Advertisement
Cyber Crime

DigiCert Breach Highlights Trust Gap

A Chinese sub-group's infiltration of DigiCert reveals how stolen code-signing certificates are weaponized against the industry.

··1 hour ago·2 min read
A security and privacy dashboard with its status.
Photo by Zulfugar Karimov on Unsplash
Advertisement

The security architecture of the digital world relies heavily on the concept of identity validation, yet a sophisticated breach at a major certificate authority has exposed a vulnerability that fundamentally undermines that trust. By compromising internal support portals, threat actors did more than just steal data; they gained the ability to impersonate legitimate software developers by leveraging compromised code-signing infrastructure.

The Anatomy of the Infiltration

The intrusion, linked to a subgroup of the GoldenEyeDog hacking cluster known as CylindricalCanine, demonstrates a high level of operational patience. Rather than brute-forcing external perimeter defenses, the attackers manipulated the very communication channels intended to provide customer support. By sending a ZIP file disguised as a support-related screenshot, the threat actor secured initial access to analyst workstations, effectively bypassing standard authentication barriers.

In April 2026, GoldenEyeDog used their malware to access a support member's device at DigiCert, a code-signing certificate provider, and leveraged their access to steal certificates intended for DigiCert customers.

— Aaron Walton, security researcher at Expel

Once inside the environment, the attackers utilized an internal portal function designed to assist customers, which allowed them to extract initialization codes. These codes, when combined with approved orders, provided the keys needed to issue valid EV Code Signing certificates. This allowed the actors to sign their own malicious payloads, including the Zhong Stealer malware, with legitimate credentials that would bypass most traditional security software.

Operational Patterns and Tooling

The campaign relies on a specialized version of the Gh0st RAT, modified into what researchers call Golden Gh0st RAT. This modular payload is distributed via a multi-stage process, often masquerading as common enterprise software or innocuous documents. The sophisticated DLL side-loading chain ensures that the malicious activity remains hidden behind legitimate processes while displaying decoy errors to the user to mask the execution.

  • 60 certificates were revoked by the company following the incident.
  • 27 of the revoked certificates were explicitly linked to the threat actor.
  • 2015 is the year GoldenEyeDog (also known as APT-Q-27) began its known activity.
  • 2026-04-02 was the date the initial phishing attack occurred via a customer chat channel.

Consequences for Software Integrity

This incident serves as a stark reminder that the security of a software supply chain is only as robust as the support systems managing its most sensitive assets. When a certificate authority's internal initialization codes can be exposed through a proxied support session, the entire model of trust-based verification is jeopardized. For organizations, the implication is clear: even with stringent code-signing policies, internal support portals must be treated as high-value, high-risk assets that require strict behavioral monitoring and access control, specifically to prevent attackers from mimicking legitimate support personnel to facilitate data theft.

#cybersecurity#digicert#malware#supply chain#data breach

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement