<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>China - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/china/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 17:29:34 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/china/feed.xml" rel="self" type="application/rss+xml"/><item><title>GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft</title><link>https://feed.craftedsignal.io/briefs/2026-07-goldeneyedog-digicert-breach/</link><pubDate>Fri, 17 Jul 2026 17:29:34 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-goldeneyedog-digicert-breach/</guid><description>CylindricalCanine, a subgroup of GoldenEyeDog, breached DigiCert in April 2026 by delivering a malicious executable via a customer chat channel, leading to the theft of code-signing certificates which were then used to sign Golden Gh0st RAT malware for distribution, primarily targeting finance organizations and the gambling and gaming sectors.</description><content:encoded><![CDATA[<p>CylindricalCanine, a subgroup of the Chinese cybercrime group GoldenEyeDog (also known as APT-Q-27, Dragon Breath, and Miuuti Group), was responsible for the April 2026 security incident at DigiCert. GoldenEyeDog, active since at least 2015, is known for targeting the gambling and gaming sectors, using counterfeit websites to push malware-laced software. In the DigiCert breach, CylindricalCanine accessed a support member's device by delivering a malicious payload through a customer chat channel. This access was then leveraged to steal code-signing certificates, which were subsequently used to sign Golden Gh0st RAT malware. Golden Gh0st RAT, a modified version of Gh0st RAT, is delivered via Golden Gh0st Loader and sometimes through RONINGLOADER and NSIS installers disguised as legitimate programs like Google Chrome and Microsoft Teams. The threat actor focuses on finance organizations in the Asia-Pacific region, gambling, gaming, and customer support staff in Web3 companies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The threat actor contacted DigiCert's support team via a customer chat channel.</li>
<li>A ZIP file disguised as a customer screenshot, containing a malicious <code>.scr</code> executable payload, was delivered.</li>
<li>A DigiCert support analyst executed the malicious payload on their workstation, leading to system compromise.</li>
<li>The threat actor gained unauthorized access to DigiCert's internal support portal through the compromised workstation.</li>
<li>A limited function within the support portal was exploited to access initialization codes for approved but pending EV Code Signing certificate orders.</li>
<li>Approximately 60 EV Code Signing certificates were obtained and stolen from DigiCert, GoGetSSL, and Verokey certificate authorities.</li>
<li>At least 27 of the stolen certificates were weaponized by the threat actor to sign Golden Gh0st RAT and Zhong Stealer malware artifacts.</li>
<li>The digitally signed Golden Gh0st RAT malware was then distributed through various means, including phishing emails and masquerading as legitimate software, to targeted organizations for further compromise and data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The breach resulted in DigiCert revoking 60 code-signing certificates, with 27 explicitly linked to the threat actor and used to sign malware artifacts such as Zhong Stealer. This incident undermines trust in the code-signing infrastructure. Successful compromise by Golden Gh0st RAT can lead to extensive data theft from applications like Skype, Google Chrome, Mozilla Firefox, 360 Secure Browser, 360 Speed Browser, and Tencent QQ Browser. The malware establishes persistence, sets up SOCKS proxy tunnels, suppresses display output, logs keystrokes, takes screenshots, enumerates processes, executes shell commands, drops additional payloads, and clears Windows Event logs, enabling comprehensive control and surveillance of the victim's system. The primary targets include finance organizations in the Asia-Pacific region, as well as companies in the gambling, gaming, and Web3 sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Educate support staff on the risks of executing suspicious attachments, especially <code>.scr</code> executables, received through chat channels or emails to activate <code>Detect Suspicious .scr Executable Execution</code>.</li>
<li>Deploy endpoint detection rules for unusual process activity, specifically focusing on <code>Detect Windows Event Log Clearing by 'wevtutil cl'</code>.</li>
<li>Implement strict application allowlisting to prevent the execution of unauthorized <code>.scr</code> files or other executables that could lead to DLL side-loading.</li>
<li>Review and enhance access controls for internal portals, especially those granting access to sensitive functions like certificate issuance.</li>
<li>Monitor certificate transparency logs for newly issued or revoked certificates to identify suspicious activity.</li>
<li>Implement proactive threat hunting for behaviors associated with Golden Gh0st RAT, such as keylogging, screen capture, and unusual outbound network connections.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>code-signing-certificate-theft</category><category>supply-chain-attack</category><category>malware</category><category>rat</category><category>digicert</category><category>golden-gh0st-rat</category><category>apt-q-27</category><category>phishing</category><category>china</category></item></channel></rss>