Fast Facts
- CylindricalCanine exploited DigiCert support access to steal and use code-signing certificates, enabling the signing of malware like Zhong Stealer to evade detection.
- The threat actor used multi-stage loaders and DLL side-loading tactics via phishing emails delivering disguised payloads to deploy Golden Gh0st RAT for persistent data theft and system control.
- The attack involved unauthorized access to DigiCert’s support portal, allowing the theft of initialization codes and issuance of fraudulent certificates linked to malware deployment.
Threat, Techniques, and Targets
Cybersecurity researchers link the April 2026 DigiCert incident to the CylindricalCanine activity group, a subgroup of the Chinese cybercrime group GoldenEyeDog. This group is known for targeting the gambling, gaming, and finance sectors. They use malware to access devices and steal sensitive information. Their main tool is a modified Gh0st RAT, called Golden Gh0st RAT. This malware is delivered through a multi-stage loader called RONINGLOADER and disguised as legitimate software like Google Chrome or Microsoft Teams. The group also conducts phishing campaigns by sending links in emails that lead to malware downloads. The attack targets DigiCert’s staff and customers, especially those working in finance and Web3 companies. They focus on stealing code-signing certificates to sign their malware and avoid detection.
Impact, Security Implications, and Remediation Guidance
The DigiCert breach allowed CylindricalCanine to access and revoke certificates fraudulently. They used a support tool to obtain codes for certificates, which they then signed with their malware. DigiCert revoked 60 compromised certificates, 27 of which were linked to the threat actor. The stolen certificates were used to sign malicious code and malware like Zhong Stealer. The attack shows how threat actors can abuse code-signing certificates, which are meant to ensure trust. This can lead to widespread malware infections and damage reputations. DigiCert fixed their support portal by hiding initialization codes from compromised user accounts. For other organizations, it is best to follow specific guidance from DigiCert or relevant security vendors. They should review their certificate management procedures and check for signs of abuse or unauthorized access.
Discover More Technology Insights
Dive deeper into the world of Cryptocurrency and its impact on global finance.
Stay inspired by the vast knowledge available on Wikipedia.
ThreatIntel-V1
