GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses

    Date: 07/10/2026

    Severity: Critical

    Summary

    GodDamn is the latest rebranded version of the Beast (formerly Monster) ransomware family, developed by the threat actor Hyadina. The attackers use AnyDesk for remote access, credential-stealing toolkits, and the Microsoft-signed PoisonX kernel driver to disable endpoint security through a BYOVD-style defense evasion technique before deploying the ransomware. The campaign also uses customized file extensions based on the victim organization, highlighting its evolving tactics and focus on stealth. 

    Indicators of Compromise (IOC) List

    Hash

    141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944

    17fb52476016677db5a93505c4a1c356984bc1f6a4456870f920ac90a7846180

    19bab15a34d5ad838ccf4d187eb40379c335fa56446d0f9621865b2767d4ac7d

    2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d

    31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc

    35296e7a34688ca3e3159bcdf92b4d60ba4173a2369aca531bb7bc959f68ed9c

    45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220

    5be325905df8aab7089ab2348d89343f55a2f88dadd75de8f382e8fa026451bd

    5c4c98d774eb100f9a89ae4e984c27a4f532e58c7cf8c87046dc87db5a065404

    5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6 

    7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26 

    816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019

    8e4b218bdbd8e098fff749fe5e5bbf00275d21f398b34216a573224e192094b8

    8ff1c1967841a595d996a649c8134b7a5970dcf94624b237d1b089e7c6266167

    9fae3f15900e13ec3860a109555ecd33ca43d38907c63438c50a2d6d91bfee1d

    b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8

    c92580318be4effdb37aa67145748826f6a9e285bc2426410dc280e61e3c7620

    e097f3b445b63b07afacde8d6a67f0be654dd51e228a3610fb0710a1f7e29a69 

    ece33e4b7e2d26eeca8ad9db4439f9801a7a77e332611116156738b1b0316046

    faca9e856c369b63d6698c74b1d59b062a9a8d9fe84b8f753c299c9961026395

    d29670e684e40ddc89b47010c37cbc96737035b6

    7d33e173819ecd502f790bf6d3da260a82dedfa2

    7b01f64b7818d315ef7a2485c4ce2a5d6896cb58

    56bee9df5833a637f5c54d5911df98b0812fe643

    4a3418d78d8fe36b39d1ee5435796369b88a8762

    32e24780735a0148c3cc4ce7dda30ed9365397a9

    1ba499bafaa369be58e795a150403c8729ef5d95

    10955a02ef3fd3f80f20062c401bf7960ff6ce94

    fc3b93e042de5fa569a8379d46bce506

    e736229e890a138ccf7810e00a6bb50d

    df218168bf83d26386dfd4ece7aef2d0

    d28f0cfae377553fcb85918c29f4889b

    8e776dbb71eb8f42dffd3020175edef5

    4277a6be9b121a30564aca6ba32db272

    233b795102dd9cd630aebddfe3c15bbb

    07e9f0b8627a95960e79e930fb099e84

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    md5hash IN ("07e9f0b8627a95960e79e930fb099e84","8e776dbb71eb8f42dffd3020175edef5","e736229e890a138ccf7810e00a6bb50d","4277a6be9b121a30564aca6ba32db272","df218168bf83d26386dfd4ece7aef2d0","d28f0cfae377553fcb85918c29f4889b","fc3b93e042de5fa569a8379d46bce506","233b795102dd9cd630aebddfe3c15bbb")

    Detection Query 2 :

    sha1hash IN ("56bee9df5833a637f5c54d5911df98b0812fe643","32e24780735a0148c3cc4ce7dda30ed9365397a9","7d33e173819ecd502f790bf6d3da260a82dedfa2","4a3418d78d8fe36b39d1ee5435796369b88a8762","d29670e684e40ddc89b47010c37cbc96737035b6","1ba499bafaa369be58e795a150403c8729ef5d95","7b01f64b7818d315ef7a2485c4ce2a5d6896cb58","10955a02ef3fd3f80f20062c401bf7960ff6ce94")

    Detection Query 3 :

    sha256hash IN ("c92580318be4effdb37aa67145748826f6a9e285bc2426410dc280e61e3c7620","45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220","5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6","17fb52476016677db5a93505c4a1c356984bc1f6a4456870f920ac90a7846180","faca9e856c369b63d6698c74b1d59b062a9a8d9fe84b8f753c299c9961026395","8e4b218bdbd8e098fff749fe5e5bbf00275d21f398b34216a573224e192094b8","5c4c98d774eb100f9a89ae4e984c27a4f532e58c7cf8c87046dc87db5a065404","9fae3f15900e13ec3860a109555ecd33ca43d38907c63438c50a2d6d91bfee1d","19bab15a34d5ad838ccf4d187eb40379c335fa56446d0f9621865b2767d4ac7d","ece33e4b7e2d26eeca8ad9db4439f9801a7a77e332611116156738b1b0316046","5be325905df8aab7089ab2348d89343f55a2f88dadd75de8f382e8fa026451bd","7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26","b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8","141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944","35296e7a34688ca3e3159bcdf92b4d60ba4173a2369aca531bb7bc959f68ed9c","816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019","2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d","8ff1c1967841a595d996a649c8134b7a5970dcf94624b237d1b089e7c6266167","31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc","e097f3b445b63b07afacde8d6a67f0be654dd51e228a3610fb0710a1f7e29a69")

    Reference:    

    https://www.security.com/threat-intelligence/goddamn-ransomware-beast-rebrand                


    Tags

    MalwareThreat ActorRansomwareCredential HarvestingMicrosoftBYOVD

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags