DigiCert’s Internal Support Breach
In a significant security incident in early April 2026, a threat actor gained a foothold in DigiCert's internal support environment by delivering a malicious Windows screensaver (.scr) executable, disguised as a screenshot, to support analysts. The attacker's objective was to obtain EV Code Signing certificates, which were subsequently used to sign and distribute the 'Zhong Stealer' malware.
Details of the April 2026 Breach
On April 2, 2026, a cybercriminal engaged DigiCert's customer support through a Salesforce-based chat and repeatedly sent a ZIP file presented as a screenshot. The archive actually contained a .scr file, which Windows treats as an ordinary executable and runs when opened. CrowdStrike blocked the first four attempts; the fifth succeeded in compromising the endpoint of a support analyst, marking the beginning of the breach.
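The delivery technique described above, an executable with a screensaver extension packed into an archive that claims to be a screenshot, is something an intake or mail-gateway check can flag before an analyst opens it. The following added example (not DigiCert's or CrowdStrike's code; the extension list, the "image-like" heuristics and the sample archive are assumptions constructed for illustration) inspects each ZIP member's real content by magic bytes rather than trusting its name, and reports members that carry a PE (MZ) header, an executable extension, or a double extension such as `.png.scr`:

```python
"""Triage helper: flag archive members whose name claims an image but whose
content or extension says "executable". Added example, not vendor code."""
import io
import zipfile
from typing import Dict, List

# Extensions Windows executes directly as PE files (assumption: illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".cpl"}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
PE_MAGIC = b"MZ"  # DOS header that every Windows PE file starts with


def sniff(head: bytes) -> str:
    """Classify content by leading bytes, independent of the file name."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    if head.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def triage_zip(zip_bytes: bytes) -> List[Dict]:
    """Return one finding per suspicious member; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            parts = lower.rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                kind = sniff(fh.read(16))
            reasons = []
            if kind == "pe":
                reasons.append("PE (MZ) content")
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            # "screenshot.png.scr": an image extension buried before the real one
            if len(parts) > 2 and any("." + p in IMAGE_EXTENSIONS for p in parts[1:-1]):
                reasons.append("double extension")
            if reasons:
                findings.append({"member": name, "content": kind, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one genuine PNG-looking member and one PE stub
    named like a screenshot (the date echoes the incident; the bytes are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("real_screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        zf.writestr("screenshot_2026-04-02.png.scr", b"MZ" + b"\x90" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

The decisive signal is the content check: a renamed executable keeps its `MZ` header no matter what the name or the chat message says, so the rule fires even when the extension has been chosen to look harmless.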
The compromised machine was isolated on April 3, 2026, but the investigation later revealed a critical gap: a second machine was compromised on April 4, 2026, and because its CrowdStrike sensor was malfunctioning, that compromise went undetected until April 14, 2026. Throughout this period the attacker had unfettered access to DigiCert's systems.
Exploitation of DigiCert Systems
Using the compromised analyst accounts, the intruder moved through DigiCert's internal customer support portal. A feature that lets support staff view customer accounts exposed the initialization codes for pending EV Code Signing certificate orders. Although the feature does not permit account management or order submission, the initialization codes alone were enough for the attacker to activate valid certificates.
Between April 14 and April 17, 2026, DigiCert revoked 60 EV Code Signing certificates issued through four Certificate Authorities. Of these, 27 were directly linked to the attacker; the remainder were revoked as a precaution because customer control over them could not be confirmed.
Implications and Response
The stolen certificates were used to distribute the 'Zhong Stealer,' malware associated with cybercriminal groups focused on cryptocurrency theft. Although the malware is linked to the Chinese group GoldenEyeDog (APT-Q-27), it remains unclear whether that group orchestrated the DigiCert breach itself. The campaign combined phishing and decoy payloads with digitally signed binaries, relying on the valid signatures to pass security controls.
In response, DigiCert revoked all compromised certificates within 24 hours of discovery and implemented several security enhancements. These included blocking access to Code Signing initialization codes, disabling Okta FastPass for support access, and enhancing MFA requirements.
Future Outlook and Recommendations
Organizations that rely on code-signing validation must ensure that the revoked DigiCert certificates are no longer trusted within their systems. This includes confirming that the certificates have been removed from internal allowlists and pinned signer configurations, which do not consult revocation status on their own. DigiCert's rapid response underscores the importance of robust security protocols and continual monitoring in mitigating such threats.
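A revocation only protects systems that actually check it; an allowlist keyed by thumbprint or a pinned signer configuration will keep accepting a revoked certificate until someone removes the entry. The following added example (not DigiCert's code or tooling; the issuer names, serials and thumbprints are constructed placeholders, not the real revoked certificates) audits allowlist entries against a revoked-certificate list. It matches either by certificate thumbprint or by the (issuer, serial) pair that a CRL uses, and normalizes both before comparing, because differing case, separators and a leading `00` byte on the serial are the usual reasons such an audit misses a match:

```python
"""Audit code-signing allowlist entries against revoked certificates.
Added example with constructed placeholder data; not DigiCert's tooling."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_NON_HEX = re.compile(r"[^0-9a-fA-F]")


def normalize_thumbprint(value: str) -> str:
    """Fixed-width fingerprint: drop separators (colons, spaces) and case only."""
    return _NON_HEX.sub("", value).lower()


def normalize_serial(value: str) -> str:
    """Serial numbers additionally lose leading zeros: CRLs and GUI dumps disagree
    about whether a high-bit serial is shown with its leading 00 byte."""
    cleaned = _NON_HEX.sub("", value).lower().lstrip("0")
    return cleaned or "0"


def normalize_issuer(value: str) -> str:
    """Collapse whitespace and case so two renderings of the same DN compare equal."""
    return " ".join(value.split()).lower()


@dataclass(frozen=True)
class RevokedCert:
    issuer: str
    serial: str
    thumbprint_sha1: Optional[str] = None  # not every revocation feed carries one


@dataclass(frozen=True)
class AllowlistEntry:
    source: str  # where this trust decision lives, e.g. a publisher rule or pinned config
    issuer: Optional[str] = None
    serial: Optional[str] = None
    thumbprint_sha1: Optional[str] = None


def audit(allowlist: List[AllowlistEntry], revoked: List[RevokedCert]) -> List[Dict]:
    """Return one hit per allowlist entry that still trusts a revoked certificate."""
    by_thumb: Dict[str, RevokedCert] = {
        normalize_thumbprint(r.thumbprint_sha1): r for r in revoked if r.thumbprint_sha1
    }
    by_issuer_serial: Dict[Tuple[str, str], RevokedCert] = {
        (normalize_issuer(r.issuer), normalize_serial(r.serial)): r for r in revoked
    }
    hits = []
    for entry in allowlist:
        match, how = None, None
        if entry.thumbprint_sha1:
            match = by_thumb.get(normalize_thumbprint(entry.thumbprint_sha1))
            how = "thumbprint"
        if match is None and entry.issuer and entry.serial:
            key = (normalize_issuer(entry.issuer), normalize_serial(entry.serial))
            match = by_issuer_serial.get(key)
            how = "issuer+serial"
        if match is not None:
            hits.append({"source": entry.source, "matched_by": how, "revoked": match})
    return hits


# Constructed placeholders; no real DigiCert certificate data is used here.
PLACEHOLDER_ISSUER = "CN=Example EV Code Signing CA (placeholder)"
SAMPLE_REVOKED = [
    RevokedCert(PLACEHOLDER_ISSUER, "0A:1B:2C:3D:4E:5F",
                "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),
    RevokedCert(PLACEHOLDER_ISSUER, "77:88:99"),  # feed gives issuer+serial only
]
SAMPLE_ALLOWLIST = [
    # Same thumbprint as the first revoked cert, but upper-case and space-separated.
    AllowlistEntry("AppLocker publisher rule",
                   thumbprint_sha1="DE AD BE EF DE AD BE EF DE AD BE EF DE AD BE EF DE AD BE EF"),
    # Same cert as the second revoked entry, rendered with a leading 00 and lower-case DN.
    AllowlistEntry("pinned signer config",
                   issuer="cn=example ev code signing ca (placeholder)", serial="00778899"),
    AllowlistEntry("internal build signer",
                   issuer="CN=Internal Build CA (placeholder)", serial="01"),
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_ALLOWLIST, SAMPLE_REVOKED):
        print(f"{hit['source']}: still trusts revoked cert (matched by {hit['matched_by']})")
```

In practice the revoked list would be populated from the CA's published revocation data and the allowlist from exported AppLocker, WDAC or pipeline signer rules; the normalization step is what keeps a cosmetic formatting difference from turning into a still-trusted revoked certificate.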
