VYPR
breachPublished Jul 17, 2026· 1 source

GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

A subgroup of the GoldenEyeDog Chinese cybercrime group, CylindricalCanine, is linked to the April 2026 DigiCert breach where code-signing certificates were stolen.

Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine, identified as a subgroup of the GoldenEyeDog Chinese cybercrime collective. GoldenEyeDog, also known by aliases such as APT-Q-27, Dragon Breath, and Miuuti Group, has a history of targeting the gambling and gaming sectors by distributing malware-laced software through counterfeit websites, and has been active since at least 2015.

According to security researchers, GoldenEyeDog utilized their malware to gain access to a support member's device at DigiCert, a prominent code-signing certificate provider. This access allowed them to steal certificates intended for DigiCert customers, a feat that highlighted the advanced capabilities of both the malware and the operators behind it. The stolen certificates could be used to sign malicious software, potentially increasing the trust and reach of future malware campaigns.

The threat actor's operations heavily rely on a modified version of Gh0st RAT (also known as Farfli), a remote access trojan widely adopted by Chinese hacking groups. This modular malware, termed Golden Gh0st RAT, is distributed via a loader component known as Golden Gh0st Loader. Earlier campaigns have seen this loader used to distribute Gh0st RAT variants through installers masquerading as legitimate software, such as Google Chrome and Microsoft Teams.

In a previous incident, a similar campaign targeted customer support staff at Web3 companies, using malicious links sent via customer support chats to deliver the Gh0st RAT. This pattern of targeting customer support personnel and leveraging social engineering tactics is consistent with the group's modus operandi. Expel noted that the malware and victimology align with other Chinese cybercrime activities, including targeting financial organizations in the Asia-Pacific region.

The DigiCert breach itself involved attackers gaining unauthorized access to the company's internal support portal. By compromising two support analyst workstations, they were able to intercept code-signing certificates destined for DigiCert customers. The attackers initiated contact with DigiCert's support team via a customer chat channel, delivering a malicious payload disguised as a customer screenshot within a ZIP file. This payload contained a .scr executable designed to compromise the support system.

The attackers exploited a specific function within the customer-support portal that allowed authenticated DigiCert support analysts to access customer accounts from the customer's perspective for support tasks. The threat actor leveraged this function to access initialization codes for approved but pending EV Code Signing certificate orders across a limited set of customer accounts. Possession of these codes, combined with an approved order, was sufficient to obtain EV Code Signing certificates.

DigiCert ultimately revoked 60 certificates issued by several CAs, including DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1 and GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1. Of these, 27 were directly linked to the threat actor, and the compromised certificates were weaponized to sign Zhong Stealer malware artifacts. DigiCert has since implemented code changes to mask initialization codes from proxied users to prevent similar incidents.

The attack chain typically culminates in the execution of Golden Gh0st RAT, which possesses extensive capabilities including establishing persistence, stealing sensitive data, creating SOCKS proxy tunnels, logging keystrokes, capturing screenshots, enumerating processes, executing shell commands, and clearing Windows Event logs. This incident underscores the significant risks associated with compromised digital signing infrastructure and the evolving tactics of sophisticated cybercrime groups.

Synthesized by Vypr AI