The DigiCert Breach That Exposed a Chinese Hacker Subgroup's Code-Signing Theft
Michael Miller Β·
Listen to this article~5 min
Learn how a Chinese hacker subgroup stole code-signing certificates from DigiCert, allowing them to disguise malware as trusted software. Security implications explained.
Cybersecurity researchers have uncovered a troubling connection between a major security incident at DigiCert and a threat group they're calling CylindricalCanine. This isn't just another data breach β it involves stolen code-signing certificates that could let attackers disguise malware as legitimate software.
### What Actually Happened at DigiCert?
In April 2026, DigiCert, one of the internet's most trusted certificate authorities, suffered a security incident. At first glance, it looked like a sophisticated attack on a company that issues digital certificates used to verify software authenticity and secure online communications. But the deeper story is far more concerning.
Security firm Expel dug into the details and linked the breach to a subgroup of a well-known Chinese cybercrime operation called GoldenEyeDog. You might know this group by other names: APT-Q-27, Dragon Breath, or Miuuti Group. They've been active for years, primarily targeting the gambling and gaming industries. But this latest move shows they're expanding their playbook.
### Why Code-Signing Certificates Matter
Think of code-signing certificates like a digital signature. When you download software, these certificates tell your computer that the program comes from a verified source and hasn't been tampered with. If attackers steal these certificates, they can sign their malicious code with a trusted stamp. Your antivirus software sees that stamp and gives it a pass, thinking it's safe.
- Stolen certificates let malware bypass security checks
- They make phishing sites look legitimate
- Attackers can update signed malware without triggering alarms
This isn't just a theoretical risk. We've seen similar attacks before, like the 2020 SolarWinds breach where signed updates spread malware to thousands of organizations. The CylindricalCanine group seems to be following that same playbook, but with a focus on code-signing rather than software updates.
### Who Is CylindricalCanine?
Expel describes CylindricalCanine as a subgroup of GoldenEyeDog. GoldenEyeDog has been around since at least 2020, known for stealing credentials and deploying remote access trojans. They typically go after online gambling platforms and gaming companies, often using phishing emails and watering hole attacks.
What makes this subgroup different is their technical sophistication. Stealing code-signing certificates from a company like DigiCert requires significant resources and planning. It suggests they've evolved beyond simple phishing into more advanced operations.
> "This group has moved from targeting casinos to targeting the infrastructure that secures the internet itself," one researcher noted.
### The Bigger Picture for Security Teams
For professionals working in cybersecurity, this breach is a wake-up call. If certificate authorities can be compromised, then no software can be trusted by default. Here's what security teams should consider:
- **Revoke and rotate**: Any certificates issued around April 2026 should be treated as potentially compromised
- **Monitor certificate transparency logs**: Look for unexpected certificates signed by DigiCert during that period
- **Update trust stores**: Ensure your systems have the latest revocation lists
- **User education**: Remind employees that signed software doesn't automatically mean safe software
### What Comes Next?
The full impact of this breach is still unfolding. DigiCert has likely revoked affected certificates and is working with law enforcement. But the stolen certificates could be used for months or even years before they expire. Attackers might sell them on dark web markets or use them in targeted attacks against high-value organizations.
For now, the best defense is vigilance. If you're responsible for software security in your organization, check your certificate inventory and make sure you're not using any certificates that might have been compromised. And keep an eye on Expel's research β they're likely to release more details as their investigation continues.
This incident shows that cybercriminals are becoming more creative in how they exploit trust. By stealing code-signing certificates, they're not just breaking into systems β they're breaking the trust that makes the internet work.