Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1937+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft
GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft
NEWS

GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

Cybersecurity researchers at Expel have attributed the April 2026 DigiCert security incident to CylindricalCanine, a sub-group of the Chinese APT known as GoldenEyeDog (APT-Q-27, Dragon Breath). The threat actors stole code-signing certificates to legitimize malicious software.

Dylan H.

News Desk

July 17, 2026
4 min read

Chinese APT Sub-Group Behind DigiCert Certificate Authority Breach

Cybersecurity firm Expel has published a detailed technical attribution linking the April 2026 DigiCert security incident to a threat actor cluster tracked internally as CylindricalCanine — identified as a sub-group of GoldenEyeDog, also known by the aliases APT-Q-27, Dragon Breath, and Miuuti Group.

The campaign represents a high-value supply chain attack: by compromising a trusted Certificate Authority (CA) and stealing code-signing certificates, threat actors can sign malicious software with legitimate credentials, effectively bypassing security controls that rely on certificate trust.


Threat Actor Profile: GoldenEyeDog

GoldenEyeDog is a Chinese state-linked advanced persistent threat (APT) group with a history of espionage-focused operations against targets in Southeast Asia, East Asia, and increasingly Western technology and financial sectors. The group operates through multiple sub-clusters that share tooling and infrastructure but maintain operational separation.

AliasAttribution
GoldenEyeDogUmbrella group designation
APT-Q-27QiAnXin tracking designation
Dragon BreathVolexity tracking designation
Miuuti GroupAlternative research tracking name
CylindricalCanineExpel's designation for this sub-cluster

CylindricalCanine Sub-Cluster

Expel describes CylindricalCanine as a distinct operational sub-group within GoldenEyeDog's broader infrastructure. The April 2026 DigiCert breach represents one of the most significant operations attributed to this cluster, targeting the foundational trust infrastructure of the global PKI ecosystem.


The DigiCert Incident

Timeline

  • April 2026: DigiCert discloses a security incident involving unauthorized access to internal systems
  • July 2026: Expel publishes attribution linking the breach to CylindricalCanine / GoldenEyeDog

What Was Stolen

The primary objective of the breach was code-signing certificates — digital credentials issued by DigiCert used by software developers to cryptographically sign applications and updates. These certificates allow end-user systems and security tools to verify that software originates from a legitimate, trusted publisher.

Theft of code-signing certificates enables threat actors to:

  • Sign malware with legitimate, trusted certificates
  • Bypass endpoint detection — signed binaries receive implicit trust from many AV/EDR solutions
  • Evade application allowlisting — policies based on certificate trust are circumvented
  • Conduct watering hole or supply chain attacks — distribute backdoored software that appears authentic

Technical Details

Expel's technical analysis focuses on the intrusion tradecraft observed during the DigiCert compromise. While the full technical report details specific TTPs, key observations include:

  • Initial access via targeted phishing or exploitation of exposed services (consistent with GoldenEyeDog's historical TTPs)
  • Lateral movement within DigiCert's internal systems to reach certificate management infrastructure
  • Certificate exfiltration targeting code-signing assets rather than TLS/SSL certificates (maximizing operational value for software-based delivery)

The choice of target is notable. Code-signing certificates are significantly more valuable than standard TLS certificates from an offensive standpoint, as they directly enable malware distribution campaigns under the banner of a trusted global CA.


Why This Matters

The compromise of a major Certificate Authority represents a systemic trust risk for the broader software ecosystem:

  1. Downstream software trust: Any software signed with stolen DigiCert certificates inherits the CA's trust chain
  2. Detection blind spots: Many organizations exclude signed software from intensive scanning
  3. Extended attack window: Stolen certificates may have been used in campaigns before or after the breach disclosure
  4. Revocation challenges: Certificate revocation (via CRL or OCSP) is not instantaneously adopted by all client systems

Recommendations

For Security Teams

  • Audit signed software ingestion — review policies for software signed by DigiCert certificates, particularly executables introduced after April 2026
  • Monitor certificate revocation lists — ensure your systems are consuming current CRLs/OCSP responses
  • Enhance supply chain controls — scrutinize third-party software updates for unexpected certificate changes
  • Threat hunt for GoldenEyeDog IOCs — check Expel's published indicators against your environment

For Software Publishers

  • Rotate code-signing certificates if they were issued by DigiCert during or prior to the breach window
  • Implement dual-signing where possible to reduce single-CA dependency
  • Audit your CI/CD pipelines for unauthorized certificate use or signing anomalies

References

  • The Hacker News — GoldenEyeDog Subgroup Linked to DigiCert Breach
  • Expel Threat Intelligence
  • DigiCert Security Advisory
#Data Breach#APT#GoldenEyeDog#APT-Q-27#DigiCert#Code-Signing#Supply Chain#China

Related Articles

Chinese Hackers Breach REDCap Servers, Steal Medical Research Data

A China-linked espionage campaign targeted exposed REDCap servers, deploying the InfiniteRed malware to steal sensitive medical research data from a North...

4 min read

China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

Sygnia researchers uncovered Velvet Ant, a China-nexus APT that spent close to a decade hidden inside Linux authentication infrastructure by backdooring...

6 min read

Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2

Zscaler ThreatLabz has uncovered a Tropic Trooper (APT23) campaign that delivers the AdaptixC2 post-exploitation beacon via trojanized SumatraPDF...

4 min read
Back to all News