GoldenEyeDog Linked to DigiCert Certificate Theft


Researchers link a GoldenEyeDog subgroup to DigiCert’s April 2026 breach involving stolen code-signing certificates.

A subgroup of the Chinese cybercrime operation GoldenEyeDog has been linked to the April 2026 breach of DigiCert, where attackers stole code-signing certificates intended for customers and later used some of them to digitally sign malware.

The findings were published by cybersecurity firm Expel on July 17, 2026, which attributed the intrusion to a threat cluster it tracks as CylindricalCanine. Researchers describe the group as a subgroup of GoldenEyeDog also known as APT-Q-27, Dragon Breath, and Miuuti Group a long-running cybercrime operation active since at least 2015.

While GoldenEyeDog has historically targeted organizations connected to the online gambling and gaming industries, Expel says the CylindricalCanine subgroup has recently shifted its focus toward financial organizations across the Asia-Pacific region.

According to Expel’s investigation, the attack began when a DigiCert support analyst unknowingly executed a malicious file that had been submitted through the company’s customer support system. Once the analyst’s workstation was compromised, the attackers were able to abuse a legitimate support feature that allowed employees to access customer accounts while providing technical assistance.

That access proved critical. Investigators found the attackers could view initialization codes for approved but undelivered Extended Validation (EV) code-signing certificates. Those codes were then used to complete certificate issuance, allowing the threat actors to obtain valid certificates belonging to DigiCert customers.

DigiCert disclosed the incident in April 2026, announcing that it had revoked 60 compromised code-signing certificates issued through multiple certificate authorities. According to Expel, 27 of those certificates were directly tied to the attackers and were later used to digitally sign samples of Zhong Stealer malware, making the malicious files appear more trustworthy to operating systems and security software.

Researchers also examined the malware used during the operation, identifying two key components: Golden Gh0st Loader and Golden Gh0st RAT. The loader uses DLL sideloading techniques to decrypt and launch the remote access trojan while displaying a decoy PDF containing an HTTP 503 error, helping disguise the infection process from victims.

Once installed, Golden Gh0st RAT provides attackers with extensive control over compromised systems. It supports remote command execution, file transfers, keylogging, screenshot capture, credential theft, browser data collection, SOCKS proxy tunneling, remote desktop functionality, and the ability to clear Windows Event Logs in an effort to hinder forensic investigations.

Expel said the group commonly delivers the malware through phishing emails and malicious files submitted to customer support portals, relying on social engineering rather than software vulnerabilities to gain an initial foothold inside targeted organizations.

The incident highlights the growing value of legitimate code-signing certificates to cybercriminals. Malware signed with trusted certificates is generally more likely to evade security controls and appear legitimate to users, making certificate theft an increasingly attractive objective for sophisticated threat actors.

Researchers recommend that organizations closely monitor certificate issuance, strengthen security around customer support systems, verify unexpected certificate requests, and continue educating employees about phishing attempts and malicious attachments designed to compromise internal networks.

Related articles :


Reports are sourced from official documents, law-enforcement updates, and credible investigations.

Discover additional reports, market trends, crime analysis and Harm Reduction articles on DarkDotWeb to stay informed about the latest dark web operations.