Expel Attributes April 2026 DigiCert Breach to “CylindricalCanine” GoldenEyeDog Subgroup

A code-signing-integrity attribution against a Chinese cybercrime subgroup — and a prompt for supply-chain defenders to review how much trust their pipelines place in a valid signature.

Share
Editorial illustration of a signing seal lifted from a certificate vault, marking Expel's attribution of the DigiCert breach to the CylindricalCanine subgroup.

Key Takeaways

  • Expel published research on July 17, 2026 attributing the April 2026 DigiCert security incident to a threat activity cluster it dubs “CylindricalCanine,” which the firm characterizes as a subgroup of GoldenEyeDog — also tracked publicly as APT-Q-27, Dragon Breath, and Miuuti Group, and described as a Chinese cybercrime group.
  • The reported motive was code-signing certificate theft: DigiCert disclosed in April that it revoked 60 certificates after a threat actor obtained them through its internal support portal, and Expel reports that 27 of those were explicitly linked to the actor and used to sign malware.
  • The attribution itself is a single-vendor claim. DigiCert has publicly documented the incident and its remediation, but it has not publicly confirmed Expel's naming of the cluster, and it is not established whether authorities opened an investigation.

A certificate authority is the highest-leverage target in the software-trust chain — and Expel's attribution is a reminder that a valid signature is an assertion about issuance, not about intent.

HERNDON, VA. — Security firm Expel published research on July 17, 2026 attributing the April 2026 DigiCert security incident to a threat activity cluster it names “CylindricalCanine,” which the firm describes as a subgroup of GoldenEyeDog — an actor tracked publicly under the aliases APT-Q-27, Dragon Breath, and Miuuti Group, and characterized as a Chinese cybercrime group historically focused on the gambling and gaming sectors. The reported objective was the theft of code-signing certificates intended for DigiCert customers.

The attribution is Expel's own and should be read that way: a vendor assessment, not a settled or corroborated finding. The underlying incident is separately established — DigiCert publicly documented in April 2026 that it revoked certificates fraudulently obtained through its internal support portal, and described the control gap behind it. The combination is what makes this worth a defender's attention: not the cluster's identity, but the demonstration that the issuance layer of the software-trust chain is itself a target. Expel's analysis is published on the company's blog, and was first surfaced in wider reporting by The Hacker News.

At a Glance
FieldDetails
Cluster nameCylindricalCanine (Expel's designation)
Parent clusterGoldenEyeDog, aka APT-Q-27, Dragon Breath, Miuuti Group
CharacterizationChinese cybercrime group, publicly tracked as active since at least 2015
TargetDigiCert — code-signing certificate provider
Incident dateApril 2026; DigiCert disclosed the revocations at the time
Reported motiveTheft of code-signing certificates intended for DigiCert customers
Certificates revoked60, per DigiCert; Expel reports 27 explicitly linked to the actor
Attribution publishedJuly 17, 2026, by Expel
Not confirmedDigiCert's public position on the attribution; whether authorities opened an investigation

What Expel Documented

In research published on July 17, 2026, Expel introduced a threat activity cluster it tracks as CylindricalCanine and attributed the April 2026 DigiCert security incident to it. Expel security researcher Aaron Walton wrote that the actor accessed a support member's device at DigiCert, described as a code-signing certificate provider, and used that access to obtain certificates intended for DigiCert customers. The firm characterizes CylindricalCanine as a subgroup of GoldenEyeDog, the cluster also tracked as APT-Q-27, Dragon Breath, and Miuuti Group.

This publication does not reproduce the technical chain Expel documents; readers who need that detail should go to the firm's own write-up. What matters for a defender audience is narrower and more durable: a commercial certificate authority's support tier was the path, and certificates carrying a legitimate issuer's signature were the reported prize. It is also worth separating the classes of claim. The incident and the revocations are DigiCert's own public statements. The attribution to CylindricalCanine, and the placement of that cluster under GoldenEyeDog, are Expel's assessment.

The GoldenEyeDog / CylindricalCanine Cluster Context

GoldenEyeDog is publicly tracked as a Chinese cybercrime group and appears in vendor reporting under several names — APT-Q-27, Dragon Breath, and Miuuti Group — the usual result of multiple research teams naming overlapping activity independently. Public reporting describes the group as active since at least 2015 and historically oriented toward the gambling and gaming sectors, with Expel noting targeting of finance organizations in the Asia-Pacific region.

The “cybercrime” framing is doing real work there and should not be flattened into “nation-state.” Financially motivated Chinese-speaking crews and state-aligned espionage clusters draw on overlapping tooling, which makes clean separation hard from the outside; The CyberSignal's coverage of the FBI and Google action against a China-based cybercrime network and of espionage activity such as the Showboat telecom intrusions shows how differently the two behave once you look at objectives rather than toolmarks. Expel's placement of CylindricalCanine as a subgroup rather than a rebrand is a specific structural claim, and one no other vendor has publicly corroborated.

The Code-Signing-Certificate-Theft Framing in Defender Terms

A code-signing certificate is an assertion by a certificate authority that a given piece of software came from a validated organization. Operating systems, application allowlists, endpoint agents, and distribution pipelines all treat that assertion as a meaningful trust signal, and many treat it as a reason to reduce scrutiny. That is the point of the mechanism — and precisely why the issuance layer is high-leverage.

When certificates are obtained fraudulently but issued legitimately, the resulting signature is cryptographically valid. It verifies. Nothing in it distinguishes it from one earned through the intended process. The only correction available afterward is revocation, which depends on the certificate authority detecting the problem, publishing the revocation, and every relying system checking and honoring it — a chain with more slack in it than most trust models assume.

For supply-chain and platform teams, the practical reading is to audit where a valid signature currently short-circuits other controls. If signed binaries skip behavioral analysis or auto-satisfy an allowlist, the organization has outsourced a security decision to an issuance process it does not observe. That is the structural weakness The CyberSignal examined in Microsoft's takedown of a code-signing-as-a-service operation and in Shai-Hulud's generation of valid Sigstore provenance badges: the attestation is authentic, and the conclusion drawn from it is wrong.

DigiCert's Response and What to Watch For

DigiCert disclosed the incident publicly in April 2026 and documented its remediation. The company reported revoking 60 certificates issued across several of its certificate authorities after determining that an approved-but-undelivered order, combined with an order initialization code visible through an internal support-portal function, was functionally sufficient to obtain EV code-signing certificates for a finite set of customer accounts. DigiCert stated that its threat model had not accounted for that scenario, and that it has since deployed a change to mask initialization codes from proxied users across its E.U. and U.S. platforms.

Expel reports that 27 of the revoked certificates were explicitly linked to the threat actor, and that certificates from the incident were used to sign malware. That matters for the defender timeline: the window between fraudulent issuance and revocation is the interval during which downstream systems would have accepted those signatures as valid.

The watch items are straightforward. Whether DigiCert publicly addresses Expel's attribution is unresolved, as is whether any authority has opened an investigation. Independent corroboration of the CylindricalCanine designation would materially strengthen the assessment. Teams that ingest revocation data should confirm that checking is actually enforced rather than nominally configured.

Cross-Reference: Signing Trust Under Pressure Across Recent Coverage

This is the third recent pattern in which a platform's own trust-granting machinery was the enabling condition. In the CrashStealer macOS case, a notarized dropper carried Apple's own attestation past Gatekeeper. In the LabubaRAT campaign, impersonation of a major vendor's brand did the persuasive work a signature would otherwise do. The DigiCert incident sits one level upstream: rather than borrowing trust or imitating it, the reported objective was to obtain the instrument that confers it.

Read together, the three converge on a single limitation. Notarization, provenance badges, and code signatures each verify that a process was followed. None verifies intent. As more of the software pipeline automates decisions on the strength of those attestations, the value of subverting the issuance step rises accordingly, and the defensive answer has to be layered rather than binary.

Open Questions

Several items remain unresolved and should not be filled in by inference. It is not confirmed whether DigiCert has endorsed, disputed, or declined to comment on Expel's attribution; the company's April disclosure predates it and does not name a cluster. It is not established whether any law-enforcement or regulatory authority has opened an investigation. And Expel's structural claim — that CylindricalCanine is a subgroup of GoldenEyeDog rather than a separate or overlapping cluster — rests on one vendor's analysis.

What is established is enough to justify the work this article recommends. DigiCert has stated that it revoked 60 certificates obtained through its internal support portal and described the control change it made in response. Expel has published an attribution and reports that certificates from the incident were used to sign malware. For organizations whose pipelines treat a valid signature as a reason to look less closely, that warrants a review this week.


The CyberSignal Analysis

The reported facts above come from Expel's research and DigiCert's own public disclosure. What follows is The CyberSignal's editorial reading of what defenders should take from them — none of it is new reported fact.

Signal 01 — The Issuance Layer Is the Highest-Leverage Target in the Trust Chain

Most supply-chain defense treats the certificate authority as a fixed point — the thing you verify against. An incident at the issuance layer inverts that, because a fraudulently obtained certificate produces a signature that is genuinely valid, not forged. There is no cryptographic tell.

Our reading is that this makes certificate authorities structurally comparable to package registries and CI/CD platforms: infrastructure whose compromise propagates through everyone who trusts it, and whose support tiers deserve production-grade scrutiny. DigiCert's statement that its threat model had not accounted for the scenario is the candid version of a gap unlikely to be unique to it.

Signal 02 — Attribution Is the Least Actionable Part of This Story

The cluster name will circulate widely, and it changes the least about what any defender should do. Whether the activity is CylindricalCanine, GoldenEyeDog proper, or something another vendor names differently, the control review is identical: find where a valid signature suppresses other scrutiny, and add a layer there.

The alias sprawl is a caution rather than a curiosity — four names already attach to the parent cluster, and a fifth now attaches to the subgroup. Treat the attribution as one vendor's structural hypothesis: useful for tracking, unproven as a claim, and not the headline finding in an internal briefing where the certificate-trust exposure is the actionable item.

Signal 03 — Revocation Is a Weaker Backstop Than Most Trust Models Assume

Revocation is the only correction available once a certificate has been fraudulently issued, and it carries meaningful slack. It depends on detection, on publication, and on every relying system checking and honoring the revocation — and that last step is unevenly implemented across operating systems, endpoint tooling, and internal distribution pipelines.

Our assessment is that most organizations have never tested whether their environment would actually reject a revoked signing certificate, as distinct from having revocation checking notionally enabled. That test is cheap and specific, and this is a reasonable prompt to run it — the concrete work available while the attribution question stays open.


Sources

TypeSource
PrimaryExpel — Introducing CylindricalCanine
PrimaryDigiCert — Incident report and certificate revocations (Mozilla Bugzilla #2033170)
ReportingThe Hacker News — GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft
RelatedThe CyberSignal — Microsoft Took Down a Code-Signing-as-a-Service Operation
RelatedThe CyberSignal — Shai-Hulud Is Generating Valid Sigstore Provenance Badges
RelatedThe CyberSignal — CrashStealer's Notarized macOS Dropper and Gatekeeper
RelatedThe CyberSignal — LabubaRAT and NVIDIA Brand Impersonation