Introducing CylindricalCanine: The GoldenEyeDog subgroup responsible for the April DigiCert incident
The CylindricalCanine subgroup of the Chinese cybercrime group GoldenEyeDog has been active since 2015, targeting primarily finance organizations in the Asia Pacific region. In April 2026, they compromised a DigiCert support member's device to steal code-signing certificates, which were then used to sign their malware. Their malware employs DLL sideloading, custom WebSocket protocols for command and control, and includes capabilities such as remote access, credential theft, keylogging, SOCKS proxy tunneling, and RDP backdoor creation. The group uses legitimate executables to load malicious DLLs that decrypt payloads disguised as log files. This threat leverages stolen legitimate certificates to bypass Windows SmartScreen protections since 2024.
AI Analysis
Technical Summary
GoldenEyeDog is a Chinese cybercrime group active since 2015, with a subgroup named CylindricalCanine that uses modified versions of the 2008 Gh0st RAT malware (Golden Gh0st Loader and Golden Gh0st RAT). In April 2026, CylindricalCanine compromised a DigiCert support member's device to steal code-signing certificates intended for customers. These stolen certificates were used to sign malware, enabling it to bypass Windows SmartScreen. The malware uses DLL sideloading techniques and custom WebSocket protocols for command and control. Its capabilities include remote access, credential theft, keylogging, SOCKS proxy tunneling, and creating RDP backdoors. The group consistently uses legitimate executables to load malicious DLLs that decrypt payloads from files disguised as logs. The primary targets are finance organizations in the Asia Pacific region, and infection vectors include phishing campaigns.
Potential Impact
The compromise of DigiCert code-signing certificates allows CylindricalCanine to sign malware with legitimate certificates, increasing the likelihood of successful delivery and execution by bypassing Windows SmartScreen protections. The malware's capabilities enable attackers to gain persistent remote access, steal credentials, log keystrokes, tunnel network traffic via SOCKS proxies, and establish RDP backdoors, posing significant risks to confidentiality, integrity, and availability of targeted systems. The focus on finance organizations in the Asia Pacific region indicates targeted financial espionage and potential fraud or theft.
Mitigation Recommendations
No official patch or remediation is indicated for this threat. Organizations should be aware that the attackers use stolen legitimate code-signing certificates, which complicates detection based on signature trust alone. Mitigation should focus on enhancing phishing defenses, monitoring for suspicious DLL sideloading activities, and network traffic anomalies related to custom WebSocket communications. Incident response teams should validate the integrity of code-signing certificates and consider revocation of compromised certificates by DigiCert. Since this is an active threat leveraging stolen certificates, vigilance in endpoint detection and response is critical.
Indicators of Compromise
- hash: 1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf
- hash: 4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e
- hash: dd44dabff536a1aa9b845dd891ad483162d4f28913344c93e5d59f648a186098
- url: http://uu.goldeyeuu.io:5188
- url: http://api.keensie.com:5198
- hash: 54def291b6bd573186734895b7ed03b6
- hash: 639b0dd0fe4da3f4743de6347d7d58b7
- hash: efe7a351491008a2ccb6b5d586904aba
- hash: f04ccc9a18dc71ccc4d4b1f651d3d0d2af8ab402
- hash: f1888d0b44e5e1d5864ca5a9e93bf65c09411320
- hash: 2031a71c399563adaf1572e10abb395387eb132208a001c5e140496d7a3e0b26
- hash: 27b722c66f69e360c4da106daacf3b9eeaabd20634d7e5eff45a28bd70ebfd65
- hash: 2b0071007c3f5fa8e949a8de53be03e97901dd505694ca939b575a49e4fdbdbb
- hash: 3313f347e83aaf48ea31fb1d49fc37452f48f81d20a1b93009e2e78385ff4bba
- hash: 81e276aaa3eb9b3f595663c316b3c6414cc3dde5e6cc3a82856b7276acabb7de
- hash: 8a913610e905c3dd1f657811ea3b1933471b230f88e1c155616099a03ab0abc0
- hash: d1b1938963037aa332591a4c999523a05886d1f62d80e03f0adc22630b8671c4
- hash: f67de637fca127212dc60b9a02f74e66dbd602b3b9f6f6e4f2b75614c1f9e944
- url: http://wk.goldeyeuu.io:5188
Introducing CylindricalCanine: The GoldenEyeDog subgroup responsible for the April DigiCert incident
Description
The CylindricalCanine subgroup of the Chinese cybercrime group GoldenEyeDog has been active since 2015, targeting primarily finance organizations in the Asia Pacific region. In April 2026, they compromised a DigiCert support member's device to steal code-signing certificates, which were then used to sign their malware. Their malware employs DLL sideloading, custom WebSocket protocols for command and control, and includes capabilities such as remote access, credential theft, keylogging, SOCKS proxy tunneling, and RDP backdoor creation. The group uses legitimate executables to load malicious DLLs that decrypt payloads disguised as log files. This threat leverages stolen legitimate certificates to bypass Windows SmartScreen protections since 2024.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
GoldenEyeDog is a Chinese cybercrime group active since 2015, with a subgroup named CylindricalCanine that uses modified versions of the 2008 Gh0st RAT malware (Golden Gh0st Loader and Golden Gh0st RAT). In April 2026, CylindricalCanine compromised a DigiCert support member's device to steal code-signing certificates intended for customers. These stolen certificates were used to sign malware, enabling it to bypass Windows SmartScreen. The malware uses DLL sideloading techniques and custom WebSocket protocols for command and control. Its capabilities include remote access, credential theft, keylogging, SOCKS proxy tunneling, and creating RDP backdoors. The group consistently uses legitimate executables to load malicious DLLs that decrypt payloads from files disguised as logs. The primary targets are finance organizations in the Asia Pacific region, and infection vectors include phishing campaigns.
