Connect with us

CyberSecurity

Signed Microsoft Driver Weaponized: ‘GodDamn’ Ransomware Unleashes BYOVD Attacks on US Firms

Published

on

GodDamn ransomware BYOVD

A Signed Driver Turns Into a Weapon

A new ransomware strain dubbed GodDamn is making headlines for a particularly nasty trick: it leverages a Microsoft-signed kernel driver to disable endpoint security software before deploying its payload. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), isn’t new—but the use of a legitimately signed driver makes it far harder to detect.

Security researchers at Trend Micro first spotted the campaign in late February 2025. The attackers are zeroing in on US-based organizations, including manufacturing firms, healthcare providers, and logistics companies. The goal? Disable defenses, steal data, and demand ransoms in cryptocurrency.

How BYOVD Turns a Signed Driver Into a Liability

BYOVD attacks work by exploiting a legitimate, signed kernel driver that contains a known vulnerability. In this case, the attackers use a driver signed by Microsoft that has a flaw allowing arbitrary code execution in kernel mode. Once loaded, the driver grants the ransomware the highest level of system access—ring 0—which lets it kill antivirus processes, delete backup files, and disable monitoring tools without triggering alerts.

The signed driver bypasses many security checks because the operating system trusts it. The attackers don’t need to exploit a zero-day; they just repurpose a driver that Microsoft already approved. This is the core of the BYOVD threat: the very mechanism meant to ensure trust becomes the attack vector.

Why US Companies Are in the Crosshairs

Trend Micro’s telemetry shows that GodDamn ransomware has hit at least 12 US organizations in the past month. The attackers appear to prioritize firms with weak endpoint detection and response (EDR) deployments—often smaller manufacturers or mid-sized healthcare groups that can’t afford layered security. Ransom demands range from $50,000 to $500,000, with payments directed to Bitcoin wallets.

The ransomware doesn’t just encrypt files; it exfiltrates data first. If the victim doesn’t pay, the attackers threaten to leak sensitive information on dark web forums. This double-extortion tactic has become standard in the ransomware ecosystem, but the BYOVD component gives GodDamn an edge: it can disable even the most aggressive EDR tools before they react.

The Technical Breakdown: What Happens Inside

When GodDamn infects a system, it drops a legitimate signed driver (often a known utility like aswArPot.sys or a similar driver from a security vendor) along with a loader. The loader calls the Windows service control manager to load the driver, which then communicates with the kernel. From there, the ransomware enumerates running processes and terminates anything related to security software—including antivirus engines, firewalls, and backup agents.

After clearing the defenses, GodDamn downloads its encryption module from a remote server. It uses a hybrid encryption scheme: AES-256 for file encryption and RSA-2048 for key protection. The ransomware targets over 400 file extensions, including databases, documents, and virtual machine images. It also deletes Volume Shadow Copies to prevent recovery without the decryption key.

Microsoft’s Response: A Patch and a Warning

Microsoft has since revoked the certificate used to sign the vulnerable driver and pushed a Windows Defender update that blocks the specific driver hash. The company also updated its Driver Blocklist policy to prevent the driver from loading on fully patched systems. However, the broader issue remains: any signed driver with a known vulnerability can be weaponized.

Security experts at Mandiant have urged organizations to implement driver blocklist policies proactively. They recommend using tools like Microsoft’s Driver Blocklist Policy or third-party solutions that monitor for unauthorized kernel driver loads. The key is to treat kernel-level access as a critical threat surface—even if the driver comes with a Microsoft stamp of approval.

Defending Against BYOVD Ransomware

Protecting against attacks like GodDamn requires a multi-layered approach. Here are the most effective steps security teams can take right now:

  • Enable driver blocklisting: Use Microsoft’s recommended blocklist or a third-party tool to prevent known vulnerable drivers from loading. Update the list regularly as new vulnerabilities are disclosed.
  • Deploy EDR with behavioral detection: Traditional signature-based antivirus won’t catch BYOVD. Endpoint detection and response tools that monitor for abnormal kernel driver loading can flag the attack early.
  • Restrict driver installation: Configure Windows Group Policy to only allow signed drivers from approved publishers. This won’t stop the attack entirely, but it adds friction.
  • Implement the principle of least privilege: Limit administrative rights on endpoints. BYOVD attacks often require admin-level access to load the driver, so reducing the number of privileged users reduces the attack surface.
  • Use application control: Tools like Windows Defender Application Control (WDAC) can block unauthorized executables, including driver loaders, from running.

