DigiCert Breach Highlights Trust Gap
A Chinese sub-group's infiltration of DigiCert reveals how stolen code-signing certificates are weaponized against the industry.
The security architecture of the digital world relies heavily on the concept of identity validation, yet a sophisticated breach at a major certificate authority has exposed a vulnerability that fundamentally undermines that trust. By compromising internal support portals, threat actors did more than just steal data; they gained the ability to impersonate legitimate software developers by leveraging compromised code-signing infrastructure.
The Anatomy of the Infiltration
The intrusion, linked to a subgroup of the GoldenEyeDog hacking cluster known as CylindricalCanine, demonstrates a high level of operational patience. Rather than brute-forcing external perimeter defenses, the attackers manipulated the very communication channels intended to provide customer support. By sending a ZIP file disguised as a support-related screenshot, the threat actor secured initial access to analyst workstations, effectively bypassing standard authentication barriers.
In April 2026, GoldenEyeDog used their malware to access a support member's device at DigiCert, a code-signing certificate provider, and leveraged their access to steal certificates intended for DigiCert customers.
— Aaron Walton, security researcher at Expel
Once inside the environment, the attackers utilized an internal portal function designed to assist customers, which allowed them to extract initialization codes. These codes, when combined with approved orders, provided the keys needed to issue valid EV Code Signing certificates. This allowed the actors to sign their own malicious payloads, including the Zhong Stealer malware, with legitimate credentials that would bypass most traditional security software.
Operational Patterns and Tooling
The campaign relies on a specialized version of the Gh0st RAT, modified into what researchers call Golden Gh0st RAT. This modular payload is distributed via a multi-stage process, often masquerading as common enterprise software or innocuous documents. The sophisticated DLL side-loading chain ensures that the malicious activity remains hidden behind legitimate processes while displaying decoy errors to the user to mask the execution.
- 60 certificates were revoked by the company following the incident.
- 27 of the revoked certificates were explicitly linked to the threat actor.
- 2015 is the year GoldenEyeDog (also known as APT-Q-27) began its known activity.
- 2026-04-02 was the date the initial phishing attack occurred via a customer chat channel.
Consequences for Software Integrity
This incident serves as a stark reminder that the security of a software supply chain is only as robust as the support systems managing its most sensitive assets. When a certificate authority's internal initialization codes can be exposed through a proxied support session, the entire model of trust-based verification is jeopardized. For organizations, the implication is clear: even with stringent code-signing policies, internal support portals must be treated as high-value, high-risk assets that require strict behavioral monitoring and access control, specifically to prevent attackers from mimicking legitimate support personnel to facilitate data theft.
Continue Reading
Residential Proxies Undergo Scrutiny
Criminals are shifting from basic residential proxies to "clean" IP pools as defensive fraud detection systems become more sophisticated.
Government Ransomware Hits New Daily Low
New research confirms that public sector organizations now face a daily ransomware attack, highlighting a critical infrastructure crisis.
Job Search Lures Hide Stealthy Malware
North Korean threat actors are using fake coding tests and steganography to compromise developer systems and steal sensitive data.