Full Report
Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine. Expel, which shared technical details of the event, described the threat actor as a sub-group of GoldenEyeDog (aka APT-Q-27, Dragon Breath, and Miuuti Group), a Chinese cybercrime group known for its targeting of the gambling and gaming sectors using
Analysis Summary
# Threat Actor: CylindricalCanine
## Attribution & Identity
* **Primary Identifier:** CylindricalCanine
* **Associated Groups:** A specific sub-group of **GoldenEyeDog** (also known as APT-Q-27, Dragon Breath, and Miuuti Group).
* **Origin:** Chinese cybercrime actor.
* **History:** The parent group, GoldenEyeDog, has been active since at least 2015, with specific overlaps to activity dating back to 2019.
## Activity Summary
* **April 2026 DigiCert Incident:** The actor compromised the internal support portal of DigiCert. By infiltrating support analyst workstations, they stole initialization codes for Extended Validation (EV) code-signing certificates intended for customers.
* **Web3 Support Campaign (Early 2026):** Orchestrated attacks against customer support staff at Web3 organizations via malicious links in chat channels.
* **2025 Loader Campaigns:** Use of multi-stage loaders (RONINGLOADER) to distribute malware disguised as legitimate software.
## Tactics, Techniques & Procedures
* **Social Engineering:** Targeting customer support personnel via live chat channels by sending malicious files disguised as "customer screenshots" or suspicious links.
* **Malicious Files:** Use of ZIP archives containing `.scr` (screensaver) executables to deliver payloads.
* **Masquerading:** Using NSIS installers that mimic legitimate applications such as Google Chrome and Microsoft Teams.
* **Supply Chain / Certificate Misuse:** Stealing and using legitimate code-signing certificates to sign their own malware, effectively bypassing traditional endpoint security detections.
* **Malware Delivery:** Use of a multi-stage loading process (Loader -> RAT).
## Targeting
* **Sectors:** Gaming, Gambling, Finance, Web3, and Certificate Authorities (CAs).
* **Geography:** Primarily Asia-Pacific (APAC) region.
* **Victims:** DigiCert (support team), Web3 customer support teams, and finance organizations in APAC.
## Tools & Infrastructure
* **Malware Families:**
* **Golden Gh0st RAT:** A modified version of Gh0st RAT (aka Farfli).
* **Golden Gh0st Loader:** The delivery mechanism for the RAT.
* **RONINGLOADER:** A multi-stage loader.
* **Zhong Stealer:** An overlapping malware family documented in early 2025.
* **Infrastructure:**
* Uses authenticated customer-support portals to pivot into internal systems.
* **Defanged References:** `bugzilla.mozilla[.]org/show_bug.cgi?id=2033170` (incident report).
## Implications
CylindricalCanine represents a sophisticated cybercrime threat that has evolved from targeting individual users in the gaming sector to compromising critical trust infrastructure (DigiCert). By obtaining the ability to sign malware with legitimate EV certificates, they degrade the efficacy of "trusted" software ecosystems. Their focus on the "human element" in support roles highlights a significant vulnerability in the trust chain of service providers.
## Mitigations
* **Support Channel Security:** Implement file-type restrictions on customer-facing chat portals (e.g., blocking `.scr`, `.exe`, or `.zip` files).
* **Identity & Access Management:** Enforce strict session isolation for support analysts accessing customer account views to prevent the harvesting of initialization or authorization codes.
* **Endpoint Monitoring:** Monitor for the execution of NSIS installers and `.scr` files from unusual directories (e.g., Temp or Downloads).
* **Certificate Auditing:** Regularly audit the issuance and use of code-signing certificates, looking for anomalies in the request process or suspicious signing activity.
* **Security Awareness:** Specialized training for support staff regarding social engineering via chat and the risks of opening "customer-provided" troubleshooting files.