🇨🇳 CN2 malware families

GoldenEyeDog

Also known asgoldeneyedog

GoldenEyeDog, also referred to as APT-Q-27, is described in the provided content as a Chinese e-crime group. Security researchers linked GoldenEyeDog to the Zhong Stealer campaign, but the content explicitly states that attribution of GoldenEyeDog to the DigiCert breach itself remained unconfirmed. In the reported activity, stolen EV code-signing certificates were used to digitally sign Zhong Stealer payloads. The Zhong Stealer campaign is described as involving credential and cryptocurrency theft and behaving like a remote access trojan. Reported tradecraft associated in the content with the Zhong Stealer activity includes phishing and social-engineering lures using fake screenshots, first-stage decoy payloads, retrieval of additional malware from cloud services such as AWS, and use of digitally signed binaries to evade endpoint detection. Known alias in the content: APT-Q-27.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Software & Services

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

23 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics41 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

2 techniques

T1195

Supply Chain Compromise

T1566

Phishing

T1566.001

Spearphishing Attachment

T1566.002×2

Spearphishing Link

TA0002

Execution

2 techniques

T1204

User Execution

T1204.002

Malicious File

T1574

Hijack Execution Flow

T1574.001

DLL

TA0003

Persistence

3 techniques

T1112

Modify Registry

T1543

Create or Modify System Process

T1543.003×2

Windows Service

T1547

Boot or Logon Autostart Execution

T1547.001×2

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

3 techniques

T1543

Create or Modify System Process

T1543.003×2

Windows Service

T1547

Boot or Logon Autostart Execution

T1547.001×2

Registry Run Keys / Startup Folder

T1548

Abuse Elevation Control Mechanism

T1548.002

Bypass User Account Control

TA0005

Stealth

6 techniques

T1027

Obfuscated Files or Information

T1027.007

Dynamic API Resolution

T1036×2

Masquerading

T1036.004

Masquerade Task or Service

T1070

Indicator Removal

T1140

Deobfuscate/Decode Files or Information

T1574

Hijack Execution Flow

T1574.001

DLL

T1620×2

Reflective Code Loading

TA0112

Defense Impairment

2 techniques

T1112

Modify Registry

T1553

Subvert Trust Controls

T1553.002×3

Code Signing

TA0006

Credential Access

1 technique

T1056

Input Capture

T1056.001

Keylogging

TA0009

Collection

2 techniques

T1056

Input Capture

T1056.001

Keylogging

T1115

Clipboard Data

TA0011

Command and Control

3 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1102

Web Service

T1102.001

Dead Drop Resolver

T1105×2

Ingress Tool Transfer

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

sims-4-updaterOn April 7, 2026, a new sample of the long-running malicious sims-4-updater.exe campaign surfaced on MalwareBazaar... The implant is a custom-virtualized PE64 backdoor whose runtime artifacts (mutex Global\DHGGlobalMutex, registry keys HKCU\offlinekey\open / HKCU\offlinekey\clipboard) match documented APT-Q-27 / GoldenEyeDog / Dragon Breath tooling.1Apr 21, 2026

Zhong StealerThe stolen certificates were used to digitally sign payloads delivering Zhong Stealer, a malware family previously associated with cybercrime groups involved in cryptocurrency theft.1May 4, 2026

IOCS

Observables

35 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

35 IOCsView more in app

ip.v4

19 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+11

Domains

6 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru

hash.md5

6 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

hash.sha1

2 total

•••••••••••••••••

hash.sha256

2 total

•••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyber security newsNews

May 4, 2026

DigiCert Hacked via Weaponized Screensaver File to Obtain EV Code Signing Certificates

Linked to campaigns distributing Zhong Stealer, including use of stolen EV code-signing certificates to sign payloads and support malware delivery aimed at evading endpoint detection; attribution for the DigiCert breach itself is explicitly unconfirmed.

darkwebinformerNews

May 4, 2026

When a Screensaver Cracked the Internet's Trust Layer: Inside the DigiCert Hack

A Chinese e-crime group linked to abuse of DigiCert-issued code signing certificates, with certificates already observed being used to sign the Zhong Stealer malware family.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping23

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables35

Domains, IPs, and hashes tied to this actor, refreshed continuously.