The Bigger Picture: Trust but Verify

The GodDamn ransomware campaign is a stark reminder that digital signatures are not a guarantee of safety. Attackers are increasingly weaponizing signed drivers, and the security community is playing catch-up. Microsoft has improved its driver submission process in recent years, but the sheer volume of signed drivers makes it impossible to vet every one for latent vulnerabilities.

For now, the best defense is a healthy dose of skepticism. Treat every kernel driver—signed or not—as a potential threat. Monitor for unusual driver loading, keep blocklists updated, and assume that a signed driver can be turned against you. The attackers certainly are.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

Fresh SharePoint Vulnerability Exploited Within Days of Disclosure – CISA Adds to KEV Catalog

Published

on

SharePoint vulnerability exploited

Attackers Waste No Time Exploiting Critical SharePoint Flaw

Threat actors have already started exploiting a freshly patched, critical-severity remote code execution (RCE) vulnerability in Microsoft SharePoint, prompting urgent action from the US cybersecurity agency CISA. The flaw, tracked as CVE-2026-58644, carries a CVSS score of 9.8 and was fixed as part of Microsoft’s July 2026 Patch Tuesday updates.

Microsoft describes the issue as a deserialization of untrusted data vulnerability. In a network-based attack, an attacker authenticated as at least a Site Owner could write arbitrary code to inject and execute code remotely on the SharePoint Server.

CISA Adds SharePoint Vulnerability to KEV Catalog

On Thursday, just two days after Microsoft warned about the risk, CISA added CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) catalog. This move triggers a mandatory three-day patching deadline for all US federal agencies under Binding Operational Directive (BOD) 26-04.

Microsoft had not initially flagged the flaw as exploited. However, the company later updated its advisory to confirm that exploitation was detected in the wild and revised the CVSS score accordingly.

Other SharePoint Bugs and Fortinet Flaws Also Under Fire

The July 2026 Patch Tuesday release also addressed several other SharePoint defects. Among them was CVE-2026-56164, which Microsoft had previously marked as exploited as a zero-day. Another critical weakness, CVE-2026-55040, is a security bypass that could allow attackers to disclose files and modify data.

Alongside the SharePoint vulnerability, CISA added two OS command injection flaws in Fortinet FortiSandbox to the KEV list: CVE-2026-25089 and CVE-2026-39808. Both were patched in June and April, respectively. These bugs allow attackers to execute arbitrary code or commands on vulnerable appliances. Exploit intelligence company Defused flagged both as exploited in the wild in mid-June.

Federal Agencies on the Clock

Under BOD 26-04, federal agencies are required to patch all three exploited vulnerabilities within three days. The directive aims to reduce the attack surface of government networks by mandating rapid remediation of known exploited flaws.

What This Means for Enterprise Security Teams

The speed of exploitation — within days of disclosure — underscores a troubling trend. Attackers are increasingly scanning for and weaponizing newly patched vulnerabilities before many organizations can apply updates. For security teams, this means the window for patching critical flaws is shrinking.

Enterprises that use SharePoint Online may be less at risk if Microsoft applies patches automatically. However, organizations running on-premises SharePoint Server instances should prioritize testing and deploying the July 2026 security updates immediately.

Broader Context: A Busy Patch Cycle

Microsoft’s July 2026 Patch Tuesday was unusually heavy, addressing a record number of vulnerabilities. The company patched 622 flaws, including two exploited zero-days. The SharePoint RCE bug was one of several critical issues that demanded immediate attention.

Beyond SharePoint and Fortinet, other vendors also pushed critical fixes. Splunk and Zoom patched critical vulnerabilities in their products, while F5 addressed multiple flaws in NGINX and BIG-IP. The pace of disclosures and exploits shows no signs of slowing.

Recommendations for CISOs and IT Admins

  • Patch immediately: Apply the July 2026 SharePoint security update across all on-premises servers. Treat CVE-2026-58644 as an active threat.
  • Check FortiSandbox appliances: Ensure that firmware updates for CVE-2026-25089 and CVE-2026-39808 are installed. These flaws are already being exploited.
  • Monitor CISA’s KEV catalog: Bookmark the list and integrate it into your vulnerability management process. BOD 26-04 may not apply to your organization, but the catalog is a reliable indicator of active threats.
  • Review access controls: The SharePoint flaw requires Site Owner-level authentication. Review who holds such privileges and consider tightening them where possible.