Potential Impact
The compromise of DigiCert code-signing certificates allows CylindricalCanine to sign malware with legitimate certificates, increasing the likelihood of successful delivery and execution by bypassing Windows SmartScreen protections. The malware's capabilities enable attackers to gain persistent remote access, steal credentials, log keystrokes, tunnel network traffic via SOCKS proxies, and establish RDP backdoors, posing significant risks to confidentiality, integrity, and availability of targeted systems. The focus on finance organizations in the Asia Pacific region indicates targeted financial espionage and potential fraud or theft.
Mitigation Recommendations
No official patch or remediation is indicated for this threat. Organizations should be aware that the attackers use stolen legitimate code-signing certificates, which complicates detection based on signature trust alone. Mitigation should focus on enhancing phishing defenses, monitoring for suspicious DLL sideloading activities, and network traffic anomalies related to custom WebSocket communications. Incident response teams should validate the integrity of code-signing certificates and consider revocation of compromised certificates by DigiCert. Since this is an active threat leveraging stolen certificates, vigilance in endpoint detection and response is critical.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://expel.com/blog/introducing-cylindricalcanine/"]
- Adversary
- CylindricalCanine
- Pulse Id
- 6a584222408c03d24cc2103d
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf | — | |
hash4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e | — | |
hashdd44dabff536a1aa9b845dd891ad483162d4f28913344c93e5d59f648a186098 | — | |
hash54def291b6bd573186734895b7ed03b6 | — | |
hash639b0dd0fe4da3f4743de6347d7d58b7 | — | |
hashefe7a351491008a2ccb6b5d586904aba | — | |
hashf04ccc9a18dc71ccc4d4b1f651d3d0d2af8ab402 | — | |
hashf1888d0b44e5e1d5864ca5a9e93bf65c09411320 | — | |
hash2031a71c399563adaf1572e10abb395387eb132208a001c5e140496d7a3e0b26 | — | |
hash27b722c66f69e360c4da106daacf3b9eeaabd20634d7e5eff45a28bd70ebfd65 | — | |
hash2b0071007c3f5fa8e949a8de53be03e97901dd505694ca939b575a49e4fdbdbb | — | |
hash3313f347e83aaf48ea31fb1d49fc37452f48f81d20a1b93009e2e78385ff4bba | — | |
hash81e276aaa3eb9b3f595663c316b3c6414cc3dde5e6cc3a82856b7276acabb7de | — | |
hash8a913610e905c3dd1f657811ea3b1933471b230f88e1c155616099a03ab0abc0 | — | |
hashd1b1938963037aa332591a4c999523a05886d1f62d80e03f0adc22630b8671c4 | — | |
hashf67de637fca127212dc60b9a02f74e66dbd602b3b9f6f6e4f2b75614c1f9e944 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://uu.goldeyeuu.io:5188 | — | |
urlhttp://api.keensie.com:5198 | — | |
urlhttp://wk.goldeyeuu.io:5188 | — |
Threat ID: 6a58afc168715ace43cee4c4
Added to database: 07/16/2026, 10:17:37 UTC
Last enriched: 07/16/2026, 10:32:34 UTC
Last updated: 07/16/2026, 16:53:35 UTC
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.