notes, is that the gap between a bad driver being spotted and the blocklist update reaching company computers is often measured in weeks, not hours. Attackers move faster.
The attack itself started simply. On 29 May, an unexpected copy of AnyDesk, a genuine remote-desktop program that lets someone control a computer from anywhere, turned up in a victim's Music folder. That is not where AnyDesk belongs, and it was not authorised. A day later, PoisonX arrived on a second machine inside the same organisation, dropped by a file cheekily named symantec.exe.
After that, Hyadina deployed fourteen tools for stealing passwords, reading saved browser credentials, and moving between computers on the same network. Thirteen of the fourteen came from NirSoft, a free and entirely legitimate Windows utilities website. The failure mode here is that legitimate tools leave far fewer obvious traces than purpose-built malware.
One thing the post-mortem will say: the first warning sign was an AnyDesk installation in the wrong folder on the wrong date. Behavioural monitoring, the kind that flags unusual software appearing in unusual places, would have caught it before PoisonX ever ran.
If your organisation uses Windows machines, confirm that Microsoft's Vulnerable Driver Blocklist updates are applied automatically and promptly. Do not wait for the quarterly patch window.



