Cybersecurity researchers have linked the April 2026 breach at DigiCert to a threat activity cluster tracked as CylindricalCanine. The attribution comes from Expel, which published technical details of the incident and connected the intrusion to a broader threat actor known as GoldenEyeDog.

GoldenEyeDog is also tracked under several aliases, including APT-Q-27, Dragon Breath, and Miuuti Group. The group is a Chinese cybercrime operation that has historically focused its efforts on the gambling and gaming sectors.

According to Expel, CylindricalCanine operates as a sub-group within the wider GoldenEyeDog structure. The distinction suggests a degree of internal specialization within the threat actor’s operations, with this particular cluster apparently responsible for the activity that resulted in the compromise at DigiCert.

Why the DigiCert Link Matters

DigiCert is a major certificate authority, and any breach touching its infrastructure raises immediate concerns around the potential theft or misuse of code-signing certificates. Compromised code-signing certificates are a high-value asset for threat actors because they can be used to sign malware in a way that helps it evade detection by endpoint security tools and bypass trust-based execution controls in operating systems.

While the full scope of what was accessed or exfiltrated during the incident has not been detailed in the available reporting, the attribution to a subgroup of a known Chinese cybercrime collective adds important context for defenders trying to understand the actors behind certificate authority compromises.

What Security Teams Should Watch

  • Monitor for unexpected or newly issued code-signing certificates tied to unfamiliar publishers
  • Review endpoint detection rules that rely solely on valid code-signing status as a trust signal
  • Track further disclosures from DigiCert and Expel regarding the scope of the incident
  • Watch for GoldenEyeDog/Dragon Breath tooling that may leverage stolen or fraudulently obtained certificates

As more details emerge, organizations that rely on DigiCert-issued certificates should stay alert for guidance on revocation or reissuance tied to this incident.