Introduction
The July 2026 breach of DigiCert represents a paradigm shift in supply chain security. A subgroup of the notorious GoldenEyeDog threat actor successfully infiltrated DigiCert’s infrastructure, exfiltrating proprietary code-signing certificates. This is not merely a data leak; it is an existential threat to the trust models underpinning Windows and enterprise environments globally.
By weaponizing these stolen certificates, GoldenEyeDog can sign their malware—ranging from custom backdoors to Cobalt Strike loaders—making them appear as legitimate, trustworthy software. Standard endpoint detection and response (EDR) solutions often whitelist signed binaries, creating a massive blind spot. Defenders must move beyond static allowlists and actively hunt for anomalies in binary trust and execution behavior. If you rely solely on the "Signed = Safe" heuristic, your visibility into this threat is effectively zero.
Technical Analysis
Affected Products & Platforms
While the breach occurred at a Certificate Authority (CA), the impact extends to all endpoint environments validating trust via the Microsoft Root Store:
- Windows 10/11 / Server 2019+: Primary target for signed malware execution.
- Enterprise Application Control (AppLocker/WDAC): Environments with weak "Publisher" rules are at highest risk.
- Code-Signing Certificates: Specifically, OV (Organization Validation) and EV (Extended Validation) certificates issued by DigiCert to legitimate software vendors, now in the hands of threat actors.
How the Attack Works
GoldenEyeDog’s attack chain leverages the inherent trust in the Public Key Infrastructure (PKI):
- Initial Compromise: GoldenEyeDog gains access to DigiCert’s issuance infrastructure or specific vendor accounts (likely via API abuse or credential theft).
- Certificate Theft: The actor exfiltrates private keys and the associated signing certificates for legitimate software vendors.
- Weaponization: The actor signs malicious payloads (DLL side-loading, executables, drivers) using the stolen certificate. The signature is cryptographically valid.
- Execution & Bypass: The malware is deployed to targets. Because the binary is signed by a trusted root (DigiCert), it bypasses SmartScreen alerts, AppLocker rules, and many EDR pre-filters.
- Objectives: Based on GoldenEyeDog’s historical TTPs, the goal is espionage, credential dumping, and establishing persistence within critical infrastructure sectors.
Exploitation Status
- Confirmed Active Exploitation: Yes. The Hacker News report confirms the certificates are already being used to sign malware in the wild.
- CISA KEV: Expected to be added imminently given the severity of the supply chain compromise.
Detection & Response
Detecting abuse of valid code-signing certificates requires shifting from looking at what the file is (hash/reputation) to how it behaves and where it runs. A signed malware dropper still exhibits the behaviors of an attacker: spawning shells, establishing network connections to non-standard C2 infrastructure, or residing in suspicious user directories.
Sigma Rules
The following Sigma rules target the discrepancy between a file's "Trusted" status and its suspicious execution context.
---
title: GoldenEyeDog - Signed Binary in Suspicious User Directory
id: 8a4b2c10-9d3e-4f5a-8b1c-2d3e4f5a6b7c
status: experimental
description: Detects validly signed binaries (specifically from major CAs) executing from user-writable directories. This is a common TTP when actors use stolen certs to drop malware in AppData or Temp.
references:
- https://thehackernews.com/2026/07/goldeneyedog-subgroup-linked-to.html
author: Security Arsenal
date: 2026/07/14
tags:
- attack.defense_evasion
- attack.t1059.001
- attack.s0189
logsource:
category: process_creation
product: windows
detection:
selection_sig:
SignatureStatus: 'Valid'
Signer|contains:
- 'DigiCert'
- 'Symantec'
selection_path:
Image|contains:
- '\\AppData\'
- '\\Temp\'
- '\\Downloads\'
filter_legit:
Image|contains:
- '\\Program Files\'
- '\\Program Files (x86)\'
- '\\Windows\\System32\'
condition: selection_sig and selection_path and not filter_legit
falsepositives:
- Legitimate software updates installing to temp directories
- Developer tools running from user profiles
level: high
---
title: GoldenEyeDog - Signed Binary Spawning Windows Script Host
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects a validly signed process spawning powershell.exe, wscript.exe, or cscript.exe. Malware signed with stolen certs often relies on \"Living Off The Land\" binaries after initial execution.
references:
- https://thehackernews.com/2026/07/goldeneyedog-subgroup-linked-to.html
author: Security Arsenal
date: 2026/07/14
tags:
- attack.execution
- attack.t1059.001
- attack.t1064
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentSignatureStatus: 'Valid'
ParentSigner|contains:
- 'DigiCert' # Adjust if specific compromised CA is known
selection_child:
Image|endswith:
- '\\powershell.exe'
- '\\pwsh.exe'
- '\\wscript.exe'
- '\\cscript.exe'
- '\\cmd.exe'
condition: selection_parent and selection_child
falsepositives:
- System administrators running scripts from signed management tools
- Installers triggering post-deployment scripts
level: medium
---
title: GoldenEyeDog - Network Connection from Signed Binary to Non-Standard Port
id: 9f8e7d6c-5b4a-3f2e-1d0c-9b8a7f6e5d4c
status: experimental
description: Detects network connections initiated by a validly signed binary to high-numbered ports or non-standard ports, indicative of C2 beaconing from signed malware.
references:
- https://thehackernews.com/2026/07/goldeneyedog-subgroup-linked-to.html
author: Security Arsenal
date: 2026/07/14
tags:
- attack.command_and_control
- attack.t1071
logsource:
category: network_connection
product: windows
detection:
selection:
SignatureStatus: 'Valid'
Signer|contains:
- 'DigiCert'
filter_standard_ports:
DestinationPort:
- 80
- 443
- 22
- 53
condition: selection and not filter_standard_ports
falsepositives:
- Legitimate software updates using CDNs on random ports
- P2P applications
level: low
KQL (Microsoft Sentinel / Defender)
Use this KQL query to hunt for processes that possess a valid signature but are running from locations typically abused by droppers.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where isnotempty(SignatureStatus) and SignatureStatus =~ \"Valid\"
| where Signer contains \"DigiCert\"
| where FolderPath !contains @\"\\Program Files\"
and FolderPath !contains @\"\\Windows\\System32\"
and FolderPath !contains @\"\\Windows\\SysWOW64\"
| where FolderPath contains @\"\\AppData\"
or FolderPath contains @\"\\Temp\"
or FolderPath contains @\"\\Downloads\"
| project Timestamp, DeviceName, FileName, FolderPath, Signer, SHA256, AccountName, InitiatingProcessFileName
| order by Timestamp desc
Velociraptor VQL
This VQL artifact hunts for executables in user profiles that are validly signed by the compromised issuer. This is a high-fidelity method to find "trusted" malware dropped into user directories.
-- Hunt for GoldenEyeDog signed binaries in user directories
SELECT
FullPath,
Size,
ModTime,
authenticode(FullPath).IssuerName AS Issuer,
authenticode(FullPath).SubjectName AS Subject,
authenticode(FullPath).SignatureState AS SigState
FROM glob(globs=\"C:\\Users\\*\\*.exe\")
WHERE SigState = \"Valid\"
AND Issuer =~ \"DigiCert\"
-- Exclude known legitimate paths to reduce noise
AND not FullPath =~ \"AppData\\\Local\\\Programs\"
AND not FullPath =~ \"AppData\\\Roaming\\\.*\\update\"
Remediation Script (PowerShell)
This script scans the C:\ drive for binaries signed by the specific compromised issuer (DigiCert) that are not located in standard protected directories. It outputs the findings for immediate IR triage.
<#
.SYNOPSIS
Hunt for GoldenEyeDog signed binaries in suspicious locations.
.DESCRIPTION
Scans for validly signed executables matching the DigiCert issuer
outside of standard Windows/Program Files paths.
#>
$LogPath = \"$env:USERPROFILE\\Desktop\\GoldenEyeDog_Hunt.log\"
$IssuerMatch = \"DigiCert\"
$SafePaths = @(
\"$env:SystemRoot\\System32\",
\"$env:SystemRoot\\SysWOW64\",
\"$env:ProgramFiles\",
\"$env:ProgramFiles(x86)\"
)
Write-Host \"[+] Initiating Hunt for Stolen Certificate Abuse...\" -ForegroundColor Cyan
Get-ChildItem -Path C:\ -Filter *.exe -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$FilePath = $_.FullName
# Skip protected paths to improve performance
if ($SafePaths | Where-Object { $FilePath -like \"$_*\" }) { return }
try {
$Sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($Sig.Status -eq 'Valid' -and $Sig.SignerCertificate.Issuer -like \"*$IssuerMatch*\") {
$AlertMsg = \"[!] Suspicious Signed Binary: $FilePath | Subject: $($Sig.SignerCertificate.Subject)\"
Write-Host $AlertMsg -ForegroundColor Red
Add-Content -Path $LogPath -Value $AlertMsg
}
}
catch {
# Ignore access errors
}
}
Write-Host \"[+] Hunt Complete. Review logs at $LogPath\" -ForegroundColor Green
Remediation
Immediate containment and trust restoration are required to mitigate the impact of this CA breach.
-
Identify Compromised Certificates: Consult the official DigiCert security advisory (linked below) to identify the specific Subject Names and Serial Numbers of the stolen certificates.
-
Update Certificate Trust Lists (CTL):
- Ensure Windows Update is enabled on all endpoints to receive the automatic revocation of the compromised certificates via the Microsoft Root Store.
- For air-gapped systems, manually import the updated CTLs provided by Microsoft.
-
Enforce Application Control Policies:
- Immediate: Move from "Allow Any Signed" to specific "Allow Publisher" rules where possible.
- Long-term: Implement Windows Defender Application Control (WDAC) in Audit Mode initially, then Enforced Mode, requiring explicit approval for specific code-signing certificates rather than trusting the entire DigiCert root implicitly.
-
Network Segregation: If internal tools utilize the compromised certificates, segment those systems immediately until they can be re-signed with valid, uncompromised keys.
-
Hunt for Persistence: Use the provided scripts to hunt for the existence of binaries signed with the stolen certificates in user directories (
AppData,Temp) and startup folders.
Official Advisory:
- DigiCert Security Advisory (July 2026): [To be released client-side via vendor portal]
- CISA Alert (Expected): AA26-XXXA
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.