In April 2026, a cybersecurity incident at DigiCert has been traced back to a cybercrime faction known as CylindricalCanine. This group is identified as a sub-division of GoldenEyeDog, a notorious Chinese cybercrime syndicate active since 2015, notorious for targeting the gambling and gaming industries with malware distributed through fake websites.
Details of the DigiCert Breach
GoldenEyeDog reportedly exploited malware to infiltrate a support member’s device at DigiCert, a provider of code-signing certificates. This breach enabled the theft of certificates intended for DigiCert clients, as analyzed by Expel’s researcher Aaron Walton. The intrusion underscores the sophistication of the malware and its operators, highlighting the vulnerabilities within digital certificate management systems.
Central to the group’s operations is the use of Golden Gh0st RAT, a modified variant of the widely deployed Gh0st RAT by Chinese hacking entities. Delivered using the Golden Gh0st Loader, this malware variant was previously reported in November 2025 by Elastic Security Labs, which detailed its distribution through the RONINGLOADER, a multi-stage loader disguising itself as legitimate software like Google Chrome.
Implications for Cybersecurity
The attack method employed by CylindricalCanine involves the misuse of code-signing certificates to sign their malware, thereby evading detection. DigiCert’s detailed report reveals that the attackers used a customer support channel to deliver a malicious payload via a disguised ZIP file, exploiting a customer-support portal function to access initialization codes necessary for obtaining EV Code Signing certificates.
This breach resulted in the revocation of 60 fraudulently obtained certificates, including those linked to other security authorities. Of particular concern were 27 certificates directly associated with the threat actor, which were used to sign malicious software like Zhong Stealer.
Long-term Cyber Threats
The strategies employed by CylindricalCanine, including the distribution of phishing emails with malicious links, emphasize the ongoing threat posed by such cybercrime groups. The group’s final attack stage involves deploying Golden Gh0st RAT, which possesses capabilities to maintain persistence, exfiltrate data, and execute additional payloads. Targeted applications include popular web browsers and communication tools, underscoring the need for enhanced security measures.
The findings highlight the growing trend of cybercriminals like CylindricalCanine, Black Basta, and others abusing code-signing certificates to further their operations. Cybersecurity firms and organizations must remain vigilant against such evolving threats to protect sensitive information and maintain trust in digital transactions.
