Cyber Threat Brief — July 10 2026
⚠️ This report is AI-generated. Always validate findings.
1. GodDamn Ransomware Deploys Signed PoisonX Driver to Kill EDR — BYOVD
TL;DR: Symantec disclosed July 9 a new Hyadina ransomware rebrand using PoisonX, a Microsoft-signed malicious kernel driver, to terminate security software at ring-0 before encrypting. Concrete IOCs and a 4-day dwell-time attack chain documented.
What’s New:
- PoisonX (
g11.sys, SHA-256:2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d) carries a valid “Microsoft Windows Hardware Compatibility Publisher” signature — not a vulnerable legitimate driver, but a purpose-built malicious driver that passed Microsoft signing - Dropper
symantec.exe(SHA-256:b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8) masquerades as Symantec product, stages PoisonX into system driver store - Attack chain: AnyDesk in
%USERPROFILE%\Music\→ PoisonX driver load → 14-tool credential harvest (Mimikatz + 13 NirSoft tools) → PsExec lateral movement → AnyDesk persistence as dual Windows services → encryption with victim-org-name as extension - Same driver previously documented killing CrowdStrike Falcon via crafted IOCTL; now also adopted by The Gentlemen RaaS
- Hyadina lineage: Monster (2022) → Beast (2024) → GodDamn (May 2026)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
g11.sys (SHA-256: 2d91a78...1c20145d) | Driver hash | T1068 / T1562.001 | EDR / Sysmon EID 6 (driver load) | Block by hash; alert on any new unsigned/suspect kernel driver loads |
symantec.exe (SHA-256: b29f91a...23a30c) dropper in Music\ folder | File hash + path | T1036.005 | EDR / Sysmon EID 1, 11 | Alert on executables masquerading as security vendor binaries in user profile dirs |
encrypter-windows-gui-x86.exe in Downloads/Music | Ransomware binary | T1486 | EDR / Sysmon EID 1 | Block; hunt for this filename |
| AnyDesk deployed as dual auto-start services from user profile dirs | Persistence | T1219 / T1543.003 | Windows EID 7045 / Sysmon EID 1 | Alert on AnyDesk service creation outside Program Files |
| PsExec lateral movement (psexesvc.exe → services.exe chain) | Lateral movement | T1570 / T1021.002 | Windows EID 7045 / EDR | Alert on PsExec service installation |
| NirSoft credential harvesters (WebBrowserPassView, ChromePass, Mimikatz, 11 others) staged in user profile subdir | Credential access | T1003.001 / T1555.003 | EDR / Sysmon EID 1 | Block NirSoft tool hashes; alert on >3 credential tools in single directory |
| Defender real-time monitoring disabled via PowerShell | Defense evasion | T1562.001 | Windows EID 5001 / PowerShell logs | Alert on Set-MpPreference -DisableRealtimeMonitoring |
.God8Damn or victim-org-name file extension on encrypted files | Encryption indicator | T1486 | File integrity / EDR | Post-compromise indicator |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Windows Driver Load Non-Standard Path (generic) | No specific PoisonX driver rule; need hash-based or signer-anomaly detection for Microsoft-signed malicious drivers |
| Splunk ESCU | PsExec Lateral Movement; Windows Defender Exclusion Added | Covers post-PoisonX lateral movement, not the driver load itself |
| Sigma | sysmon_driver_load_vuln_drivers.yml (BYOVD list) | PoisonX not in community BYOVD hash list yet — needs manual addition |
| Sigma | proc_creation_win_hktl_mimikatz.yml | Covers Mimikatz but not NirSoft toolkit staging pattern |
| Elastic | Suspicious Driver Loaded (generic) | No PoisonX-specific coverage |
Sources: Symantec Threat Hunter Team · SecurityAffairs · Dark Reading
Status Updates
- CVE-2026-50656 (RoguePlanet / Microsoft Defender EoP): PATCHED July 9 in Malware Protection Engine 1.1.26060.3008. Auto-updates; no customer action required. Previously unpatched zero-day since June 11. Splunk ESCU Analytics Story: RoguePlanet available. Original brief.
- CVE-2026-48282 (Adobe ColdFusion RDS FILEIO): Federal CISA KEV deadline TODAY July 10. ITW exploitation ongoing since July 2. Patch: CF2025u10 / CF2023u21. Original brief.
- CVE-2026-48908 (JoomShaper SP Page Builder): Federal CISA KEV deadline TODAY July 10. Unauthenticated file upload RCE. Patch: 6.6.2. Original brief.
- CVE-2026-56290 (Joomlack Page Builder CK): Federal CISA KEV deadline TODAY July 10. Unauthenticated file upload RCE. Patch: 3.6.0. Original brief.
- CVE-2026-55255 (Langflow IDOR): Federal CISA KEV deadline TODAY July 10. Sysdig detailed attacker TTPs: flow enumeration + IDOR + ‘leak api keys’ prompt injection. Attacker IP
45.207.216.55. Patch: 1.9.2. Original brief.