{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/code-signing-certificates-issued-by-gogetssl/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["GoldenEyeDog"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Code Signing Certificates (issued by DigiCert)","Code Signing Certificates (issued by GoGetSSL)","Code Signing Certificates (issued by Verokey)"],"_cs_severities":["high"],"_cs_tags":["code-signing-certificate-theft","supply-chain-attack","malware","rat","digicert","golden-gh0st-rat","apt-q-27","phishing","china"],"_cs_type":"threat","_cs_vendors":["DigiCert","GoGetSSL","Verokey"],"content_html":"\u003cp\u003eCylindricalCanine, a subgroup of the Chinese cybercrime group GoldenEyeDog (also known as APT-Q-27, Dragon Breath, and Miuuti Group), was responsible for the April 2026 security incident at DigiCert. GoldenEyeDog, active since at least 2015, is known for targeting the gambling and gaming sectors, using counterfeit websites to push malware-laced software. In the DigiCert breach, CylindricalCanine accessed a support member's device by delivering a malicious payload through a customer chat channel. This access was then leveraged to steal code-signing certificates, which were subsequently used to sign Golden Gh0st RAT malware. Golden Gh0st RAT, a modified version of Gh0st RAT, is delivered via Golden Gh0st Loader and sometimes through RONINGLOADER and NSIS installers disguised as legitimate programs like Google Chrome and Microsoft Teams. The threat actor focuses on finance organizations in the Asia-Pacific region, gambling, gaming, and customer support staff in Web3 companies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe threat actor contacted DigiCert's support team via a customer chat channel.\u003c/li\u003e\n\u003cli\u003eA ZIP file disguised as a customer screenshot, containing a malicious \u003ccode\u003e.scr\u003c/code\u003e executable payload, was delivered.\u003c/li\u003e\n\u003cli\u003eA DigiCert support analyst executed the malicious payload on their workstation, leading to system compromise.\u003c/li\u003e\n\u003cli\u003eThe threat actor gained unauthorized access to DigiCert's internal support portal through the compromised workstation.\u003c/li\u003e\n\u003cli\u003eA limited function within the support portal was exploited to access initialization codes for approved but pending EV Code Signing certificate orders.\u003c/li\u003e\n\u003cli\u003eApproximately 60 EV Code Signing certificates were obtained and stolen from DigiCert, GoGetSSL, and Verokey certificate authorities.\u003c/li\u003e\n\u003cli\u003eAt least 27 of the stolen certificates were weaponized by the threat actor to sign Golden Gh0st RAT and Zhong Stealer malware artifacts.\u003c/li\u003e\n\u003cli\u003eThe digitally signed Golden Gh0st RAT malware was then distributed through various means, including phishing emails and masquerading as legitimate software, to targeted organizations for further compromise and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe breach resulted in DigiCert revoking 60 code-signing certificates, with 27 explicitly linked to the threat actor and used to sign malware artifacts such as Zhong Stealer. This incident undermines trust in the code-signing infrastructure. Successful compromise by Golden Gh0st RAT can lead to extensive data theft from applications like Skype, Google Chrome, Mozilla Firefox, 360 Secure Browser, 360 Speed Browser, and Tencent QQ Browser. The malware establishes persistence, sets up SOCKS proxy tunnels, suppresses display output, logs keystrokes, takes screenshots, enumerates processes, executes shell commands, drops additional payloads, and clears Windows Event logs, enabling comprehensive control and surveillance of the victim's system. The primary targets include finance organizations in the Asia-Pacific region, as well as companies in the gambling, gaming, and Web3 sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEducate support staff on the risks of executing suspicious attachments, especially \u003ccode\u003e.scr\u003c/code\u003e executables, received through chat channels or emails to activate \u003ccode\u003eDetect Suspicious .scr Executable Execution\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection rules for unusual process activity, specifically focusing on \u003ccode\u003eDetect Windows Event Log Clearing by 'wevtutil cl'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict application allowlisting to prevent the execution of unauthorized \u003ccode\u003e.scr\u003c/code\u003e files or other executables that could lead to DLL side-loading.\u003c/li\u003e\n\u003cli\u003eReview and enhance access controls for internal portals, especially those granting access to sensitive functions like certificate issuance.\u003c/li\u003e\n\u003cli\u003eMonitor certificate transparency logs for newly issued or revoked certificates to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement proactive threat hunting for behaviors associated with Golden Gh0st RAT, such as keylogging, screen capture, and unusual outbound network connections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T17:29:34Z","date_published":"2026-07-17T17:29:34Z","id":"https://feed.craftedsignal.io/briefs/2026-07-goldeneyedog-digicert-breach/","summary":"CylindricalCanine, a subgroup of GoldenEyeDog, breached DigiCert in April 2026 by delivering a malicious executable via a customer chat channel, leading to the theft of code-signing certificates which were then used to sign Golden Gh0st RAT malware for distribution, primarily targeting finance organizations and the gambling and gaming sectors.","title":"GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft","url":"https://feed.craftedsignal.io/briefs/2026-07-goldeneyedog-digicert-breach/"}],"language":"en","title":"CraftedSignal Threat Feed - Code Signing Certificates (Issued by GoGetSSL)","version":"https://jsonfeed.org/version/1.1"}