GoldenEyeDog Subgroup Steals DigiCert Code-Signing Certificates
Cybersecurity researchers at Expel have attributed the April 2026 DigiCert security incident to a threat activity cluster tracked as CylindricalCanine, a sub-group of the Chinese cybercrime syndicate GoldenEyeDog—also known as APT-Q-27, Dragon Breath, and Miuuti Group. Active since at least 2015, GoldenEyeDog has historically targeted the gambling and gaming sectors using counterfeit websites that push malware-laced software. According to Expel researcher Aaron Walton, the group compromised a DigiCert support member's device using their custom malware, then leveraged that access to intercept code-signing certificates intended for legitimate DigiCert customers—an attack that starkly demonstrated the operator's technical capability and the dangers posed when certificate authorities are breached.
At the core of the group's operations is Golden Gh0st RAT, a heavily modified variant of the Gh0st RAT (Farfli) remote access trojan widely used across Chinese threat clusters, including the prolific Silver Fox group. The modular payload is delivered via Golden Gh0st Loader, and Elastic Security Labs documented in November 2025 how the adversaries used a multi-stage loader called RONINGLOADER to distribute Gh0st variants through NSIS installers masquerading as legitimate applications such as Google Chrome and Microsoft Teams. Earlier in 2026, the group was also observed targeting customer support staff at Web3 firms via malicious links sent through support chat channels. Organizations—especially those in Asia-Pacific finance—can verify the integrity of their digital certificates using an SSL/TLS checker to detect any unauthorized or fraudulent certificates issued against their domains.
The DigiCert compromise itself began on April 2, 2026, when a threat actor contacted DigiCert's support team via a customer chat channel and delivered a ZIP file disguised as customer screen-shares. Execution of the malicious payload granted the attackers access to two internal support analyst workstations, enabling them to fraudulently obtain and later revoke code-signing certificates through DigiCert's internal support portal. These stolen certificates were then used to sign the group's malware, allowing it to evade detection by endpoint security products. CylindricalCanine's Golden Gh0st RAT also overlaps with a 2020 QiAnXin detection tied to gambling-sector attacks dating back to 2019 and with a payload documented by ANY.RUN in February 2025 as Zhong Stealer, underscoring the group's long-running malware lineage.
GoldenEyeDog's tactics—leveraging trusted support channels, social engineering, and stolen code-signing trust—illustrate a growing convergence of APT tradecraft and financially motivated cybercrime. Security teams should audit their environments for unauthorized certificates, monitor signed binaries for anomalous publishers, and validate the legitimacy of vendor communications. Investigators tracking related infrastructure can also benefit from a WHOIS lookup to map suspicious domains tied to the group's phishing lures and counterfeit software distribution sites.