Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine.
Expel, which shared technical details of the event, described the threat actor as a sub-group of GoldenEyeDog (aka APT-Q-27, Dragon Breath, and Miuuti Group), a Chinese cybercrime group known for its targeting of the gambling and gaming sectors using counterfeit websites to push malware-laced software. It’s known to be active since at least 2015.
“In April 2026, GoldenEyeDog used their malware to access a support member’s device at DigiCert, a code-signing certificate provider, and leveraged their access to steal certificates intended for DigiCert customers,” Expel security researcher Aaron Walton said in an analysis. “This attack highlighted the capability of the malware and operators.”
Central to the threat actor’s operations is a modified version of Gh0st RAT (aka Farfli), a remote access trojan (RAT) widely used by Chinese hacking groups, including another prolific Chinese cybercrime group tracked as Silver Fox. The modular malware, referred to as Golden Gh0st RAT, is delivered by means of Golden Gh0st Loader.
In a report published in November 2025, Elastic Security Labs detailed the adversary’s use of a multi-stage loader codenamed RONINGLOADER to distribute a Gh0st RAT variant through NSIS installers masquerading as legitimate programs like Google Chrome and Microsoft Teams.
Earlier this year, another campaign linked to the hacking group was observed orchestrating a multi-stage attack directed at customer support staff working for Web3 companies, using suspicious links sent via customer support chat to deliver Gh0st RAT.
“These actors are using malware and targeting victims consistent with other Chinese cybercrime activity, including targeting finance organizations in the Asia-Pacific region,” Expel said. “The malware targets finance organizations in the Asia-Pacific region.”
Golden Gh0st RAT shares behavioral and tactical overlaps with a payload detected by Chinese security vendor QiAnXin back in 2020 in connection with an attack campaign aimed at the gambling industry since 2019. It also overlaps with a malware documented by ANY.RUN in February 2025 as Zhong Stealer.
The DigiCert Compromise
What’s more, CylindricalCanine has been observed abusing code-signing certificates, gaining unauthorized access to DigiCert to intercept code-signing certificates intended for DigiCert customers, and then using them to sign their own malware to avoid detection.
In April 2026, the certificate authority (CA) revealed it revoked certificates fraudulently obtained from its internal support portal after gaining access to two support analyst workstations by executing a malicious payload delivered via a customer chat channel.
“On 2026-04-02, a threat actor contacted DigiCert’s support team via a customer chat channel and delivered a ZIP file disguised as a customer screenshot,” DigiCert explained at the time. “The file contained a .scr executable with a malicious payload.”
“The threat actor used a limited function within the customer-support portal, which allows authenticated DigiCert support analysts to access customer accounts from the customer’s perspective to facilitate support tasks. The threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for EV Code Signing certificate orders across a finite set of customer accounts.”
The fatal oversight here was that the possession of an initialization code, coupled with an approved order, was “functionally sufficient” to obtain EV Code Signing certificates across a set of customer accounts and CAs. The company said it revoked 60 certificates issued by the following CAs –
- DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
- GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
- Verokey High Assurance Secure Code EV
Of these, 27 are said to have been explicitly linked to the threat actor, with the exploited certificates weaponized to sign Zhong Stealer malware artifacts.
“The threat model did not account for the scenario in which initialization codes stored within DigiCert’s internal support portal could be viewed by a compromised DigiCert analyst account operating through the portal function,” the company explained, adding it has since deployed a code change to mask initialization codes from proxied users on both E.U. and U.S. platforms using either the UI or API.
Attack Chains Lead to Golden Gh0st RAT
Expel said the primary tactic of CylindricalCanine is to distribute files disguised as screenshots in phishing emails. The files are embedded within the messages in the form of a link that, when clicked, downloads additional payloads from an external server.
The end goal of the attack is to trigger a DLL side-loading chain, leveraging a legitimate executable to run a rogue DLL, while simultaneously displaying a decoy PDF document displaying an HTTP 503 “Service Unavailable” error. The DLL then proceeds to load an encrypted payload (“update.log”).
The final stage is Golden Gh0st RAT, which comes with a wide array of capabilities to set up persistence, steal sensitive data, start a SOCKS proxy tunnel, suppress display output, log keystrokes, take screenshots, enumerate processes, execute shell commands, drop additional payloads, and clear Windows Event logs. Some of the applications it specifically targets for data collection include Skype, Google Chrome, Mozilla Firefox, 360 Secure Browser, 360 Speed Browser, and Tencent QQ Browser.
The findings make CylindricalCanine the latest addition to a list of threat actors, such as Black Basta, TamperedChef (aka EvilAI), and Rhysida, that are known to abuse code-signing certificates in their cyber operations.
“Golden Gh0st RAT is used primarily in phishing emails and/or submissions to support portals (these submissions may themselves be emails received by a ticketing system),” Expel said. “As with all Gh0st RAT variants, the capability of the malware is handled through plugins and an internal module dispatcher.”









