New threat intelligence has connected the April 2026 DigiCert security incident to CylindricalCanine, a subgroup of the GoldenEyeDog cybercrime operation. The incident is significant because the attackers were not merely seeking documents or account credentials. They targeted code-signing certificates, which can give malicious software a misleading appearance of legitimacy.
Support Access Became the Entry Point
The intrusion reportedly began when an attacker contacted DigiCert's support team through a customer chat channel and submitted a ZIP archive disguised as a screenshot. The archive contained a malicious screen-saver executable that compromised two support analyst workstations.
The attackers then abused a support portal feature that allowed authorized analysts to view customer accounts while assisting them. This access exposed initialization codes associated with approved but undelivered extended-validation code-signing certificate orders. Possession of those codes was functionally sufficient to complete certificate retrieval across a limited group of customer accounts.
DigiCert revoked 60 certificates associated with the incident. Researchers said 27 were directly connected to the threat actor and that some were used to sign Zhong Stealer malware. The company subsequently changed its platform to conceal initialization codes from proxied support sessions through both the user interface and API.
Why Signed Malware Is Dangerous
Code signing does not prove that software is harmless. It confirms who signed the file and whether it was altered afterward. However, users, administrators, security products, and application-control systems may place greater trust in properly signed executables. A stolen certificate can therefore help malware bypass warnings or survive initial inspection.
Defensive Priorities
- Isolate support personnel on hardened, privileged workstations.
- Block executable attachments and archives in customer-support channels.
- Require additional approval before certificate initialization or delivery.
- Monitor certificate transparency and reputation systems for unexpected issuance.
- Immediately investigate software signed with revoked or suspicious certificates.
I believe certificate authorities and other trust providers must treat support systems as part of their critical security perimeter. Support teams routinely receive files from strangers, yet they may also hold access capable of affecting customer identities and software trust. This combination makes them exceptionally attractive targets. Stronger file isolation, narrowly scoped support permissions, and independent verification of certificate delivery should become standard controls across the industry.
