Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Introducing CylindricalCanine: The GoldenEyeDog subgroup responsible for the April DigiCert incident

0
Medium
Published: 07/16/2026 (07/16/2026, 02:29:54 UTC)
Source: AlienVault OTX General

Description

The CylindricalCanine subgroup of the Chinese cybercrime group GoldenEyeDog has been active since 2015, targeting primarily finance organizations in the Asia Pacific region. In April 2026, they compromised a DigiCert support member's device to steal code-signing certificates, which were then used to sign their malware. Their malware employs DLL sideloading, custom WebSocket protocols for command and control, and includes capabilities such as remote access, credential theft, keylogging, SOCKS proxy tunneling, and RDP backdoor creation. The group uses legitimate executables to load malicious DLLs that decrypt payloads disguised as log files. This threat leverages stolen legitimate certificates to bypass Windows SmartScreen protections since 2024.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/16/2026, 10:32:34 UTC

Technical Analysis

GoldenEyeDog is a Chinese cybercrime group active since 2015, with a subgroup named CylindricalCanine that uses modified versions of the 2008 Gh0st RAT malware (Golden Gh0st Loader and Golden Gh0st RAT). In April 2026, CylindricalCanine compromised a DigiCert support member's device to steal code-signing certificates intended for customers. These stolen certificates were used to sign malware, enabling it to bypass Windows SmartScreen. The malware uses DLL sideloading techniques and custom WebSocket protocols for command and control. Its capabilities include remote access, credential theft, keylogging, SOCKS proxy tunneling, and creating RDP backdoors. The group consistently uses legitimate executables to load malicious DLLs that decrypt payloads from files disguised as logs. The primary targets are finance organizations in the Asia Pacific region, and infection vectors include phishing campaigns.

Potential Impact

The compromise of DigiCert code-signing certificates allows CylindricalCanine to sign malware with legitimate certificates, increasing the likelihood of successful delivery and execution by bypassing Windows SmartScreen protections. The malware's capabilities enable attackers to gain persistent remote access, steal credentials, log keystrokes, tunnel network traffic via SOCKS proxies, and establish RDP backdoors, posing significant risks to confidentiality, integrity, and availability of targeted systems. The focus on finance organizations in the Asia Pacific region indicates targeted financial espionage and potential fraud or theft.

Mitigation Recommendations

No official patch or remediation is indicated for this threat. Organizations should be aware that the attackers use stolen legitimate code-signing certificates, which complicates detection based on signature trust alone. Mitigation should focus on enhancing phishing defenses, monitoring for suspicious DLL sideloading activities, and network traffic anomalies related to custom WebSocket communications. Incident response teams should validate the integrity of code-signing certificates and consider revocation of compromised certificates by DigiCert. Since this is an active threat leveraging stolen certificates, vigilance in endpoint detection and response is critical.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://expel.com/blog/introducing-cylindricalcanine/"]
Adversary
CylindricalCanine
Pulse Id
6a584222408c03d24cc2103d
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hash1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf
hash4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e
hashdd44dabff536a1aa9b845dd891ad483162d4f28913344c93e5d59f648a186098
hash54def291b6bd573186734895b7ed03b6
hash639b0dd0fe4da3f4743de6347d7d58b7
hashefe7a351491008a2ccb6b5d586904aba
hashf04ccc9a18dc71ccc4d4b1f651d3d0d2af8ab402
hashf1888d0b44e5e1d5864ca5a9e93bf65c09411320
hash2031a71c399563adaf1572e10abb395387eb132208a001c5e140496d7a3e0b26
hash27b722c66f69e360c4da106daacf3b9eeaabd20634d7e5eff45a28bd70ebfd65
hash2b0071007c3f5fa8e949a8de53be03e97901dd505694ca939b575a49e4fdbdbb
hash3313f347e83aaf48ea31fb1d49fc37452f48f81d20a1b93009e2e78385ff4bba
hash81e276aaa3eb9b3f595663c316b3c6414cc3dde5e6cc3a82856b7276acabb7de
hash8a913610e905c3dd1f657811ea3b1933471b230f88e1c155616099a03ab0abc0
hashd1b1938963037aa332591a4c999523a05886d1f62d80e03f0adc22630b8671c4
hashf67de637fca127212dc60b9a02f74e66dbd602b3b9f6f6e4f2b75614c1f9e944

Url

ValueDescriptionCopy
urlhttp://uu.goldeyeuu.io:5188
urlhttp://api.keensie.com:5198
urlhttp://wk.goldeyeuu.io:5188

Threat ID: 6a58afc168715ace43cee4c4

Added to database: 07/16/2026, 10:17:37 UTC

Last enriched: 07/16/2026, 10:32:34 UTC

Last updated: 07/16/2026, 16:53:35 UTC

Views: 12

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses