In April 2026, cybersecurity researchers identified a significant security breach at DigiCert, a leading code-signing certificate authority. The incident has been attributed to a threat actor subgroup known as CylindricalCanine, which operates under the larger Chinese cybercrime group GoldenEyeDog. This group, also referred to as APT-Q-27, Dragon Breath, and Miuuti Group, has a history of targeting sectors like gambling and gaming through counterfeit websites that distribute malware-laden software. Their activities have been traced back to at least 2015.
The breach at DigiCert involved the theft of code-signing certificates intended for its customers. The attackers gained access by compromising a support member’s device, highlighting the sophisticated capabilities of their malware and operational tactics. Central to their strategy is a modified version of Gh0st RAT, a remote access trojan widely utilized by Chinese hacking groups. This variant, dubbed Golden Gh0st RAT, is deployed via a loader known as Golden Gh0st Loader.
Previous reports have detailed the group’s use of multi-stage loaders, such as RONINGLOADER, to distribute Gh0st RAT variants through NSIS installers masquerading as legitimate applications like Google Chrome and Microsoft Teams. Earlier this year, the group was observed targeting customer support staff at Web3 companies, using malicious links sent via support chats to deliver Gh0st RAT.
Golden Gh0st RAT exhibits behavioral and tactical similarities with malware identified in 2020, which targeted the gambling industry since 2019. Additionally, it overlaps with a payload documented in February 2025 as Zhong Stealer.
During the DigiCert compromise, CylindricalCanine exploited code-signing certificates by gaining unauthorized access to DigiCert’s internal support portal. They intercepted certificates intended for customers and used them to sign their own malware, thereby evading detection mechanisms. The attackers initiated contact with DigiCert’s support team via a customer chat channel, delivering a ZIP file disguised as a customer screenshot. This file contained a malicious .scr executable, which, when executed, allowed the threat actor to access initialization codes for pending EV Code Signing certificate orders.
This incident underscores the critical importance of securing internal support systems and the potential risks posed by sophisticated cybercrime groups. Organizations must implement robust security measures, including regular monitoring and employee training, to defend against such advanced persistent threats.