Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The CylindricalCanine Menace: A Chinese Cybercrime Group's Daring Heist at DigiCert


Chinese cybercrime group CylindricalCanine has been linked to a recent DigiCert security incident, demonstrating its ability to breach even the most secure systems using modified versions of Gh0st RAT. The group's tactics involve distributing files disguised as screenshots in phishing emails, which trigger a DLL side-loading chain and ultimately lead to Golden Gh0st RAT.

  • CylindricalCanine, a sub-group of GoldenEyeDog (APT-Q-27), attributed to a recent DigiCert security incident.
  • DigiCert compromised by CylindricalCanine via code-signing certificates, allowing access to customer accounts and EV Code Signing certificates.
  • Golden Gh0st RAT used in phishing emails and submissions to support portals, with capabilities for persistence, data collection, and shell commands.
  • CylindricalCanine shares behavioral and tactical overlaps with other Chinese cybercrime groups targeting finance organizations in the Asia-Pacific region.



  • In a shocking turn of events, cybersecurity researchers have attributed a recent DigiCert security incident to a threat activity cluster dubbed CylindricalCanine, a sub-group of the notorious GoldenEyeDog (also known as APT-Q-27, Dragon Breath, and Miuuti Group). This Chinese cybercrime group has been known for its targeting of the gambling and gaming sectors using counterfeit websites to push malware-laced software since at least 2015.

    According to Expel security researcher Aaron Walton, in April 2026, GoldenEyeDog used their malware to access a support member's device at DigiCert, a code-signing certificate provider, and leveraged their access to steal certificates intended for DigiCert customers. This attack highlighted the capability of the malware and operators, demonstrating the group's ability to breach even the most secure systems.

    Central to the threat actor's operations is a modified version of Gh0st RAT (aka Farfli), a remote access trojan (RAT) widely used by Chinese hacking groups, including another prolific Chinese cybercrime group tracked as Silver Fox. The modular malware, referred to as Golden Gh0st RAT, is delivered by means of Golden Gh0st Loader.

    In a report published in November 2025, Elastic Security Labs detailed the adversary's use of a multi-stage loader codenamed RONINGLOADER to distribute a Gh0st RAT variant through NSIS installers masquerading as legitimate programs like Google Chrome and Microsoft Teams. Earlier this year, another campaign linked to the hacking group was observed orchestrating a multi-stage attack directed at customer support staff working for Web3 companies, using suspicious links sent via customer support chat to deliver Gh0st RAT.

    "These actors are using malware and targeting victims consistent with other Chinese cybercrime activity, including targeting finance organizations in the Asia-Pacific region," Expel said. "The malware targets finance organizations in the Asia-Pacific region." Golden Gh0st RAT shares behavioral and tactical overlaps with a payload detected by Chinese security vendor QiAnXin back in 2020 in connection with an attack campaign aimed at the gambling industry since 2019.

    The DigiCert Compromise

    In April 2026, CylindricalCanine was observed abusing code-signing certificates, gaining unauthorized access to DigiCert to intercept code-signing certificates intended for DigiCert customers, and then using them to sign their own malware to avoid detection. The company revealed that on April 2, 2026, a threat actor contacted DigiCert's support team via a customer chat channel and delivered a ZIP file disguised as a customer screenshot. The file contained a .scr executable with a malicious payload.

    "The threat actor used a limited function within the customer-support portal, which allows authenticated DigiCert support analysts to access customer accounts from the customer's perspective to facilitate support tasks," DigiCert explained at the time. "The threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for EV Code Signing certificate orders across a finite set of customer accounts."

    The fatal oversight here was that the possession of an initialization code, coupled with an approved order, was "functionally sufficient" to obtain EV Code Signing certificates across a set of customer accounts and CAs. The company revoked 60 certificates issued by the following CAs - DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1, and Verokey High Assurance Secure Code EV.

    Of these, 27 are said to have been explicitly linked to the threat actor, with the exploited certificates weaponized to sign Zhong Stealer malware artifacts. "The threat model did not account for the scenario in which initialization codes stored within DigiCert's internal support portal could be viewed by a compromised DigiCert analyst account operating through the portal function," the company explained.

    Attack Chains Lead to Golden Gh0st RAT

    Expel said the primary tactic of CylindricalCanine is to distribute files disguised as screenshots in phishing emails. The files are embedded within the messages in the form of a link that, when clicked, downloads additional payloads from an external server.

    The end goal of the attack is to trigger a DLL side-loading chain, leveraging a legitimate executable to run a rogue DLL, while simultaneously displaying a decoy PDF document displaying an HTTP 503 "Service Unavailable" error. The DLL then proceeds to load an encrypted payload ("update.log").

    The final stage is Golden Gh0st RAT, which comes with a wide array of capabilities to set up persistence, steal sensitive data, start a SOCKS proxy tunnel, suppress display output, log keystrokes, take screenshots, enumerate processes, execute shell commands, drop additional payloads, and clear Windows Event logs. Some of the applications it specifically targets for data collection include Skype, Google Chrome, Mozilla Firefox, 360 Secure Browser, 360 Speed Browser, and Tencent QQ Browser.

    The findings make CylindricalCanine the latest addition to a list of threat actors, such as Black Basta, TamperedChef (aka EvilAI), and Rhysida, that are known to abuse code-signing certificates in their cyber operations.

    "Golden Gh0st RAT is used primarily in phishing emails and/or submissions to support portals," Expel said. "As with all Gh0st RAT variants, the capability of the malware is handled through plugins and an internal module dispatcher."



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-CylindricalCanine-Menace-A-Chinese-Cybercrime-Groups-Daring-Heist-at-DigiCert-ehn.shtml

  • https://thehackernews.com/2026/07/goldeneyedog-subgroup-linked-to.html

  • https://cybersixt.com/a/ltnr4qkAlH2mScGJ68cokW

  • https://www.cybersecurity-review.com/goldeneye-dogapt-q-27-gangs-recent-use-of-silver-fox-trojan-stealing-activities/

  • https://cybersecuritynews.com/apt-q-27-targeting-corporate-environments/


  • Published: Fri Jul 17 13:12:17 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us