Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Analysis of a recent GodDamn ransomware attack indicates that this seemingly new ransomware is in fact the latest rebrand of the Beast ransomware, which in itself was a rebrand of the Monster ransomware... The GodDamn ransomware... was documented as being first seen on May 21, 2026.
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Next, Hyadina took it up another notch by deploying a toolkit made of 14 different tools... used for different kinds of Windows-based credential theft... All but one of those programs, Mimikatz, came from NirSoft.
Next, Hyadina took it up another notch by deploying a toolkit made of 14 different tools... used for different kinds of Windows-based credential theft: browser, email, and instant messenger stealers; Wi‑Fi and live network traffic interceptors; and more.
The first sign of bad news came in the form of an unexpected instance of AnyDesk, unconventionally loaded into one infected computer's Music folder... AnyDesk is an entirely legitimate software platform, but it's commonly used by attackers instead of old-fashioned shells.
24 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware locker used by the Hyadina RaaS operation to encrypt victim environments after the actors establish access, disable defenses, steal credentials, and move laterally.
Ransomware assessed to be the latest rebrand in the Monster/Beast lineage attributed to Hyadina. It was deployed after network-wide staging, credential harvesting, remote access establishment, lateral movement, and defense evasion including use of the PoisonX kernel driver to disable endpoint protections before encryption.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.