GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft
Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine. Expel, which shared technical details of the event, described the threat actor as a sub-group of GoldenEyeDog (aka APT-Q-27, Dragon B…
Intelligence analysis by Llama

A Chinese cybercrime group, GoldenEyeDog, has been linked to a DigiCert security incident in April 2026. The group used malware to access a support member's device at DigiCert, a code-signing certificate provider, and stole certificates intended for DigiCert customers.
Imagine you're playing a game online, and someone hacks into the game's system to steal your money. That's basically what happened in this story, but instead of a game, it was a company called DigiCert that was hacked. The hackers used a special kind of malware to get into the system and steal some important certificates that help keep people safe online.
Analysis
A $60B Vote of Confidence
The recent DigiCert security incident has shed light on the capabilities of the GoldenEyeDog group, a Chinese cybercrime group known for its targeting of the gambling and gaming sectors. The group's use of malware to access a support member's device at DigiCert, a code-signing certificate provider, and steal certificates intended for DigiCert customers, highlights the potential risks of code-signing certificate theft.
The GoldenEyeDog group has been active since at least 2015 and has been linked to several high-profile attacks. The group's use of a modified version of Gh0st RAT, a remote access trojan (RAT) widely used by Chinese hacking groups, is a key aspect of its operations. The malware, referred to as Golden Gh0st RAT, is delivered by means of Golden Gh0st Loader and has been observed in several campaigns linked to the group.
The DigiCert compromise is a significant incident, with 60 certificates issued by the following CAs being revoked. Of these, 27 are said to have been explicitly linked to the threat actor, with the exploited certificates weaponized to sign Zhong Stealer malware artifacts. The company has since deployed a code change to mask initialization codes from proxied users on both E.U. and U.S. platforms using either the UI or API.
Why Cursor?
The primary tactic of CylindricalCanine is to distribute files disguised as screenshots in phishing emails. The files are embedded within the messages in the form of a link that, when clicked, downloads additional payloads from an external server. The end goal of the attack is to trigger a DLL side-loading chain, leveraging a legitimate executable to run a rogue DLL, while simultaneously displaying a decoy PDF document displaying an HTTP 503 'Service Unavailable' error.
The Road Ahead
The findings make CylindricalCanine the latest addition to a list of threat actors, such as Black Basta, TamperedChef (aka EvilAI), and Rhysida. The group's use of malware and targeting of victims consistent with other Chinese cybercrime activity, including targeting finance organizations in the Asia-Pacific region, highlights the potential risks of code-signing certificate theft.
Key points
- Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine.
- The GoldenEyeDog group, a Chinese cybercrime group, has been linked to the incident.
- The group used malware to access a support member's device at DigiCert, a code-signing certificate provider, and stole certificates intended for DigiCert customers.
- The GoldenEyeDog group has been active since at least 2015 and has been linked to several high-profile attacks.
- The group's use of a modified version of Gh0st RAT, a remote access trojan (RAT) widely used by Chinese hacking groups, is a key aspect of its operations.
If this development plays out positively, it could lead to increased security measures being implemented by companies like DigiCert to prevent similar incidents in the future.
The realistic downside risks or failure modes of this incident include the potential for more widespread code-signing certificate theft, which could lead to a loss of trust in the security of online transactions.



