Chinese APT Sub-Group Behind DigiCert Certificate Authority Breach
Cybersecurity firm Expel has published a detailed technical attribution linking the April 2026 DigiCert security incident to a threat actor cluster tracked internally as CylindricalCanine — identified as a sub-group of GoldenEyeDog, also known by the aliases APT-Q-27, Dragon Breath, and Miuuti Group.
The campaign represents a high-value supply chain attack: by compromising a trusted Certificate Authority (CA) and stealing code-signing certificates, threat actors can sign malicious software with legitimate credentials, effectively bypassing security controls that rely on certificate trust.
Threat Actor Profile: GoldenEyeDog
GoldenEyeDog is a Chinese state-linked advanced persistent threat (APT) group with a history of espionage-focused operations against targets in Southeast Asia, East Asia, and increasingly Western technology and financial sectors. The group operates through multiple sub-clusters that share tooling and infrastructure but maintain operational separation.
| Alias | Attribution |
|---|---|
| GoldenEyeDog | Umbrella group designation |
| APT-Q-27 | QiAnXin tracking designation |
| Dragon Breath | Volexity tracking designation |
| Miuuti Group | Alternative research tracking name |
| CylindricalCanine | Expel's designation for this sub-cluster |
CylindricalCanine Sub-Cluster
Expel describes CylindricalCanine as a distinct operational sub-group within GoldenEyeDog's broader infrastructure. The April 2026 DigiCert breach represents one of the most significant operations attributed to this cluster, targeting the foundational trust infrastructure of the global PKI ecosystem.
The DigiCert Incident
Timeline
- April 2026: DigiCert discloses a security incident involving unauthorized access to internal systems
- July 2026: Expel publishes attribution linking the breach to CylindricalCanine / GoldenEyeDog
What Was Stolen
The primary objective of the breach was code-signing certificates — digital credentials issued by DigiCert used by software developers to cryptographically sign applications and updates. These certificates allow end-user systems and security tools to verify that software originates from a legitimate, trusted publisher.
Theft of code-signing certificates enables threat actors to:
- Sign malware with legitimate, trusted certificates
- Bypass endpoint detection — signed binaries receive implicit trust from many AV/EDR solutions
- Evade application allowlisting — policies based on certificate trust are circumvented
- Conduct watering hole or supply chain attacks — distribute backdoored software that appears authentic
Technical Details
Expel's technical analysis focuses on the intrusion tradecraft observed during the DigiCert compromise. While the full technical report details specific TTPs, key observations include:
- Initial access via targeted phishing or exploitation of exposed services (consistent with GoldenEyeDog's historical TTPs)
- Lateral movement within DigiCert's internal systems to reach certificate management infrastructure
- Certificate exfiltration targeting code-signing assets rather than TLS/SSL certificates (maximizing operational value for software-based delivery)
The choice of target is notable. Code-signing certificates are significantly more valuable than standard TLS certificates from an offensive standpoint, as they directly enable malware distribution campaigns under the banner of a trusted global CA.
Why This Matters
The compromise of a major Certificate Authority represents a systemic trust risk for the broader software ecosystem:
- Downstream software trust: Any software signed with stolen DigiCert certificates inherits the CA's trust chain
- Detection blind spots: Many organizations exclude signed software from intensive scanning
- Extended attack window: Stolen certificates may have been used in campaigns before or after the breach disclosure
- Revocation challenges: Certificate revocation (via CRL or OCSP) is not instantaneously adopted by all client systems
Recommendations
For Security Teams
- Audit signed software ingestion — review policies for software signed by DigiCert certificates, particularly executables introduced after April 2026
- Monitor certificate revocation lists — ensure your systems are consuming current CRLs/OCSP responses
- Enhance supply chain controls — scrutinize third-party software updates for unexpected certificate changes
- Threat hunt for GoldenEyeDog IOCs — check Expel's published indicators against your environment
For Software Publishers
- Rotate code-signing certificates if they were issued by DigiCert during or prior to the breach window
- Implement dual-signing where possible to reduce single-CA dependency
- Audit your CI/CD pipelines for unauthorized certificate use or signing anomalies