Introducing CylindricalCanine: The GoldenEyeDog subgroup responsible for the April DigiCert incident
Essential information
- Published
- 16/07/2026 04:29
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- cylindricalcanine gh0st rat golden gh0st loader golden gh0st rat goldeneyedog
- Related entities
- 14 indicators, 3 observables, 1 intrusion sets (apt), 21 techniques (mitre), 5 malware
Description
Chinese cybercrime group GoldenEyeDog has been active since 2015, regularly updating malware and leveraging code-signing certificates to bypass Windows SmartScreen since 2024. A subgroup called CylindricalCanine uses Golden Gh0st Loader and Golden Gh0st RAT, modified versions of the 2008 Gh0st RAT, primarily targeting finance organizations in the Asia Pacific region through phishing campaigns. In April 2026, these actors compromised a DigiCert support member's device and stole code-signing certificates intended for customers, which they used to sign their own malware. The malware uses DLL sideloading, custom WebSocket protocols for command and control, and includes capabilities for remote access, credential theft, keylogging, SOCKS proxy tunneling, and RDP backdoor creation. Analysis reveals consistent tactics including using legitimate executables to load malicious DLLs that decrypt payloads from files disguised as logs.