GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft
Chinese threat group GoldenEyeDog subgroup breached DigiCert and stole code-signing certificates.
Summary
Researchers attributed the April 2026 DigiCert breach to CylindricalCanine, a subgroup of GoldenEyeDog (APT-Q-27), a Chinese cybercrime group. The threat actors used a modified Gh0st RAT delivered via a malicious .scr file to compromise DigiCert support staff, gaining unauthorized access to code-signing certificates intended for customers. The group abused these certificates to sign malware and evade detection, leading DigiCert to revoke 60 fraudulently issued EV Code Signing certificates.
Full text
GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft Ravie LakshmananJul 17, 2026Malware / Threat Intelligence Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine. Expel, which shared technical details of the event, described the threat actor as a sub-group of GoldenEyeDog (aka APT-Q-27, Dragon Breath, and Miuuti Group), a Chinese cybercrime group known for its targeting of the gambling and gaming sectors using counterfeit websites to push malware-laced software. It's known to be active since at least 2015. "In April 2026, GoldenEyeDog used their malware to access a support member's device at DigiCert, a code-signing certificate provider, and leveraged their access to steal certificates intended for DigiCert customers," Expel security researcher Aaron Walton said in an analysis. "This attack highlighted the capability of the malware and operators." Central to the threat actor's operations is a modified version of Gh0st RAT (aka Farfli), a remote access trojan (RAT) widely used by Chinese hacking groups, including another prolific Chinese cybercrime group tracked as Silver Fox. The modular malware, referred to as Golden Gh0st RAT, is delivered by means of Golden Gh0st Loader. In a report published in November 2025, Elastic Security Labs detailed the adversary's use of a multi-stage loader codenamed RONINGLOADER to distribute a Gh0st RAT variant through NSIS installers masquerading as legitimate programs like Google Chrome and Microsoft Teams. Earlier this year, another campaign linked to the hacking group was observed orchestrating a multi-stage attack directed at customer support staff working for Web3 companies, using suspicious links sent via customer support chat to deliver Gh0st RAT. "These actors are using malware and targeting victims consistent with other Chinese cybercrime activity, including targeting finance organizations in the Asia-Pacific region," Expel said. "The malware targets finance organizations in the Asia-Pacific region." Golden Gh0st RAT shares behavioral and tactical overlaps with a payload detected by Chinese security vendor QiAnXin back in 2020 in connection with an attack campaign aimed at the gambling industry since 2019. It also overlaps with a malware documented by ANY.RUN in February 2025 as Zhong Stealer. The DigiCert Compromise What's more, CylindricalCanine has been observed abusing code-signing certificates, gaining unauthorized access to DigiCert to intercept code-signing certificates intended for DigiCert customers, and then using them to sign their own malware to avoid detection. In April 2026, the certificate authority (CA) revealed it revoked certificates fraudulently obtained from its internal support portal after gaining access to two support analyst workstations by executing a malicious payload delivered via a customer chat channel. "On 2026-04-02, a threat actor contacted DigiCert's support team via a customer chat channel and delivered a ZIP file disguised as a customer screenshot," DigiCert explained at the time. "The file contained a .scr executable with a malicious payload." "The threat actor used a limited function within the customer-support portal, which allows authenticated DigiCert support analysts to access customer accounts from the customer's perspective to facilitate support tasks. The threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for EV Code Signing certificate orders across a finite set of customer accounts." The fatal oversight here was that the possession of an initialization code, coupled with an approved order, was "functionally sufficient" to obtain EV Code Signing certificates across a set of customer accounts and CAs. The company said it revoked 60 certificates issued by the following CAs - DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1 DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1 Verokey High Assurance Secure Code EV Of these, 27 are said to have been explicitly linked to the threat actor, with the exploited certificates weaponized to sign Zhong Stealer malware artifacts. "The threat model did not account for the scenario in which initialization codes stored within DigiCert's internal support portal could be viewed by a compromised DigiCert analyst account operating through the portal function," the company explained, adding it has since deployed a code change to mask initialization codes from proxied users on both E.U. and U.S. platforms using either the UI or API. Attack Chains Lead to Golden Gh0st RAT Expel said the primary tactic of CylindricalCanine is to distribute files disguised as screenshots in phishing emails. The files are embedded within the messages in the form of a link that, when clicked, downloads additional payloads from an external server. The end goal of the attack is to trigger a DLL side-loading chain, leveraging a legitimate executable to run a rogue DLL, while simultaneously displaying a decoy PDF document displaying an HTTP 503 "Service Unavailable" error. The DLL then proceeds to load an encrypted payload ("update.log"). The final stage is Golden Gh0st RAT, which comes with a wide array of capabilities to set up persistence, steal sensitive data, start a SOCKS proxy tunnel, suppress display output, log keystrokes, take screenshots, enumerate processes, execute shell commands, drop additional payloads, and clear Windows Event logs. Some of the applications it specifically targets for data collection include Skype, Google Chrome, Mozilla Firefox, 360 Secure Browser, 360 Speed Browser, and Tencent QQ Browser. The findings make CylindricalCanine the latest addition to a list of threat actors, such as Black Basta, TamperedChef (aka EvilAI), and Rhysida, that are known to abuse code-signing certificates in their cyber operations. "Golden Gh0st RAT is used primarily in phishing emails and/or submissions to support portals (these submissions may themselves be emails received by a ticketing system)," Expel said. "As with all Gh0st RAT variants, the capability of the malware is handled through plugins and an internal module dispatcher." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE Certificate Security, code signing, Cybercrime, data theft, Malware, Phishing, Remote Access Trojan, Security breach, Threat Intelligence, Windows Security ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video C
Indicators of Compromise
- malware — Golden Gh0st RAT
- malware — Golden Gh0st Loader
- malware — RONINGLOADER
- malware — Gh0st RAT
- malware — Zhong Stealer