Cyber Threat Brief — July 10 2026

⚠️ This report is AI-generated. Always validate findings.

1. GodDamn Ransomware Deploys Signed PoisonX Driver to Kill EDR — BYOVD

TL;DR: Symantec disclosed July 9 a new Hyadina ransomware rebrand using PoisonX, a Microsoft-signed malicious kernel driver, to terminate security software at ring-0 before encrypting. Concrete IOCs and a 4-day dwell-time attack chain documented.

What’s New:

  • PoisonX (g11.sys, SHA-256: 2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d) carries a valid “Microsoft Windows Hardware Compatibility Publisher” signature — not a vulnerable legitimate driver, but a purpose-built malicious driver that passed Microsoft signing
  • Dropper symantec.exe (SHA-256: b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8) masquerades as Symantec product, stages PoisonX into system driver store
  • Attack chain: AnyDesk in %USERPROFILE%\Music\ → PoisonX driver load → 14-tool credential harvest (Mimikatz + 13 NirSoft tools) → PsExec lateral movement → AnyDesk persistence as dual Windows services → encryption with victim-org-name as extension
  • Same driver previously documented killing CrowdStrike Falcon via crafted IOCTL; now also adopted by The Gentlemen RaaS
  • Hyadina lineage: Monster (2022) → Beast (2024) → GodDamn (May 2026)

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
g11.sys (SHA-256: 2d91a78...1c20145d)Driver hashT1068 / T1562.001EDR / Sysmon EID 6 (driver load)Block by hash; alert on any new unsigned/suspect kernel driver loads
symantec.exe (SHA-256: b29f91a...23a30c) dropper in Music\ folderFile hash + pathT1036.005EDR / Sysmon EID 1, 11Alert on executables masquerading as security vendor binaries in user profile dirs
encrypter-windows-gui-x86.exe in Downloads/MusicRansomware binaryT1486EDR / Sysmon EID 1Block; hunt for this filename
AnyDesk deployed as dual auto-start services from user profile dirsPersistenceT1219 / T1543.003Windows EID 7045 / Sysmon EID 1Alert on AnyDesk service creation outside Program Files
PsExec lateral movement (psexesvc.exe → services.exe chain)Lateral movementT1570 / T1021.002Windows EID 7045 / EDRAlert on PsExec service installation
NirSoft credential harvesters (WebBrowserPassView, ChromePass, Mimikatz, 11 others) staged in user profile subdirCredential accessT1003.001 / T1555.003EDR / Sysmon EID 1Block NirSoft tool hashes; alert on >3 credential tools in single directory
Defender real-time monitoring disabled via PowerShellDefense evasionT1562.001Windows EID 5001 / PowerShell logsAlert on Set-MpPreference -DisableRealtimeMonitoring
.God8Damn or victim-org-name file extension on encrypted filesEncryption indicatorT1486File integrity / EDRPost-compromise indicator

Detection

SourceRuleGap
Splunk ESCUWindows Driver Load Non-Standard Path (generic)No specific PoisonX driver rule; need hash-based or signer-anomaly detection for Microsoft-signed malicious drivers
Splunk ESCUPsExec Lateral Movement; Windows Defender Exclusion AddedCovers post-PoisonX lateral movement, not the driver load itself
Sigmasysmon_driver_load_vuln_drivers.yml (BYOVD list)PoisonX not in community BYOVD hash list yet — needs manual addition
Sigmaproc_creation_win_hktl_mimikatz.ymlCovers Mimikatz but not NirSoft toolkit staging pattern
ElasticSuspicious Driver Loaded (generic)No PoisonX-specific coverage

Sources: Symantec Threat Hunter Team · SecurityAffairs · Dark Reading


Status Updates

  • CVE-2026-50656 (RoguePlanet / Microsoft Defender EoP): PATCHED July 9 in Malware Protection Engine 1.1.26060.3008. Auto-updates; no customer action required. Previously unpatched zero-day since June 11. Splunk ESCU Analytics Story: RoguePlanet available. Original brief.
  • CVE-2026-48282 (Adobe ColdFusion RDS FILEIO): Federal CISA KEV deadline TODAY July 10. ITW exploitation ongoing since July 2. Patch: CF2025u10 / CF2023u21. Original brief.
  • CVE-2026-48908 (JoomShaper SP Page Builder): Federal CISA KEV deadline TODAY July 10. Unauthenticated file upload RCE. Patch: 6.6.2. Original brief.
  • CVE-2026-56290 (Joomlack Page Builder CK): Federal CISA KEV deadline TODAY July 10. Unauthenticated file upload RCE. Patch: 3.6.0. Original brief.
  • CVE-2026-55255 (Langflow IDOR): Federal CISA KEV deadline TODAY July 10. Sysdig detailed attacker TTPs: flow enumeration + IDOR + ‘leak api keys’ prompt injection. Attacker IP 45.207.216.55. Patch: 1.9.2. Original brief.