Cybersecurity researchers have linked the April 2026 DigiCert security incident to a threat activity cluster known as CylindricalCanine, which they describe as a subgroup of the Chinese cybercrime operation GoldenEyeDog. Also tracked under names including APT Q 27, Dragon Breath, and Miuuti Group, GoldenEyeDog has reportedly been active since at least 2015 and is known for targeting organizations in the gambling and gaming industries through counterfeit websites that distribute malware. According to an analysis published by Expel, the group successfully compromised a DigiCert support employee’s workstation and used that access to obtain code signing certificates intended for DigiCert customers. Researchers said the incident demonstrated the group’s ability to combine phishing techniques, remote access malware, and stolen certificates to support broader cyber operations.
Expel stated that the attack began when the threat actor contacted DigiCert support through a customer chat channel and delivered a ZIP archive disguised as a customer screenshot. The archive contained a malicious SCR executable that installed malware after being opened. According to DigiCert, the attackers compromised two support analyst workstations and abused a legitimate support portal feature that allowed authenticated analysts to access customer accounts for troubleshooting purposes. Through this functionality, the attackers viewed initialization codes associated with approved but undelivered Extended Validation code signing certificate orders across a limited number of customer accounts. DigiCert explained that possession of these initialization codes, together with approved certificate requests, was sufficient to obtain valid EV code signing certificates. Following the discovery of the incident, the company revoked 60 certificates issued by several certificate authorities, including DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, GoGetSSL G4 CS RSA4096 SHA256 2022 CA 1, and Verokey High Assurance Secure Code EV. Of those revoked certificates, 27 were directly linked to the threat actor and were reportedly used to digitally sign Zhong Stealer malware. DigiCert also confirmed that it has modified its internal support platform so initialization codes are now masked from proxied users through both the user interface and application programming interface.
Researchers said the operation relies heavily on a modified version of Gh0st RAT known as Golden Gh0st RAT, which is delivered through a component referred to as Golden Gh0st Loader. Earlier investigations by Elastic Security Labs documented similar campaigns using a multi stage loader called RONINGLOADER to distribute Gh0st RAT through installers disguised as legitimate software such as Google Chrome and Microsoft Teams. More recently, the group has been observed targeting customer support staff working for Web3 organizations by sending suspicious links through customer support chat systems. According to Expel, the attackers primarily distribute phishing messages containing links that download malicious files disguised as screenshots. Once executed, the attack launches a DLL side loading chain that uses a legitimate executable to load a malicious DLL while displaying a decoy PDF showing an HTTP 503 Service Unavailable error. The malicious DLL then decrypts and loads the final Golden Gh0st RAT payload. Researchers explained that the malware supports persistence, data theft, SOCKS proxy tunneling, keystroke logging, screenshot capture, shell command execution, additional payload delivery, process enumeration, and Windows Event Log clearing. It also targets data stored in applications including Skype, Google Chrome, Mozilla Firefox, 360 Secure Browser, 360 Speed Browser, and Tencent QQ Browser.
Expel noted that CylindricalCanine joins a growing list of threat groups known for abusing legitimate code signing certificates to make malware appear trustworthy and reduce the likelihood of security detection. The researchers emphasized that Golden Gh0st RAT continues to be distributed primarily through phishing emails and customer support submissions, with its functionality extended through plugins and modular components. They also stated that the group’s targeting patterns remain consistent with previous Chinese cybercrime campaigns focused on financial organizations and businesses across the Asia Pacific region. The DigiCert incident highlights the importance of securing internal support systems, restricting privileged access, validating certificate issuance workflows, and strengthening defenses against phishing attacks designed to compromise trusted administrative accounts.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.