"This attack highlighted the capability of the malware and operators," Aaron Walton, an Expel security researcher, wrote after investigators traced an April 2026 intrusion that let attackers steal code‑signing certificates from DigiCert and weaponize them to sign malware.
CylindricalCanine: a GoldenEyeDog subgroup
Security researchers attribute the incident to a threat activity cluster dubbed CylindricalCanine, described by Expel as a sub‑group of GoldenEyeDog (also tracked as APT‑Q‑27, Dragon Breath, and Miuuti Group). Expel said the group has been active since at least 2015 and has a documented history of targeting gambling and gaming sectors with counterfeit websites that deliver malware‑laced software. Researchers observed campaigns that target customer‑support staff via chat channels and phishing emails, and noted that "the malware targets finance organizations in the Asia‑Pacific region."
How the DigiCert compromise unfolded
On 2026‑04‑02, DigiCert reported that a threat actor opened a support chat and delivered a ZIP file disguised as a customer screenshot; the file contained a .scr executable with a malicious payload. The actor used a support‑portal function that allows authenticated DigiCert analysts to access customer accounts from the customer's perspective to retrieve initialization codes for orders that were approved but pending delivery for EV Code Signing certificates.
DigiCert concluded that possession of an initialization code coupled with an approved order was "functionally sufficient" to obtain EV Code Signing certificates across a finite set of customer accounts and CAs. The company revoked 60 certificates issued by four certificate authorities —
- DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
- GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
- Verokey High Assurance Secure Code EV
Of those revoked, 27 were explicitly linked to the threat actor; Expel said the exploited certificates were weaponized to sign Zhong Stealer malware artifacts.
DigiCert said it has since deployed a code change to mask initialization codes from proxied users on both E.U. and U.S. platforms using either the UI or API.
Attack chains, loaders and Golden Gh0st RAT capabilities
Expel described a multi‑stage infection chain. Initial lures arrive as files disguised as screenshots embedded in messages or ticketing submissions; links in those messages download payloads from external servers. The actors trigger a DLL side‑loading chain that runs a rogue DLL while displaying a decoy PDF that shows an HTTP 503 "Service Unavailable" error. The DLL loads an encrypted payload ("update.log") that culminates in Golden Gh0st RAT.
Golden Gh0st RAT — a modified Gh0st RAT variant delivered via Golden Gh0st Loader — provides a broad plugin‑driven capability set: establishing persistence, data theft, SOCKS proxy tunnels, display suppression, keystroke logging, screenshots, process enumeration, shell execution, dropping additional payloads, and clearing Windows Event logs. Expel listed targeted applications for data collection that include Skype, Google Chrome, Mozilla Firefox, 360 Secure Browser, 360 Speed Browser, and Tencent QQ Browser.
Elastic Security Labs had previously documented a related multi‑stage loader codenamed RONINGLOADER in November 2025; that loader distributed a Gh0st RAT variant via NSIS installers masquerading as legitimate programs such as Google Chrome and Microsoft Teams. Expel also noted behavioral overlaps between Golden Gh0st RAT and payloads identified by QiAnXin in 2020 and by ANY.RUN in February 2025 as Zhong Stealer.
What this means for security teams, regulators, and affected enterprises
- Technologists and security teams: expect threat actors to weaponize support channels and code‑signing systems; defensive focus will need to include ticketing systems and proxy functions that can expose initialization codes or other order state.
- Policymakers and regulators: this incident highlights a path by which stolen or fraudulently obtained certificates can be abused to increase malware trustworthiness, with implications for standards and oversight of certificate issuance processes.
- Affected enterprises and procurement leaders: organizations that rely on third‑party code‑signing should verify revocation practices and seek assurances that CAs have mitigations for authenticated‑support workflows that could be abused to obtain certificates.
Broader significance and next questions
The DigiCert incident places CylindricalCanine on a list of actors that have abused code‑signing certificates, alongside groups such as Black Basta, TamperedChef (aka EvilAI), and Rhysida. Expel's analysis and DigiCert's remedial masking of initialization codes on EU and U.S. platforms address the immediate exploit vector, but the episode underscores a recurring tension: certificate authorities must balance efficient customer support against the risk that privileged support functions, when abused, can undermine certificate trust.
Investigators and customers will be watching two concrete items next: whether additional signed artifacts emerge in the wild and whether other CAs take similar steps to restrict support‑portal access to sensitive initialization data. For now, the record shows a determined, modular actor using established RAT tooling and support‑channel social engineering to convert access to the certificate issuance pipeline into signed malware — a tactic that both amplifies attacker reach and complicates detection.




