Chinese hacking subgroup linked to DigiCert breach and code-signing certificate theft

Expel researchers attributed the April DigiCert breach to CylindricalCanine, a GoldenEyeDog subgroup that stole code-signing certificates to sign malware.

CSBadmin
2 Min Read

Security researchers at Expel have attributed the April 2026 DigiCert security incident to a threat group they call CylindricalCanine, identifying it as a subgroup of the Chinese cybercrime operation GoldenEyeDog, also known as APT-Q-27, Dragon Breath, and Miuuti Group. The breach resulted in the theft of code-signing certificates that were subsequently used to sign malware.

According to Expel’s analysis, GoldenEyeDog used their malware to access a support analyst’s device at DigiCert, a leading certificate authority, then leveraged that access to intercept code-signing certificates intended for the company’s customers. The attack highlighted the sophistication of the group’s malware and operational capabilities.

GoldenEyeDog has been active since at least 2015 and is known for targeting the gambling and gaming sectors. The group’s operations center on a modified version of Gh0st RAT, a remote access trojan widely used by Chinese hacking groups. Expel’s analysis describes how the subgroup distributed files disguised as screenshots in phishing emails and used DLL side-loading chains to establish persistence and evade detection.

DigiCert had previously disclosed that the breach began when a threat actor contacted the company’s support team via a customer chat channel and delivered a ZIP file disguised as a customer screenshot. The file contained an executable payload that compromised two support analyst workstations. The attacker then exploited a portal function to access initialization codes for EV Code Signing certificate orders, eventually stealing certificates issued by four different certificate authorities.

The company revoked 60 certificates potentially affected by the breach, with 27 explicitly linked to the threat actor. Those stolen certificates were used to sign Zhong Stealer malware, giving the attackers a trusted signature that could bypass security controls. DigiCert has since deployed code changes to mask initialization codes from proxied users.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.