As the gap between disclosure and exploitation narrows, proactive patching is no longer just best practice — it’s survival. The attackers are watching the same Patch Tuesday announcements you are. The difference is they act faster.

Continue Reading

CyberSecurity

GitHub ‘Verified’ Commits Aren’t as Trustworthy as You Think — Here’s the Proof

Published

on

GitHub verified commits

The ‘Verified’ Badge You Trust May Be Fooling You

That little green “Verified” badge next to a GitHub commit? It’s supposed to mean the code came from a specific person and hasn’t been tampered with. New research shatters that assumption.

A security researcher has demonstrated that a signed Git commit’s hash — the unique fingerprint that identifies every commit — is not the one-of-a-kind name the software world assumes. Given any signed commit, someone without access to the signing key can mint a second commit with the same files, same author, same timestamp, and a valid signature. GitHub still stamps it “Verified.”

Everything a reviewer would check matches. The commit’s hash does not. And that matters a lot.

How the Attack Works: Colliding Commit Hashes

Git relies on SHA-1 hashes to uniquely identify each commit. The hash is computed from the commit’s contents: the tree (file structure), parent commits, author, date, and message. When you sign a commit with GPG or SSH, Git signs that hash.

Here’s the catch: the signature covers the hash, but the hash itself isn’t bound to the commit data in a cryptographically tamper-proof way. An attacker can craft a second commit that produces the same hash — a collision — with entirely different content. Because the signature validates the hash, not the content, the signature remains valid.

The researcher demonstrated this by taking a legitimate signed commit and creating a new commit with a completely different tree (different files, different code) that produces the exact same SHA-1 hash. The signature from the original commit still verifies. GitHub’s interface shows “Verified.” A human reviewing the commit sees a green checkmark and moves on.

What the Attacker Can (and Cannot) Do

This isn’t a theoretical paper exercise. The researcher published a working proof-of-concept tool. Here’s what the attack enables:

  • Swap code silently: An attacker can replace the files in a signed commit with malicious code while keeping the signature valid.
  • Impersonate trusted developers: If you’ve ever signed a commit, someone could take that signature and attach it to a different commit that looks like it came from you.
  • Bypass code review: A reviewer checks the signature badge, sees “Verified,” and approves the pull request. The actual code could be anything.

But there are limits. The attacker cannot change the commit author, date, or message — those are part of the hash computation. They can only swap the tree (the actual file contents). For many supply-chain attacks, that’s more than enough.

Why GitHub’s ‘Verified’ Badge Is Misleading

GitHub’s interface treats a valid signature as proof of integrity. The badge says “This commit was signed with a verified signature.” Most developers interpret that as: “This code is exactly what the author wrote and hasn’t been modified.”

That interpretation is wrong. The signature proves the hash is authentic. It does not prove the commit’s content matches what was signed. Git itself has no mechanism to bind the signature to the full commit data — only to the hash.

The researcher reported the issue to GitHub’s security team. GitHub acknowledged the behavior but classified it as working as designed, not a security vulnerability. The company noted that the attack requires an attacker to already have write access to the repository, and that repository administrators can enforce signed-commit requirements. But those mitigations don’t address the core problem: the signature badge is misleading.

What This Means for Software Supply Chain Security

This flaw matters most in automated supply-chain pipelines. Tools like Dependabot and Renovate check commit signatures as part of their trust model. A bot sees “Verified” and merges. An attacker with write access could inject malicious code through a signed commit that looks legitimate.

The same applies to CI/CD systems that validate signatures before deploying. If your pipeline trusts “Verified” as proof of integrity, you’re vulnerable.

How to Protect Yourself (Without Waiting for GitHub)

GitHub isn’t likely to change this behavior soon. In the meantime, here’s what you can do:

  • Don’t rely on the badge alone: Verify the actual commit content. Use git log --show-signature and compare the hash with the commit data.
  • Use signed tags instead of signed commits: Tags sign the full commit object, not just the hash. This attack doesn’t work against signed tags.
  • Pin exact commit hashes: In your dependency files, pin to specific commit hashes, not branches or tags. Verify the hash matches the expected content.
  • Audit your supply chain: Review which commits are signed and by whom. Look for commits with valid signatures but unexpected content.
  • Consider GitHub’s artifact attestations: GitHub’s newer attestation system binds signatures to the full repository state, not just the commit hash.

