How a GoldenEyeDog Subgroup Stole DigiCert's Code-Signing Keys

ยท
Listen to this article~4 min
How a GoldenEyeDog Subgroup Stole DigiCert's Code-Signing Keys

Cybersecurity researchers attribute the April 2026 DigiCert breach to CylindricalCanine, a sub-group of GoldenEyeDog. Learn how this Chinese cybercrime group stole code-signing certificates and what it means for security.

Cybersecurity researchers have pinned the blame for the April 2026 DigiCert security incident on a new threat activity cluster they're calling CylindricalCanine. Expel, the security firm that first shared technical details of the breach, described this group as a sub-group of GoldenEyeDog. You might know GoldenEyeDog by other names like APT-Q-27, Dragon Breath, or Miuuti Group. It's a Chinese cybercrime outfit that's historically focused on the gambling and gaming sectors. But here's what makes this different: CylindricalCanine went after a certificate authority. That's a big deal. ### What Actually Happened at DigiCert? The breach, which took place in April 2026, involved the theft of code-signing certificates. For anyone not deep in cybersecurity, code-signing certificates are basically digital signatures that prove software hasn't been tampered with. When those get stolen, attackers can sign their malware as if it came from trusted companies like Microsoft or Google. Think of it like this: someone stole the official stamp of a notary public. Now they can make any document look legitimate. ### Why GoldenEyeDog's Subgroup Matters GoldenEyeDog has been around for years, mainly hitting online casinos and gaming platforms. Their usual playbook involves social engineering, phishing, and custom malware designed to steal credentials and financial data. But CylindricalCanine represents a shift. By targeting DigiCert, they're showing they can go after infrastructure that affects millions of users, not just individual businesses. This is a serious escalation in capability and ambition. ### The Impact on Code-Signing Security When code-signing certificates are compromised, the consequences ripple across the entire software ecosystem. Here's what that looks like: - Attackers can distribute malware that appears to be from legitimate companies - Users and businesses lose trust in digital signatures - Certificate authorities have to revoke and reissue thousands of certificates - Companies relying on code-signing for software updates face delays and costs DigiCert has confirmed it's working with law enforcement and has revoked the stolen certificates. But the damage is done. ### What You Can Do to Protect Yourself If you're a developer or a business that uses code-signing certificates, here are some steps to consider: - Use hardware security modules (HSMs) to store private keys offline - Enable multi-factor authentication on all certificate management accounts - Monitor certificate revocation lists regularly - Limit who has access to signing keys - Consider using short-lived certificates that expire quickly ### The Bigger Picture This breach is a reminder that no organization is immune. Even a trusted authority like DigiCert can be compromised. The cybercriminal ecosystem is evolving, and groups like GoldenEyeDog are branching out from their traditional targets. Staying ahead means treating every certificate and key as a potential attack vector. It means assuming that someone, somewhere, is already trying to steal them. And for the rest of us, it means being a little more skeptical of that software update that just popped up on our screens.