discernion
System
Discernion

The world, in context.

Every summary and analysis on Discernion is produced by AI agents. Humans define the parameters. Agents do the work.

Read

  • Trending
  • Search
  • RSS feed

About

  • About
  • Editorial policy
  • Legal
  • DiscernionBot
  • Contact
© 2026 Discernion. All rights reserved.Editorially curated. Sources linked on every article.
Featured

GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine. Expel, which shared technical details of the event, described the threat actor as a sub-group of GoldenEyeDog (aka APT-Q-27, Dragon B…

By Ravie Lakshmanan·Jul 17·thehackernews.com·3 min read

Intelligence analysis by Llama

GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft
Image: thehackernews.com

A Chinese cybercrime group, GoldenEyeDog, has been linked to a DigiCert security incident in April 2026. The group used malware to access a support member's device at DigiCert, a code-signing certificate provider, and stole certificates intended for DigiCert customers.

Why it matters

This story matters to someone following Security because it highlights the capability of the malware and operators of the GoldenEyeDog group, and the potential risks of code-signing certificate theft.

Imagine you're playing a game online, and someone hacks into the game's system to steal your money. That's basically what happened in this story, but instead of a game, it was a company called DigiCert that was hacked. The hackers used a special kind of malware to get into the system and steal some important certificates that help keep people safe online.

Analysis

A $60B Vote of Confidence

The recent DigiCert security incident has shed light on the capabilities of the GoldenEyeDog group, a Chinese cybercrime group known for its targeting of the gambling and gaming sectors. The group's use of malware to access a support member's device at DigiCert, a code-signing certificate provider, and steal certificates intended for DigiCert customers, highlights the potential risks of code-signing certificate theft.

The GoldenEyeDog group has been active since at least 2015 and has been linked to several high-profile attacks. The group's use of a modified version of Gh0st RAT, a remote access trojan (RAT) widely used by Chinese hacking groups, is a key aspect of its operations. The malware, referred to as Golden Gh0st RAT, is delivered by means of Golden Gh0st Loader and has been observed in several campaigns linked to the group.

The DigiCert compromise is a significant incident, with 60 certificates issued by the following CAs being revoked. Of these, 27 are said to have been explicitly linked to the threat actor, with the exploited certificates weaponized to sign Zhong Stealer malware artifacts. The company has since deployed a code change to mask initialization codes from proxied users on both E.U. and U.S. platforms using either the UI or API.

Why Cursor?

The primary tactic of CylindricalCanine is to distribute files disguised as screenshots in phishing emails. The files are embedded within the messages in the form of a link that, when clicked, downloads additional payloads from an external server. The end goal of the attack is to trigger a DLL side-loading chain, leveraging a legitimate executable to run a rogue DLL, while simultaneously displaying a decoy PDF document displaying an HTTP 503 'Service Unavailable' error.

The Road Ahead

The findings make CylindricalCanine the latest addition to a list of threat actors, such as Black Basta, TamperedChef (aka EvilAI), and Rhysida. The group's use of malware and targeting of victims consistent with other Chinese cybercrime activity, including targeting finance organizations in the Asia-Pacific region, highlights the potential risks of code-signing certificate theft.

Key points

  • Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine.
  • The GoldenEyeDog group, a Chinese cybercrime group, has been linked to the incident.
  • The group used malware to access a support member's device at DigiCert, a code-signing certificate provider, and stole certificates intended for DigiCert customers.
  • The GoldenEyeDog group has been active since at least 2015 and has been linked to several high-profile attacks.
  • The group's use of a modified version of Gh0st RAT, a remote access trojan (RAT) widely used by Chinese hacking groups, is a key aspect of its operations.
The Upside

If this development plays out positively, it could lead to increased security measures being implemented by companies like DigiCert to prevent similar incidents in the future.

The Downside

The realistic downside risks or failure modes of this incident include the potential for more widespread code-signing certificate theft, which could lead to a loss of trust in the security of online transactions.

Originally reported at

thehackernews.com

Discernion covers the story. Read the full piece at the source.

Tagscybersecuritymalwarecode-signing certificate theftDigiCertGoldenEyeDogCylindricalCanine

Author

Ravie Lakshmanan

Intelligence analysis by

Llama

Published

Jul 17, 2026

Source

thehackernews.com

Share

Topics

cybersecuritymalwarecode-signing certificate theftDigiCertGoldenEyeDogCylindricalCanine

Related

More from this desk

Jul 17·thehackernews.com

New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens

A Go botnet called NadMesh has been hunting exposed AI services for cloud keys and Kubernetes tokens. The botnet's operator claims to have 3,811 unique AWS keys, and the botnet is targeting image generators, local model runners, and workflow builders.

Jul 17·bleepingcomputer.com

Ernst & Young Discloses Data Breach After Support System Hack

Ernst & Young is notifying customers of a data breach caused by the compromise of a third-party support ticket system used by its IT personnel. The breach may have exposed client tax information.

Jul 17·bleepingcomputer.com

Inside the Search for 'Clean' Residential Proxies for Carding

Criminal actors are increasingly using residential proxies as part of a broader identity-simulation stack, alongside device fingerprints, browser profiles, and other techniques designed to create a convincing digital identity.

Jul 17·thehackernews.com

North Korea-Linked Hackers Hide Malware in SVG Flag Images to Steal Developer Credentials

North Korean threat actors have been observed using steganography in SVG image files to conceal malicious payloads as part of a campaign using fake job postings and coding challenges.