The green badge is convenient. It’s also a false sense of security. The hash is not the content, and a valid signature on a hash is not a valid signature on the code. Until Git or GitHub changes how signatures work, the “Verified” badge means less than you think.

Continue Reading

CyberSecurity

Fake CAPTCHA Pages Deliver SCMBANKER Malware to Mexican Banking Users

Published

on

SCMBANKER malware

Fake CAPTCHA Pages Are the Hook

Cybercriminals are running a fresh campaign that preys on customers of Mexican banks, fintech platforms, payment processors, and even cryptocurrency exchanges. The method is deceptively simple: a fake CAPTCHA verification page that tricks users into copying and running a malicious command. Once executed, it installs a PowerShell-based toolkit known as SCMBANKER malware.

Security researchers at Elastic Security Labs are tracking this activity cluster under the name REF6045. The campaign relies on what the industry calls ClickFix lures — social engineering tricks that make victims believe they need to complete a security check. Instead of a harmless verification, they end up infecting their own machine.

This isn’t a spray-and-pray operation. The attackers are being selective about who they target. The lure pages are localized in Spanish and reference well-known Mexican financial institutions. That level of specificity suggests the group behind REF6045 has done its homework on the local banking ecosystem.

How the Infection Chain Works

The attack starts when a user lands on a compromised or malicious website. A pop-up appears, mimicking a standard CAPTCHA challenge. The page instructs the visitor to press a specific key combination — often Windows Key + R — then paste a provided script into the Run dialog and hit Enter.

Here’s the kicker: the script is not a CAPTCHA solver. It’s a PowerShell command that reaches out to a remote server, downloads the SCMBANKER malware, and executes it silently in the background. The victim sees nothing unusual — the page might even show a fake “Verification Successful” message — while the malware burrows into the system.

Elastic’s analysis shows the toolkit is modular. It can steal credentials, intercept SMS-based two-factor authentication codes, log keystrokes, and take screenshots. That’s a dangerous combination for anyone doing online banking.

Why Mexican Users Are in the Crosshairs

Mexico has seen a rapid shift toward digital payments and mobile banking over the past few years. That growth has caught the attention of cybercriminal groups. SCMBANKER malware is specifically designed to hook into banking sessions, read account balances, and initiate unauthorized transfers.

The campaign also targets users of cryptocurrency exchanges. That’s a notable development. Criminals are increasingly blending traditional banking fraud with crypto theft, siphoning funds from both fiat and digital wallets in a single sweep.

Elastic Security Labs notes that the infrastructure behind REF6045 is still active. New domains and command-and-control servers are being spun up regularly. This isn’t a one-off — it’s an ongoing threat that’s likely to evolve.

ClickFix: A Growing Social Engineering Trend

The ClickFix lure technique has been gaining traction across multiple malware families. It exploits a basic human tendency: people follow instructions when they think they’re solving a problem. By wrapping the infection chain inside a fake security check, attackers bypass many traditional defenses.

Static antivirus engines often miss these attacks because the initial payload is not a file — it’s a command typed directly by the user. That’s a blind spot. No email attachment to scan, no link to inspect. Just a few keystrokes, and the damage is done.

For users of WhatsApp HD photo sending or other everyday apps, this kind of social engineering can feel indistinguishable from a legitimate prompt. The attackers invest in good design — the fake CAPTCHA pages look polished, with proper logos and color schemes.

Protecting Yourself from CAPTCHA-Based Malware

Defense starts with skepticism. No legitimate CAPTCHA will ever ask you to open a Run dialog or paste a script. If a website demands that, close the tab immediately.

Organizations can also deploy application whitelisting and PowerShell execution policies to block unauthorized scripts. For individuals, using a standard (non-administrator) user account limits what the malware can do after installation.

Elastic Security Labs recommends monitoring for unusual PowerShell activity and outbound connections to unknown IPs. Their full report on REF6045 includes indicators of compromise — domains, hashes, and command patterns — that security teams can use for detection.

What Comes Next

The SCMBANKER malware campaign is a reminder that banking trojans are not a relic of the 2010s. They’ve adapted. They now use modern social engineering, modular code, and multi-target strategies that span both traditional banks and crypto platforms.

As Mexican financial institutions continue to digitize, the attack surface will only widen. Security awareness training, especially around unusual CAPTCHA prompts, is no longer optional — it’s a frontline defense.

For users who want to stay safe, the rule is simple: if a page asks you to paste code into a Run box, don’t. That’s not a verification. That’s an infection.

Continue Reading

Trending