Menu
Browse

Cyber Threat Actor: GoldenEyeDog

Actor Type Location Known Incidents
 Icon
Criminal
China
1 incident
Profile

GoldenEyeDog is the alias used to track a threat actor that has been linked to a series of incidents involving code‑signing certificate abuse. Public reporting indicates the actor is believed to operate from China, although no further details about its organizational structure have been released. The name GoldenEyeDog appears in security‑research discussions concerning the misuse of EV certificates. No other aliases have been publicly associated with this activity. The actor first came to attention in early 2026 when a security‑product false‑positive event coincided with a certificate‑authority breach.

In the reported incident, the actor gained initial access by sending a malicious ZIP file to a DigiCert support analyst, which led to the compromise of the analyst’s device. Using a support‑portal feature, the actor obtained initialization codes for approved extended‑validation code‑signing certificates. Those certificates were then used to sign various malware binaries, most notably the Zhong Stealer malware. The signed malware was distributed to targets that include technology vendors such as Lenovo, Kingston, Shuttle Inc and Palit Microsystems. The abuse resulted in the revocation of sixty code‑signing certificates, twenty‑seven of which were directly tied to the malicious files.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources