
APT-Q-27 Goes Signed: GoldenEyeDog's Sims 4 Updater Lure Now Carries a Brand-New Korean DigiCert EV Certificate

Published April 7, 2026
Tags: apt-q-27, goldeneyedog, dragon-breath, china-nexus, code-signing-abuse, dead-drop-resolver, sims-4, gaming-malware

TL;DR

On April 7, 2026, a new sample of the long-running malicious sims-4-updater.exe campaign surfaced on MalwareBazaar (reported by @JAMESWT_WT). Where prior versions (v1.1.1, v1.3.3, v1.3.4) circulated unsigned across ANY.RUN, JoeSandbox and Hybrid-Analysis going back years, the new sims-4-updater-v1.4.7.exe is signed with a fresh DigiCert EV code-signing certificate issued to MobSoft Co., Ltd (Seoul, South Korea, business registration 110111-8502117) — a certificate that was minted on April 2, 2026, just five days before the malware appeared in the wild.

The implant is a custom-virtualized PE64 backdoor whose runtime artifacts (mutex Global\DHGGlobalMutex, registry keys HKCU\offlinekey\open / HKCU\offlinekey\clipboard) match documented APT-Q-27 / GoldenEyeDog / Dragon Breath tooling — a Chinese-nexus crew historically tracked by Sophos, Qi'anxin, and CyStack. The C2 server lightindividual.com (74.117.183.165, Webzilla bulletproof, Dallas TX) is live, with a sister node at 74.117.183.164 and a distribution mirror at anadius.su (91.149.227.100, SOROK76 LTD, Norway). Configuration is fetched from rentry.co, rentry.org and gist.githubusercontent.com in a dead-drop resolver pattern not previously documented for this actor.

What this report adds to the public record:

  • Ties the multi-year sims-4-updater distribution channel to APT-Q-27 via mutex, registry, and PDB correlation
  • Documents the MobSoft Co., Ltd EV certificate as being used to sign APT-Q-27 malware in the wild
  • Maps the lightindividual.com C2 infrastructure and its sister node
  • Calls out APT-Q-27's use of a rentry.co / gist dead-drop resolver pattern as a detection pivot

DigiCert revocation request is in progress. If you've published prior reporting on any of the above and we missed it, please reach out — we'll update and credit.


Prior Art

APT-Q-27 (also known as GoldenEyeDog by Qi'anxin and Dragon Breath by Sophos) has been publicly tracked since at least 2020. Documented coverage:

Date | Source | Finding
2023-05 | Sophos / Cyware | "Double DLL sideloading" technique against gambling operators in SEA
2023-05 | BleepingComputer | Trojanized Telegram, ToDesk, VPN apps as carriers
2023-05 | HivePro Threat Advisory | Targeting Chinese-speaking gambling players in Philippines, Vietnam, Malaysia, Thailand
2023 (and ongoing) | Cyber Security Review | "Silver Fox" trojan stealing activities
2026-02-06 | CyberPress / CyStack | Mid-January 2026 corporate intrusion in Vietnam — first 2026 sighting

Separately, the sims-4-updater.exe family has bounced around sandboxes for years: unsigned v1.1.1, v1.3.3 and v1.3.4 builds appear on ANY.RUN, JoeSandbox and Hybrid-Analysis.

anadius.su is a long-running distributor of pirated Sims 4 DLC content known to the Sims modding community. Whether the operator has compromised anadius.su, is impersonating it on a lookalike, or is supply-chaining a known cracker channel is the most consequential open question of this campaign — and one that warrants direct outreach to anadius.

What this report adds is to (a) tie the long-running sims-4-updater campaign to APT-Q-27 via runtime artifact correlation, (b) document the operator's pivot from unsigned droppers to abuse of a 5-day-old DigiCert EV code-signing certificate, and (c) map the currently-live C2 infrastructure.


The Sample

Filename:        sims-4-updater-v1.4.7.exe
SHA256:          85113d10061110c755626eec419703a57e82afebaf95064c83cf5d4c5c55193a
SHA1:            fab36ed43bc619c6e7afd03e7a51b2d956afb9e4
MD5:             2a9cfae1039fcc214433222a5cc7d4c7
Parent ZIP SHA256: d261d8e19a2165642060a815b8b482b1b56190109cae0c693ef5be82e4df733e
File Type:       PE32+ executable (GUI) x86-64, MSVC
Size:            688,416 bytes
PDB Path:        C:\Users\Administrator\Desktop\photo\java2.0\x64\Release\java2.0.pdb
First Seen:      2026-04-07 12:47:58 UTC
Reporter:        @JAMESWT_WT
ANY.RUN tags:    apt-q-27, backdoor, websocket, antivm, upx, auto-reg

The PE has a tiny import table (WinHttpSendRequest, SHGetFolderPathA, RegCloseKey, RtlUnwind) and a .text section with entropy 7.66 — the first ~384KB is encrypted payload, the trailing ~288KB is a custom virtualizer/decryptor. All real API resolution happens dynamically post-unpack via GetProcAddress. This is not UPX or any commercial packer; the entry point uses heavy stack manipulation, self-modifying address calculations, and call-to-self position-independent address resolution consistent with APT-Q-27's documented in-house obfuscator.

The PDB path leak — C:\Users\Administrator\Desktop\photo\java2.0\x64\Release\java2.0.pdb — is consistent with prior GoldenEyeDog builds that have leaked similar Desktop\photo\ and java2.0 paths.


The Certificate (The Real Story)

Subject:    jurisdictionC=KR, jurisdictionST=Seoul,
            businessCategory=Private Organization,
            serialNumber=110111-8502117,
            C=KR, ST=Seoul, L=Guro District,
            O=MobSoft Co., Ltd, CN=MobSoft Co., Ltd
Issuer:     C=US, O=DigiCert, Inc.,
            CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Valid:      2026-04-02 → 2027-04-02
Serial:     02ed93fdb6cfb33a477e218531f32922
Auth SHA1:  8BD98B8576EFFF8D336AB93C7F786325971ABC6C

Five days between certificate issuance (Apr 2) and first sample sighting in the wild (Apr 7). This is an EV ("Extended Validation") code-signing certificate — the kind that grants instant SmartScreen reputation and bypasses many endpoint security defaults. APT-Q-27 has a documented history of operating a supply chain of stolen and fraudulently obtained code-signing certificates:

  • Portier Global Pty Ltd (later revoked, prior campaigns)
  • Kunming Wuqi E-commerce Co., Ltd (kernel driver signing)
  • And now: MobSoft Co., Ltd (KR, Guro-gu, Seoul)

The Korean business registration number 110111-8502117 is real. We have not yet established whether MobSoft is a victim of certificate theft, was social-engineered through DigiCert's EV vetting, or is a paper company set up specifically to obtain a signing identity. DigiCert has been notified and revocation is pending.


Live C2 Infrastructure

IOC | Value | Hosting | Role
Primary C2 | lightindividual.com | NameCheap reg, ultradns NS | First-stage HTTPS C2
C2 IP | 74.117.183.165 | Webzilla Inc. AS40824, Dallas TX (bulletproof) | nginx, self-signed WRONG.hostname cert + LE cert for lightindividual.com
Sister C2 | 74.117.183.164 | Same /24, identical fingerprint | Likely failover / staging
Distribution | anadius.su | (see Distribution IP) | Long-running Sims pirate channel — compromise OR impersonation TBD
Distribution IP | 91.149.227.100 | AS200508 SOROK76 LTD, Norway, hostname i5-2400.as200508.net | Ubuntu, OpenSSH 8.9p1, ports 22/80/443/8083
Dead-drop | rentry.co (CF: 104.26.2.16, 104.26.3.16, 172.67.75.40) | Cloudflare anonymous-paste | Config / next-stage URL retrieval
Dead-drop | rentry.org (164.132.58.105) | (not recorded) | Mirror dead-drop
Dead-drop | gist.githubusercontent.com (185.199.110.133) | GitHub | Mirror dead-drop

Domain registration

  • Registrar: NameCheap, Inc.
  • Created: 2025-04-15 (~12 months of aging — operational discipline)
  • Expires: 2026-04-15 (renewal window in 8 days — worth watching)
  • NS: pdns73.ultradns.{biz,com,net,org,info,co.uk}
  • TLS: Let's Encrypt E7 — first cert 2025-10-15, latest 2026-03-29

Cross-reference: prior APT-Q-27 C2 infrastructure

Per CyStack's Jan 2026 corporate intrusion report, historically attributed APT-Q-27 nodes:

  • 143.92.57.46:15628 — CTG Server Ltd, HK
  • 45.145.73.105 — Spartan Host Ltd, US
  • wk.goldeyeuu[.]io — historical, resolved to 56.155.111.29

The hosting pivot HK → US bulletproof → Dallas Webzilla is consistent with the actor's documented tendency to rotate through low-attribution Western providers between active operations.


Host-Based Indicators

Registry persistence

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\offlinekey\open — keylogger enable/disable (APT-Q-27 signature)
  • HKCU\offlinekey\clipboard — clipboard hijacker config (APT-Q-27 signature)

Mutex

  • Global\DHGGlobalMutex — APT-Q-27 / GoldenEyeDog signature

Dropped files (PyInstaller staging — second stage is Python)

  • %TEMP%\_MEI<PID>\python310.dll
  • %TEMP%\_MEI<PID>\VCRUNTIME140.dll
  • %TEMP%\_MEI<PID>\_cffi_backend.cp310-win_amd64.pyd
  • %AppData%\Microsoft\Internet Explorer\UserData\ (data staging)

Suricata signatures triggered

  • ET INFO Pastebin Service Domain in DNS Lookup (rentry.co)
  • ET INFO Observed Pastebin Service Domain (rentry.co in TLS SNI)
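The Suricata hits above fire on any rentry.co lookup, which is noisy on developer machines. The following is an added example (not the report's own tooling) that reduces the dead-drop pivot to a small rule over DNS and TLS SNI telemetry: flag non-developer hosts touching the three dead-drop services named in this report, and escalate when the same host also contacts the documented C2. The log format, the host names and the DEVELOPER_HOSTS allow-list are constructed assumptions.

```python
"""Flag dead-drop resolver traffic (rentry.co / rentry.org / gist) from non-developer hosts.
Added example; the tab-separated records below are constructed, not real captures:
timestamp, src_host, event_type ("dns" query name or "sni" TLS server name), value."""

# Dead-drop services observed in this campaign (from the report)
DEAD_DROP_DOMAINS = {"rentry.co", "rentry.org", "gist.githubusercontent.com"}
# Campaign C2 indicators (from the report); contact after a dead-drop lookup escalates the alert
C2_INDICATORS = {"lightindividual.com", "74.117.183.165", "74.117.183.164"}
# Hosts expected to use paste/gist services legitimately (assumed allow-list, tune per environment)
DEVELOPER_HOSTS = {"dev-ws-07"}

def _matches(name, indicators):
    """True if name equals a listed indicator or is a subdomain of a listed domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in indicators)

def analyze(lines):
    """Return {src_host: severity} for non-developer hosts that touched a dead-drop service.
    "medium" for a lone dead-drop lookup, "high" if the host also reached campaign C2."""
    dead_drop_hosts, c2_hosts = set(), set()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, _kind, value = line.split("\t")
        if _matches(value, DEAD_DROP_DOMAINS):
            dead_drop_hosts.add(src)
        if _matches(value, C2_INDICATORS):
            c2_hosts.add(src)
    alerts = {}
    for src in dead_drop_hosts - DEVELOPER_HOSTS:
        alerts[src] = "high" if src in c2_hosts else "medium"
    return alerts

# Constructed sample telemetry (not real captures)
SAMPLE_LOG = """\
2026-04-07T12:48:01Z\tgamer-pc-01\tdns\trentry.co
2026-04-07T12:48:02Z\tgamer-pc-01\tsni\trentry.co
2026-04-07T12:48:05Z\tgamer-pc-01\tsni\tlightindividual.com
2026-04-07T12:50:00Z\tdev-ws-07\tsni\tgist.githubusercontent.com
2026-04-07T12:51:00Z\tfinance-lt-03\tdns\trentry.org
2026-04-07T12:52:00Z\thr-lt-09\tsni\twww.example.com
""".splitlines()

if __name__ == "__main__":
    for host, sev in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{sev.upper():6} {host}")
```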

Why It Matters

  1. EV signing bypasses SmartScreen. Even tier-1 EDRs are biased against unsigned binaries; an EV-signed PE walks through Windows defaults that would trip on the same code unsigned.
  2. Gaming lures are an under-defended initial-access vector. The Sims is one of the world's best-selling franchises with a thriving mod-and-crack scene. APT-Q-27 historically targeted gambling — pivoting into casual gaming is a logical TAM expansion of a cred-stealing operation.
  3. The dead-drop pattern (rentry, gist) defeats domain-based blocking. Defenders need to look at DNS for pastebin services in TLS SNI from non-developer endpoints, not at IPs.
  4. anadius.su may be compromised at the supply-chain level. If the long-running pirate channel is being weaponized, every Sims player who has ever sideloaded a free DLC update is a potential victim. We are reaching out to anadius operators directly.
  5. Five days from cert issuance to weaponization is the new normal for APT-Q-27. DigiCert's EV vetting did not slow this down. The lesson for defenders is to not extend reputation to certs based on signer alone — check age, then check actor.
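Point 5 above (check age, then check actor) can be expressed as a signer-rating rule. The following is an added example, not the report's own tooling: it computes the signer certificate's age at the file's first sighting and blocks known-abused signers outright. The MobSoft certificate fields and the 2026-04-07 first-seen date come from this report; the 30-day threshold, the SignerInfo layout and the contrasting "Example Vendor" signer are assumptions/constructed values.

```python
"""Rate a signed PE by signer-certificate age at first sighting and by known-abused signers.
Added example; the MobSoft values are from the report, everything else is assumed/constructed."""
from dataclasses import dataclass
from datetime import date

# Serial and SHA1 of the abused MobSoft certificate (from the report), lower-cased for comparison
ABUSED_SERIALS = {"02ed93fdb6cfb33a477e218531f32922"}
ABUSED_SHA1 = {"8bd98b8576efff8d336ab93c7f786325971abc6c"}
YOUNG_CERT_DAYS = 30  # assumed threshold; the report's sample was signed with a 5-day-old cert

@dataclass
class SignerInfo:
    subject_cn: str
    serial: str
    sha1: str
    not_before: date
    not_after: date

def cert_age_days(signer, first_seen):
    """Days from the certificate's NotBefore to the file's first sighting (negative if backdated)."""
    return (first_seen - signer.not_before).days

def assess(signer, first_seen, abused_serials=ABUSED_SERIALS, abused_sha1=ABUSED_SHA1):
    """Return (verdict, reasons): 'block' for a known-abused signer, 'suspicious' for a
    certificate that is very young, backdated or expired at first sighting, else 'allow'.
    EV status is deliberately not an input: reputation granted by the CA is not evidence."""
    if signer.serial.lower() in abused_serials or signer.sha1.lower() in abused_sha1:
        return "block", ["signer matches known-abused certificate"]
    reasons = []
    age = cert_age_days(signer, first_seen)
    if age < 0:
        reasons.append("first seen before certificate NotBefore")
    elif age < YOUNG_CERT_DAYS:
        reasons.append(f"certificate only {age} days old at first sighting")
    if first_seen > signer.not_after:
        reasons.append("certificate expired at first sighting")
    return ("suspicious", reasons) if reasons else ("allow", [])

# Signer of sims-4-updater-v1.4.7.exe as documented in the report
MOBSOFT = SignerInfo("MobSoft Co., Ltd", "02ed93fdb6cfb33a477e218531f32922",
                     "8BD98B8576EFFF8D336AB93C7F786325971ABC6C", date(2026, 4, 2), date(2027, 4, 2))
FIRST_SEEN = date(2026, 4, 7)
# Constructed well-aged signer for contrast (not a real vendor)
EXAMPLE_VENDOR = SignerInfo("Example Vendor LLC", "0123456789abcdef", "00" * 20,
                            date(2024, 1, 10), date(2027, 1, 10))

if __name__ == "__main__":
    for s in (MOBSOFT, EXAMPLE_VENDOR):
        print(s.subject_cn, assess(s, FIRST_SEEN))
    # Same MobSoft cert before it reached any blocklist: age alone would have flagged it
    print("MobSoft (age only):", assess(MOBSOFT, FIRST_SEEN, set(), set()))
```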

IOCs

# Files
85113d10061110c755626eec419703a57e82afebaf95064c83cf5d4c5c55193a  sims-4-updater-v1.4.7.exe
fab36ed43bc619c6e7afd03e7a51b2d956afb9e4                            (SHA1)
2a9cfae1039fcc214433222a5cc7d4c7                                    (MD5)
d261d8e19a2165642060a815b8b482b1b56190109cae0c693ef5be82e4df733e  parent ZIP

# Domains
lightindividual.com
anadius.su
rentry.co        (dead-drop, abuse)
rentry.org       (dead-drop, abuse)
gist.githubusercontent.com  (dead-drop, abuse)

# IPv4
74.117.183.165   # Primary C2 — Webzilla AS40824, Dallas TX
74.117.183.164   # Sister C2, same /24
91.149.227.100   # Distribution — SOROK76 LTD AS200508, Norway

# Code-signing certificate (REVOCATION REQUESTED)
Subject:  CN=MobSoft Co., Ltd, O=MobSoft Co., Ltd, L=Guro District, ST=Seoul, C=KR
BizReg:   110111-8502117
Issuer:   DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Serial:   02ed93fdb6cfb33a477e218531f32922
Valid:    2026-04-02 → 2027-04-02
Auth SHA1: 8BD98B8576EFFF8D336AB93C7F786325971ABC6C

# Host
Mutex:     Global\DHGGlobalMutex
Reg key:   HKCU\offlinekey\open
Reg key:   HKCU\offlinekey\clipboard
PDB path:  C:\Users\Administrator\Desktop\photo\java2.0\x64\Release\java2.0.pdb

Disclosure Timeline

Date | Action
2026-04-07 | Sample first seen on MalwareBazaar (reporter: JAMESWT_WT)
2026-04-07 | GHOST automated investigation completes; APT-Q-27 attribution confirmed
2026-04-07 | DigiCert revocation request submitted for MobSoft Co., Ltd cert
2026-04-07 | Webzilla abuse contact notified re: 74.117.183.164/165
2026-04-07 | rentry.co operators notified; abuse takedown requested for resolver pages
2026-04-07 | Public disclosure (this post)
TBD | Direct contact with anadius.su operators re: distribution channel

Credits

  • Sample reporter: @JAMESWT_WT (MalwareHunterTeam)
  • Prior art: Sophos (Dragon Breath, 2023), Qi'anxin (APT-Q-27 tracking), CyStack (2026-01 corporate intrusion), F-Secure (Sims 4 infostealer warning)
  • Investigation: GHOST automated operator → Breakglass Intelligence

GHOST — Breakglass Intelligence. One indicator. Total infrastructure.
