
DigiCert Breach Via Screensaver Enables Malware Signing, Microsoft Defender Chaos

Blog | 4 min read | May 11, 2026

DigiCert confirmed that attackers breached its internal support portal on April 2 using a malicious screensaver file, fraudulently obtaining 27 code signing certificates that were used to sign the Zhong Stealer malware family. The incident triggered a cascade of disruption that extended far beyond the initial breach. Microsoft Defender’s overcautious response to the compromise mistakenly flagged legitimate DigiCert certificates as malware for three days in early May, automatically removing trusted certificates from Windows systems worldwide.

According to SecurityWeek, the attack began when a threat actor contacted DigiCert’s support team via customer chat and repeatedly sent a malicious ZIP file disguised as a screenshot. The file contained a .scr executable, a screensaver format that Windows treats as a native executable. CrowdStrike and other defences blocked four consecutive attempts, but the fifth succeeded.
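The initial access described above relied on a ZIP "screenshot" that actually held a .scr executable. The following PowerShell function is an added example (not eBuilder's or DigiCert's code) of the kind of intake check a helpdesk or mail gateway can run on such an archive without extracting it: it flags entries with executable extensions, image-looking double extensions such as `screenshot.png.scr`, and entries whose first bytes carry the PE `MZ` magic under a non-executable name. The extension lists and the quarantine path are assumptions.

```powershell
# Added example: triage a ZIP attachment in place, reading only entry names and
# the first two bytes of each entry. Extension lists are assumptions for illustration.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-SuspiciousArchive {
    param([Parameter(Mandatory)][string]$Path)

    $execExt  = @('.scr', '.exe', '.com', '.pif', '.cpl', '.bat', '.cmd', '.js', '.vbs', '.ps1', '.lnk')
    $imageExt = @('.png', '.jpg', '.jpeg', '.gif', '.bmp')
    $findings = @()

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }    # directory entries have an empty Name
            $name  = $entry.Name
            $ext   = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
            $inner = [System.IO.Path]::GetExtension(
                         [System.IO.Path]::GetFileNameWithoutExtension($name)).ToLowerInvariant()

            # Peek at the first two bytes: 0x4D 0x5A ("MZ") marks a Windows PE file.
            $stream = $entry.Open()
            try {
                $magic = New-Object byte[] 2
                $read  = $stream.Read($magic, 0, 2)
            } finally { $stream.Dispose() }
            $isPE = ($read -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)

            if ($execExt -contains $ext) {
                $findings += [pscustomobject]@{ Entry = $name; Reason = "executable extension $ext" }
            }
            if ($imageExt -contains $inner -and $execExt -contains $ext) {
                $findings += [pscustomobject]@{ Entry = $name; Reason = "image double extension $inner$ext" }
            }
            if ($isPE -and -not ($execExt -contains $ext)) {
                $findings += [pscustomobject]@{ Entry = $name; Reason = 'PE header (MZ) under a non-executable name' }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Usage (assumed quarantine path): any output means the archive should not be opened.
Test-SuspiciousArchive -Path 'C:\quarantine\screenshot.zip' | Format-Table -AutoSize
```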

One Phone Call Was Not Enough This Time

The DigiCert attack differs from the pattern we have seen from other sophisticated groups recently. Where Scattered Spider relies on helpdesk impersonation calls to reset passwords, the DigiCert attackers went straight to malware delivery. According to Help Net Security, the malicious payload infected two DigiCert endpoints, the second of which remained undetected for nearly two weeks because the CrowdStrike EDR agent on it was misconfigured and disconnected from central management.

The compromised systems gave attackers access to DigiCert’s internal support portal where they could view initialization codes for pending Extended Validation code signing certificates. DigiCert acknowledged that “possession of the initialisation code combined with an approved order, is functionally sufficient to generate and retrieve the corresponding certificate.” That combination handed attackers everything needed to issue valid certificates that would pass trust checks on any Windows system globally.

The Certificates Were Signing Chinese Malware

DigiCert revoked 60 certificates by April 17, 27 of which were explicitly linked to the attackers. According to Cybersecurity News, 11 were identified through community reports linking them to malware, while 16 were discovered during DigiCert’s investigation. The stolen certificates were used to sign payloads delivering Zhong Stealer, a credential- and cryptocurrency-stealing tool that security researchers have linked to GoldenEyeDog (APT-Q-27), a Chinese cybercrime group.

The attribution to Chinese actors rests on more than just the malware family. The malware’s attack chain includes first-stage decoy payloads and retrieval of additional components from cloud services, with the digitally signed binaries specifically designed to evade endpoint detection. Seven IP addresses used during certificate installation were also identified, though these connections alone do not constitute proof of state direction.

Microsoft Made the Fallout Worse

Microsoft’s response to the DigiCert breach created a separate crisis. On April 30, Microsoft Defender added detections for Trojan:Win32/Cerdigent.A!dha, targeting certificates potentially linked to the compromise. According to BleepingComputer, the detection logic proved overly broad and began flagging legitimate DigiCert root certificates as high-severity malware.

The false positives began appearing May 3 and continued until Microsoft released security intelligence update version 1.449.431.0 on May 3. During those three days, Defender automatically quarantined certificate entries from the Windows trust store, disrupting HTTPS connections, code signature validation and API calls that depended on DigiCert certificates. Microsoft confirmed the connection between the false positives and the DigiCert incident, stating they “immediately added detections for malware” to protect customers but admitted the logic was overly broad.

The dual disruption (compromised certificates used to sign malware, then legitimate certificates removed by security software) demonstrates how certificate authority breaches can create cascading failures across the entire trust infrastructure.

What This Means for Code Signing Trust

Extended Validation code signing certificates are the highest trust tier available to software developers. When Windows encounters a binary signed with an EV certificate, it displays the developer’s verified identity and grants elevated trust. The DigiCert compromise allowed attackers to sign malware with that same level of trust, effectively bypassing certificate-based security controls across millions of Windows systems.

This is not theoretical damage. Any organisation that installed software signed by DigiCert-issued certificates between April 2 and April 17 should treat those binaries as suspect until verified against DigiCert’s revocation list. The most urgent priority is retrospective threat hunting for Zhong Stealer activity across endpoints that may have executed malware that appeared fully trusted at the time.
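The verification step described above can be scripted. The following PowerShell function is an added example (not eBuilder's or DigiCert's code) that walks a directory of installed binaries, keeps those whose Authenticode signer was issued under a DigiCert name, builds the certificate chain with online CRL/OCSP revocation checking for the code-signing purpose, and separately flags signer certificates whose validity began inside the April 2 to April 17 window. Assumptions: the `NotBefore` date is used as a proxy for the incident window because `Get-AuthenticodeSignature` does not expose the signing time, the `'DigiCert'` issuer match is a simple substring test, and the scanned root path is illustrative.

```powershell
# Added example: retrospective check of signed binaries after the DigiCert incident.
# Window dates come from the article; NotBefore is used as an assumed proxy for signing time.
$WindowStart = [datetime]'2026-04-02'
$WindowEnd   = [datetime]'2026-04-17'

function Get-SuspectDigiCertBinaries {
    param([Parameter(Mandatory)][string]$Root)

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll, *.sys, *.msi | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if (-not $sig.SignerCertificate) { return }                        # unsigned: out of scope here
        if ($sig.SignerCertificate.Issuer -notmatch 'DigiCert') { return }  # assumed substring match

        # Build the chain with online revocation checking across the entire chain.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new($codeSigningOid))
        $null = $chain.Build($sig.SignerCertificate)
        $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $revoked = @($chain.ChainStatus | Where-Object { ($_.Status -band $revokedFlag) -ne 0 }).Count -gt 0
        $chain.Dispose()

        $notBefore = $sig.SignerCertificate.NotBefore
        $inWindow  = ($notBefore -ge $WindowStart) -and ($notBefore -le $WindowEnd)

        [pscustomobject]@{
            Path           = $_.FullName
            Status         = $sig.Status                  # Valid, NotTrusted, HashMismatch, ...
            Subject        = $sig.SignerCertificate.Subject
            Thumbprint     = $sig.SignerCertificate.Thumbprint
            Revoked        = $revoked
            IssuedInWindow = $inWindow
        }
    } | Where-Object { $_.Revoked -or $_.IssuedInWindow -or $_.Status -ne 'Valid' }
}

# Usage (illustrative path): every row is a binary to hold back until the signer is cleared.
Get-SuspectDigiCertBinaries -Root 'C:\Program Files' | Format-Table -AutoSize
```

Note that a timestamped signature made before a certificate's revocation date can still validate, so a `Valid` status alone does not clear a binary whose signer certificate was issued in the window.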

References

  1. DigiCert breached via malicious screensaver file
  2. DigiCert Revokes Certificates After Support Portal Hack
  3. Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha
  4. DigiCert Hacked via Weaponized Screensaver File
  5. DigiCert hacked with a malicious screensaver file
  6. DigiCert Official Incident Report
