CylindricalCanine: The Chinese Cybercrime Group Behind the DigiCert Certificate Theft
A Chinese cybercrime cluster, dubbed **CylindricalCanine**, has been identified as the perpetrator behind the April 2026 security incident at **DigiCert**. This sophisticated group, a subgroup of **GoldenEyeDog** (also known as APT-Q-27, Dragon Breath, and Miuuti Group), leveraged a modified **Gh0st RAT** to compromise support systems and steal code-signing certificates, enabling them to sign their own malware and evade detection.
Cybersecurity researchers have linked the April 2026 **DigiCert** security incident to a threat activity cluster dubbed **CylindricalCanine**.
**Expel**, which provided detailed technical insights into the event, describes **CylindricalCanine** as a subgroup of **GoldenEyeDog** (also known as APT-Q-27, Dragon Breath, and Miuuti Group). This Chinese cybercrime group has been active since at least 2015 and is notorious for targeting the gambling and gaming sectors with malware-laced software distributed through counterfeit websites.
"In April 2026, **GoldenEyeDog** used their malware to access a support member's device at **DigiCert**, a code-signing certificate provider, and leveraged their access to steal certificates intended for **DigiCert** customers," stated **Expel** security researcher Aaron Walton in an analysis. "This attack highlighted the capability of the malware and operators."
Central to the threat actor's operations is a modified version of **Gh0st RAT** (also known as Farfli), a remote access trojan widely employed by Chinese hacking groups, including **Silver Fox**. This modular malware, referred to as **Golden Gh0st RAT**, is delivered via the **Golden Gh0st Loader**.
In November 2025, **Elastic Security Labs** detailed the adversary's use of a multi-stage loader, codenamed **RONINGLOADER**, to distribute a **Gh0st RAT** variant. This was achieved through **NSIS** installers disguised as legitimate programs like **Google Chrome** and **Microsoft Teams**.
Earlier this year, another campaign linked to the group was observed orchestrating a multi-stage attack targeting customer support staff at Web3 companies. This involved using suspicious links sent via customer support chat to deliver **Gh0st RAT**.
"These actors are using malware and targeting victims consistent with other Chinese cybercrime activity, including targeting finance organizations in the Asia-Pacific region," **Expel** noted.

**Golden Gh0st RAT** exhibits behavioral and tactical overlaps with a payload detected by Chinese security vendor **QiAnXin** in 2020, in connection with an attack campaign against the gambling industry since 2019. It also shares similarities with malware documented by **ANY.RUN** in February 2025 as **Zhong Stealer**.
## The DigiCert Compromise
**CylindricalCanine** has been actively abusing code-signing certificates. They gained unauthorized access to **DigiCert** systems to intercept code-signing certificates intended for **DigiCert** customers, subsequently using them to sign their own malware to evade detection.
In April 2026, the certificate authority (**CA**) disclosed that it revoked certificates fraudulently obtained from its internal support portal. This compromise occurred after gaining access to two support analyst workstations by executing a malicious payload delivered via a customer chat channel.
"On 2026-04-02, a threat actor contacted **DigiCert**'s support team via a customer chat channel and delivered a ZIP file disguised as a customer screenshot," **DigiCert** explained at the time. "The file contained a .scr executable with a malicious payload."

"The threat actor used a limited function within the customer-support portal, which allows authenticated **DigiCert** support analysts to access customer accounts from the customer's perspective to facilitate support tasks. The threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for **EV Code Signing** certificate orders across a finite set of customer accounts."
The critical vulnerability lay in the fact that possession of an initialization code, combined with an approved order, was "functionally sufficient" to obtain **EV Code Signing** certificates across a set of customer accounts and CAs. The company reported revoking 60 certificates issued by the following CAs:
* **DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1**
* **DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1**
* **GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1**
* **Verokey High Assurance Secure Code EV**
Of these, 27 were explicitly linked to the threat actor, with the exploited certificates weaponized to sign **Zhong Stealer** malware artifacts.
"The threat model did not account for the scenario in which initialization codes stored within **DigiCert**'s internal support portal could be viewed by a compromised **DigiCert** analyst account operating through the portal function," the company explained. **DigiCert** has since deployed a code change to mask initialization codes from proxied users on both E.U. and U.S. platforms using either the UI or API.
## Attack Chains Lead to Golden Gh0st RAT
**Expel** detailed that **CylindricalCanine**'s primary tactic involves distributing files disguised as screenshots in phishing emails. These files are embedded as links that, when clicked, download additional payloads from an external server.
The ultimate goal of the attack is to trigger a **DLL side-loading chain**, leveraging a legitimate executable to run a rogue DLL. Simultaneously, a decoy PDF document displaying an HTTP 503 "Service Unavailable" error is shown. The rogue DLL then proceeds to load an encrypted payload, referred to as "update.log."
The final stage is the **Golden Gh0st RAT**, which boasts a wide array of capabilities. These include establishing persistence, stealing sensitive data, initiating a SOCKS proxy tunnel, suppressing display output, logging keystrokes, taking screenshots, enumerating processes, executing shell commands, dropping additional payloads, and clearing Windows Event logs. Specific applications targeted for data collection include **Skype**, **Google Chrome**, **Mozilla Firefox**, **360 Secure Browser**, **360 Speed Browser**, and **Tencent QQ Browser**.
The findings position **CylindricalCanine** as the latest addition to a growing list of threat actors, such as **Black Basta**, **TamperedChef** (also known as EvilAI), and **Rhysida**, known for abusing code-signing certificates in their cyber operations.
"**Golden Gh0st RAT** is used primarily in phishing emails and/or submissions to support portals (these submissions may themselves be emails received by a ticketing system)," **Expel** stated. "As with all **Gh0st RAT** variants, the capability of the malware is handled through plugins and an internal module dispatcher."