Cybersecurity firm Expel has attributed the April 2026 DigiCert security incident to CylindricalCanine, a specialized subgroup operating under the broader GoldenEyeDog threat cluster. The breach, which resulted in the theft of critical code-signing certificates, signals a calculated escalation by the adversary toward foundational internet trust infrastructure.
Operating under aliases such as APT-Q-27, Dragon Breath, and Miuuti Group, GoldenEyeDog has historically focused its operations on the gambling and gaming sectors. CylindricalCanine’s pivot to compromise a major Certificate Authority (CA) like DigiCert marks a deliberate strategic shift. As a primary issuer of SSL/TLS and code-signing certificates, DigiCert underpins the identity verification mechanisms for countless enterprise applications and public web services globally.
Technical analysis from Expel confirms the stolen credentials were actively weaponized to sign "Zhong Stealer," a data-harvesting malware family. In response to the compromise, DigiCert revoked 60 affected certificates to halt unauthorized distribution. Despite these immediate mitigations, the incident underscores severe supply-chain vulnerabilities: by signing malicious payloads with legitimate certificates, threat actors can disguise malware as trusted software updates, routinely bypassing endpoint security controls and exploiting established user trust.
Compromising a central trust anchor like DigiCert creates cascading risks across the global software ecosystem. When a major certificate authority is breached, the integrity of digital identity validation is fundamentally undermined, forcing organizations to reassess the authenticity of software updates and encrypted communications. This incident highlights how foundational infrastructure remains a high-value target for adversaries seeking to erode trust at scale.
Expel’s attribution to a dedicated subgroup points to a well-resourced, operationally mature campaign. The transition from niche sector targeting to compromising foundational internet infrastructure demonstrates a clear intent to secure long-term, scalable access across diverse environments. Rather than an isolated event, this breach confirms that supply-chain and trust-exploitation campaigns are actively being optimized by organized threat actors for maximum strategic impact.
網絡安全公司 Expel 將 2026 年 4 月發生的 DigiCert 安全事件歸因於 CylindricalCanine,該組織為 GoldenEyeDog 威脅集群下的一個專門子組織。此次入侵導致關鍵的代碼簽署證書遭竊,顯示攻擊者正有計劃地將目標升級至互聯網基礎信任設施。
GoldenEyeDog 曾使用 APT-Q-27、Dragon Breath 及 Miuuti Group 等別名,過往主要針對賭博及遊戲行業展開行動。CylindricalCanine 轉而入侵 DigiCert 等主要證書頒發機構(CA),標誌著其戰略出現明確轉變。作為 SSL/TLS 及代碼簽署證書的主要簽發機構,DigiCert 支撐著全球無數企業應用軟件及公共網絡服務的身份驗證機制。
Expel 的技術分析證實,遭竊的憑證已被積極武器化,用於簽署名為「Zhong Stealer」的數據收集惡意軟件家族。為應對此次入侵,DigiCert 已撤銷 60 張受影響的證書,以阻止未經授權的分發。儘管已採取即時緩解措施,此事件仍突顯嚴重的供應鏈漏洞:攻擊者利用合法證書簽署惡意 payload,可將惡意軟件偽裝成受信任的軟件更新,此手法慣常能繞過端點安全控制並利用既有用戶信任。
入侵 DigiCert 這類核心信任錨點,將在全球軟件生態系統中引發連鎖風險。當主要證書頒發機構遭入侵,數碼身份驗證的完整性將受到根本性破壞,迫使企業重新審視軟件更新及加密通訊的真實性。此事件反映基礎設施仍是攻擊者意圖大規模削弱信任的高價值目標。
Expel 將事件歸因於專門子組織,顯示這是一場資源充裕且運作成熟的攻擊行動。攻擊目標由特定行業轉向入侵互聯網基礎設施,清楚表明其意圖在於取得跨越多種環境的長期及可擴展存取權限。此次入侵並非孤立事件,而是證實有組織的威脅行為者正積極優化供應鏈及信任利用攻擊,以追求最大的戰略效益。
