Beast refers to two distinct malware families in the provided content. Most prominently, Beast is described as a ransomware-as-a-service (RaaS) operation and ransomware family that emerged from the Monster ransomware strain, announced itself in 2024, began RaaS operations in February 2025, and launched a data-leak site in July 2025. It is described as active since at least 2022 in some reporting and supports multi-platform payloads for Windows, Linux, and VMware ESXi. Reported intrusion vectors include compromised RDP, SMB scanning, and opportunistic exploitation. Beast is associated with double-extortion behavior, including data exfiltration and file encryption, and has been reported using ChaCha20 encryption. Multiple sources state that it aggressively impairs recovery by locating and deleting backups, including Microsoft Windows Volume Shadow Copy Service data, stopping the VSS service, and terminating processes related to databases, backup and recovery, antivirus products, Microsoft Office, file editors, email, and other security- or backup-related software. Team Cymru reported an exposed server containing a Beast operator’s toolset, including reconnaissance, network mapping, credential theft, exfiltration, persistence, and lateral movement tooling, with AnyDesk and Mega specifically identified; Mega was noted as used for exfiltration. Files observed on that server included disable_backup.bat, designed to delete VSS backups and stop the VSS service, and CleanExit.exe, assessed as likely intended to wipe logs after ransomware execution. A mutex string "BEAST HERE?" is also listed in reporting. Victim reporting in the content includes attacks against healthcare organizations, a South Korean pharmaceutical company, and a South Korean battery safety component manufacturer.
Separately, the content also identifies Beast as an older Windows-based backdoor trojan / remote administration tool (RAT) developed by Tataye, first released in 2002 and last listed as version 2.07 on August 3, 2004. That Beast RAT was written in Delphi, targeted Windows 95 through Windows XP, used a client-server architecture, and was noted as one of the early trojans to use reverse connections. After execution, it reportedly used code injection into other applications and gave an attacker complete control of the infected system. Because current security-professional usage in the supplied content is dominated by the ransomware family, "Beast" is most likely to refer to the ransomware operation unless historical RAT context is explicitly intended.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
GodDamn ransomware attack indicates that this seemingly new ransomware is in fact the latest rebrand of the Beast ransomware, which in itself was a rebrand of the Monster ransomware.
The Beast ransomware group is a fairly new one, which sprung from another strain — the so-called Monster ransomware gang. It announced itself in 2024, and began operations as a ransomware-as-a-service (RaaS) scheme in February 2025, launching a data-leak site in July.
12 distinct techniques documented for this family, organized by ATT&CK tactic.
The Exe Icon option allows the attacker to change the payload’s icon to improve social engineering effectiveness.
BeastDoor provides process injection capabilities and several builder options, including: Notifications Startup AV-FW Kill Misc Exe Icon
27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family that rebranded from Monster in June 2024 and later appears to have been rebranded again as GodDamn. The content says Beast added greater customization, improved encryption performance, and support for Linux and VMware ESXi targets.
A ransomware-as-a-service program advertised on RAMP.
Named ransomware involved in a healthcare-sector breach claim.
Ransomware used in a ransomware-as-a-service operation. It is described as going beyond simple file encryption by combining recovery prevention techniques, backup destruction, process termination, log wiping, and data exfiltration.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.