216.73.216.204

Introducing CylindricalCanine: The GoldenEyeDog subgroup responsible for the April DigiCert incident

· Published 16/07/2026 04:29

Export JSON

Essential information

Published
16/07/2026 04:29
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
cylindricalcanine gh0st rat golden gh0st loader golden gh0st rat goldeneyedog
Related entities
14 indicators, 3 observables, 1 intrusion sets (apt), 21 techniques (mitre), 5 malware

Description

Chinese cybercrime group GoldenEyeDog has been active since 2015, regularly updating malware and leveraging code-signing certificates to bypass Windows SmartScreen since 2024. A subgroup called CylindricalCanine uses Golden Gh0st Loader and Golden , modified versions of the 2008 , primarily targeting finance organizations in the Asia Pacific region through phishing campaigns. In April 2026, these actors compromised a DigiCert support member's device and stole code-signing certificates intended for customers, which they used to sign their own malware. The malware uses DLL sideloading, custom WebSocket protocols for command and control, and includes capabilities for remote access, credential theft, keylogging, SOCKS proxy tunneling, and RDP backdoor creation. Analysis reveals consistent tactics including using legitimate executables to load malicious DLLs that decrypt payloads from files disguised as logs.

External references