Cyber Incident Victim: DigiCert

Date:

Apr 2026

Location:

United States of America

Summary

DigiCert said a malicious payload sent via a customer chat compromised two support endpoints, letting attackers reach its internal support portal and steal initialization codes for approved EV code‑signing orders. With those codes they obtained certificates later used to sign the Zhong Stealer malware; the company revoked sixty certificates, twenty‑seven of them tied to the actor and eleven flagged by the community as having been used to sign malware. Soon after, Microsoft Defender incorrectly labeled the company's legitimate root certificates as Trojan:Win32/Cerdigent.A!dha, a false positive fixed in a later security intelligence update.


Description

On April 2, 2026, a threat actor delivered a malicious payload to DigiCert’s support team through a customer chat channel, disguising the file as a screenshot. The payload infected two endpoints; the first compromise was identified on April 3 and the second on April 14, with the delayed detection attributed to a malfunctioning security solution on the second endpoint. From the infected systems the attacker pivoted to DigiCert’s internal support portal, exploiting a feature that allows authenticated support analysts to proxy into customer accounts and view initialization codes for pending EV code‑signing certificate orders. Possession of an initialization code together with an approved order is sufficient to obtain the resulting certificate, and the actor used this method to acquire EV code‑signing certificates for a finite set of approved orders across multiple customer accounts and certificate authorities. By April 17 DigiCert had identified and revoked 60 certificates linked to the incident, 27 of which were explicitly tied to the threat actor, while 11 of the revoked certificates had been reported by the community as having been used to sign the Zhong Stealer malware family. The company stated that its investigation found no evidence of misuse of other internal systems beyond the access to initialization codes within specific support accounts.


In response, DigiCert revoked all certificates potentially associated with the activity by April 17 and cancelled pending orders to close the attacker’s access. The firm subsequently strengthened its security posture by enforcing multi‑factor authentication for administrative workflows, blocking access to initialization codes for proxied support users, restricting the file types permitted in support chat and Salesforce case attachments, and enhancing logging capabilities.

Researchers including Squiblydoo, MalwareHunterTeam, and g0njxa had previously observed newly issued DigiCert EV certificates being used to sign malware and reported them to DigiCert, noting that certificates issued to Lenovo, Kingston, Shuttle Inc, and Palit Microsystems were involved in the Zhong Stealer campaign attributed to the Chinese crime group #GoldenEyeDog (#APT‑Q‑27). The malware associated with the campaign was described as a remote access trojan delivered through phishing emails carrying fake images, using a first‑stage decoy executable, retrieving a second‑stage payload from cloud storage such as AWS, and relying on signed binaries and loaders tied to legitimate vendors.

Shortly after the DigiCert incident, Microsoft Defender began flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in false‑positive alerts and the removal of those certificates from Windows trust stores on affected systems. Microsoft later addressed the detections in Security Intelligence update version 1.449.430.0, with the most recent update being 1.449.431.0, and the corrected updates were deployed automatically. The certificates flagged by Microsoft Defender are root certificates in the Windows trust store and do not correspond to the revoked DigiCert code‑signing certificates used to sign malware.
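As an added check that is not part of this incident record, the following PowerShell verifies on a Windows host whether the installed Defender signature version is at or above the fixing update the record cites, and whether DigiCert root certificates are still present in the machine trust store after the false‑positive removals. The function and parameter names are hypothetical, and the expected root count is a placeholder to set from your own fleet baseline.

```powershell
# Added example (not from the incident record): confirm a host has the
# Security Intelligence update that fixed the Trojan:Win32/Cerdigent.A!dha
# false positive, and that DigiCert roots are still in the machine store.
# Function and parameter names are hypothetical; 1.449.430.0 is the fix
# version cited in the record.

function Test-DigiCertRootTrustRemediation {
    [CmdletBinding()]
    param(
        [version]$FixedSignatureVersion = '1.449.430.0',
        # Placeholder: how many DigiCert-issued roots a known-good host in
        # your environment carries. Set this from your own baseline.
        [int]$ExpectedDigiCertRootCount = 1
    )

    # Defender reports the installed antivirus signature version as a string.
    $status    = Get-MpComputerStatus
    $installed = [version]$status.AntivirusSignatureVersion
    $signaturesFixed = $installed -ge $FixedSignatureVersion

    # Roots quarantined by the false positive were removed from this store,
    # so a still-affected host shows fewer DigiCert roots than its baseline.
    $digiCertRoots = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match 'DigiCert' }
    $rootCount = @($digiCertRoots).Count

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        InstalledSignatures    = $installed.ToString()
        SignaturesAtOrAboveFix = $signaturesFixed
        DigiCertRootCount      = $rootCount
        DigiCertRootsMissing   = ($rootCount -lt $ExpectedDigiCertRootCount)
        RootThumbprints        = @($digiCertRoots | ForEach-Object Thumbprint)
    }
}

$result = Test-DigiCertRootTrustRemediation
$result | Format-List

if (-not $result.SignaturesAtOrAboveFix) {
    Write-Warning "Signatures $($result.InstalledSignatures) predate the fix; run Update-MpSignature and re-check."
}
if ($result.DigiCertRootsMissing) {
    Write-Warning "Fewer DigiCert roots than baseline; compare against a known-good host before restoring."
}
```

Run it from an elevated session so Get-MpComputerStatus and the LocalMachine store are readable; the returned object can be collected fleet-wide to find hosts that still lack the fix or the roots.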
