
DigiCert has disclosed a security incident in which attackers compromised internal support systems and abused stolen certificate issuance data to obtain valid EV code signing certificates.
Some of the certificates were subsequently used to sign malware tied to the Zhong Stealer family.
DigiCert, a major certificate authority trusted by browsers and operating systems worldwide, plays a central role in securing internet communications and software distribution. Its code-signing certificates are widely used by software developers to verify the authenticity and integrity of applications, making any compromise particularly sensitive to the broader ecosystem.
According to a detailed incident report published by DigiCert, the intrusion began on April 2, 2026, when a threat actor impersonated a customer and contacted the company’s support team through a chat channel. The attacker repeatedly sent a malicious ZIP archive disguised as a screenshot. The archive contained a .scr file (Windows screensaver) that executed a payload when opened. Despite multiple blocked attempts by security tools, one support employee eventually executed it on a workstation.
DigiCert’s Trust Operations team detected and contained the initial compromise within hours on April 3, terminating malicious processes. However, a second system was silently compromised the following day via the same delivery vector. Due to a misconfigured CrowdStrike endpoint detection and response (EDR) agent that was not reporting to the central management console, the intrusion on this machine went unnoticed for nearly two weeks.
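The second workstation went unnoticed because its EDR sensor was installed but never reached the management console. The check a defender wants for that failure mode is a coverage reconciliation: compare the asset inventory (what should be reporting) against the console's last-seen times (what is reporting), rather than trusting the console's own host list. The script below is an added illustration written for this article, not DigiCert's or CrowdStrike's tooling; the hostnames, timestamps and the 24-hour silence threshold are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample data for this example. The inventory lists every workstation
# that is supposed to run the EDR sensor; the second map is what the management
# console last heard from each sensor. Hostnames and timestamps are invented.
ASSET_INVENTORY: List[str] = ["SUP-WS-01", "SUP-WS-02", "SUP-WS-03", "SUP-WS-04"]

EDR_LAST_SEEN: Dict[str, str] = {
    "SUP-WS-01": "2026-04-17T08:55:00Z",
    "SUP-WS-02": "2026-04-03T11:20:00Z",  # sensor installed, but it stopped checking in
    "SUP-WS-03": "2026-04-17T08:40:00Z",
    # SUP-WS-04 has no entry: the sensor never registered with the console
}

# A sensor that has been silent longer than this is treated as a coverage gap.
MAX_SILENCE = timedelta(hours=24)


@dataclass
class CoverageGap:
    host: str
    reason: str                      # "never reported" or "stale heartbeat"
    silent_for: Optional[timedelta]  # None when the host never reported


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_coverage_gaps(inventory: List[str], last_seen: Dict[str, str],
                       now: datetime, max_silence: timedelta = MAX_SILENCE) -> List[CoverageGap]:
    """Compare the asset inventory against console check-ins and return every
    host whose sensor is missing or has not reported within max_silence.
    Iterating the inventory (not the console's host list) is what catches a
    sensor that is installed but never talks to the console."""
    gaps: List[CoverageGap] = []
    for host in inventory:
        ts = last_seen.get(host)
        if ts is None:
            gaps.append(CoverageGap(host, "never reported", None))
            continue
        silence = now - parse_utc(ts)
        if silence > max_silence:
            gaps.append(CoverageGap(host, "stale heartbeat", silence))
    return gaps


if __name__ == "__main__":
    now = parse_utc("2026-04-17T09:00:00Z")  # constructed "current" time
    for gap in find_coverage_gaps(ASSET_INVENTORY, EDR_LAST_SEEN, now):
        days = gap.silent_for.days if gap.silent_for is not None else "-"
        print(f"{gap.host}: {gap.reason} (silent for {days} days)")
```

Run on a schedule, the output is a short list of hosts to chase; in the sample data it flags SUP-WS-02 (silent for 13 days) and SUP-WS-04 (never registered). Feeding the inventory from a source independent of the EDR console is the important design choice, since a sensor that never checks in is invisible to the console by definition.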
The prolonged access proved critical. Investigators determined that the attacker leveraged the compromised support account to access DigiCert’s internal customer support portal. This portal includes a feature that allows analysts to view customer accounts in a proxy mode to assist with troubleshooting. While restricted, the feature still exposed “initialization codes” associated with pending EV code-signing certificate orders, data that effectively serves as a one-time credential in the certificate issuance workflow.
DigiCert explained that possession of an initialization code, combined with an already-approved certificate request, is sufficient to generate and retrieve a valid EV code-signing certificate. By harvesting these codes from multiple customer accounts, the attacker fraudulently obtained certificates from several certificate authorities.
In total, DigiCert revoked 60 certificates issued during the exposure window, 27 of which were directly linked to the attacker’s activity. Security researchers and community members flagged 11 of these certificates after observing them being used in malicious campaigns, while DigiCert identified an additional 16 through internal investigation. The remaining 33 certificates were revoked as a precaution.
The abused certificates were used to sign payloads associated with the Zhong Stealer malware, a credential- and cryptocurrency-stealing threat previously linked to cybercrime operations, including activity attributed to the GoldenEyeDog (APT-Q-27) group.
The company emphasized that the attacker’s access was limited to code-signing initialization data and that no evidence was found of broader system compromise, misuse of validation processes, or the issuance of other certificate types. All identified malicious or potentially exposed certificates were revoked within 24 hours of discovery.
DigiCert has since implemented multiple security improvements, including stricter file upload controls, enhanced endpoint monitoring, mandatory phishing-resistant multi-factor authentication, and masking of initialization codes in all support workflows. The company is also working on longer-term changes, such as just-in-time privileged access controls and anomaly detection in certificate issuance systems.
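The root cause on the portal side was that a support view showed a value which functions as a one-time credential, and the remediation is to mask initialization codes in every support workflow. The following is an added example, not DigiCert's portal code: it masks sensitive fields server-side before the record reaches the proxy-mode view, recurses into nested orders so a code cannot leak through a sub-object, and includes a leak check that confirms no raw secret survives serialization. The field names other than initialization_code, the record layout and the sample values are assumptions constructed for the example.

```python
import json
from typing import Any, Dict, List, Optional

# Keys whose values act as credentials in the issuance workflow and must never
# reach a support analyst's screen. "initialization_code" is the data type named
# in the incident report; the other names and the record layout below are
# constructed for this example and are not DigiCert's schema.
SENSITIVE_FIELDS = {"initialization_code", "init_code", "pickup_password", "api_key"}
MASK = "********"

# Constructed sample account, shaped like what a proxy-mode view might fetch.
SAMPLE_ACCOUNT: Dict[str, Any] = {
    "customer_id": "C-0001",
    "company": "Example Corp",
    "contact": {"email": "admin@example.com", "api_key": "EXAMPLE-API-KEY-DO-NOT-SHOW"},
    "orders": [
        {"order_id": "O-1001", "product": "EV Code Signing", "status": "approved",
         "initialization_code": "EXAMPLE-INIT-CODE-1"},
        {"order_id": "O-1002", "product": "TLS", "status": "issued"},
    ],
}


def mask_sensitive(node: Any) -> Any:
    """Return a masked copy of node. Recurses through dicts and lists so a secret
    nested inside an order or contact object is masked like a top-level one.
    The input is never modified."""
    if isinstance(node, dict):
        return {
            key: (MASK if key.lower() in SENSITIVE_FIELDS and value is not None
                  else mask_sensitive(value))
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [mask_sensitive(item) for item in node]
    return node


def render_support_view(account: Dict[str, Any]) -> Dict[str, Any]:
    """Build the record handed to the proxy-mode UI. Masking happens here, before
    serialization, so no template or client-side code can forget to apply it."""
    return mask_sensitive(account)


def collect_secrets(node: Any, out: Optional[List[str]] = None) -> List[str]:
    """Gather every raw secret value from the unmasked record (used by the leak check)."""
    if out is None:
        out = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() in SENSITIVE_FIELDS and isinstance(value, str) and value:
                out.append(value)
            else:
                collect_secrets(value, out)
    elif isinstance(node, list):
        for item in node:
            collect_secrets(item, out)
    return out


def leaked_secrets(rendered: Any, original: Any) -> List[str]:
    """Serialize the rendered view and return any raw secret values still present.
    A non-empty result means masking missed a path; run this as a release test."""
    blob = json.dumps(rendered)
    return [secret for secret in collect_secrets(original) if secret in blob]


if __name__ == "__main__":
    view = render_support_view(SAMPLE_ACCOUNT)
    print(json.dumps(view, indent=2))
    print("leaked:", leaked_secrets(view, SAMPLE_ACCOUNT))
```

Masking by key name is deliberately conservative: a field that only ever holds a credential is blanked entirely rather than partially shown, because the code is useful to an attacker in full and a support analyst does not need any of it to troubleshoot an order's status.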






