DigiCert Hacked: Attackers Steal EV Code Signing Certificates via Weaponized Screensaver
Key Takeaways DigiCert’s internal support environment was breached in April 2026 through social engineering. Attackers stole 27 EV Code Signing certificates, with 33 more revoked proactively,...
Key Takeaways
- DigiCert’s internal support environment was breached in April 2026 through social engineering.
- Attackers stole 27 EV Code Signing certificates, with 33 more revoked proactively, by exploiting a support portal feature.
- The stolen certificates were used to sign and distribute the “Zhong Stealer” malware.
- A malfunctioning endpoint sensor on a second compromised machine allowed attackers undetected access for ten days.
- DigiCert has implemented multiple mitigations, including code changes, stricter MFA, and account suspensions.
In early April 2026, DigiCert, a prominent certificate authority, experienced a security breach within its internal support systems that led to the theft of multiple Extended Validation (EV) Code Signing certificates. Threat actors leveraged a sophisticated social engineering tactic, tricking support personnel into executing a malicious screensaver file, which ultimately paved the way for the unauthorized acquisition of these high-value digital credentials.
Table Of Content
The incident began on April 2, 2026, when an attacker engaged DigiCert’s customer support via a Salesforce-powered chat. During this interaction, the threat actor repeatedly attempted to deliver a malicious ZIP archive, deceptively presented as a customer screenshot.
The ZIP file contained a .scr (screensaver) executable. This technique exploits how Windows operating systems treat .scr files as native executables, a common social engineering vector.
Initial defenses proved effective; CrowdStrike and other endpoint security solutions successfully blocked four consecutive delivery attempts. However, a fifth attempt bypassed these protections, leading to the compromise of ENDPOINT1, a machine used by a support analyst. DigiCert’s Trust Operations team swiftly identified and isolated ENDPOINT1 by April 3, 2026.
Despite this rapid response, a critical oversight emerged. On April 4, 2026, a second machine, ENDPOINT2, was also compromised using the identical attack vector. A faulty CrowdStrike sensor on ENDPOINT2 prevented its detection during the initial April 3 investigation, creating a significant blind spot.
DigiCert did not become aware of the ENDPOINT2 breach until April 14, 2026. This ten-day period granted the attackers unfettered access to the compromised system.
Leveraging the compromised analyst accounts, the threat actor gained entry to DigiCert’s internal customer support portal. From there, they exploited a specific feature designed to allow authenticated support staff to view customer accounts from the customer’s perspective. While this functionality is restricted and does not permit account management, API key access, or order submissions, it exposed initialization codes for approved but undelivered EV Code Signing certificate orders across a limited set of customer accounts.
Crucially, possessing an initialization code for an already-approved order is sufficient to obtain and activate a valid certificate. This vulnerability provided the attackers with a direct path to acquiring legitimate, CA-signed credentials.
Zhong Stealer Malware via Stolen Certificates
Between April 14 and April 17, 2026, DigiCert moved to revoke 60 EV Code Signing certificates. These certificates had been issued by four distinct Certificate Authorities: DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1, and Verokey High Assurance Secure Code EV. Of the revoked certificates, 27 were directly linked to the threat actor—11 identified through community problem reports and 16 during DigiCert’s internal investigation.
The remaining 33 certificates were revoked as a precautionary measure due to unconfirmed customer control.
The stolen certificates were subsequently used to digitally sign payloads associated with the Zhong Stealer malware family. Zhong Stealer is known for its role in cryptocurrency theft and has been previously linked to cybercrime groups.
Security researchers have attributed the Zhong Stealer campaign to GoldenEyeDog (APT-Q-27), a Chinese e-crime group. However, it remains unconfirmed whether this group was directly responsible for the initial DigiCert breach.
The malware’s distribution chain typically involves phishing emails with fake screenshots, initial decoy payloads, and the retrieval of additional malicious components from cloud services like AWS. Digitally signed binaries are specifically employed to evade endpoint detection systems.
All 60 compromised certificates were revoked within 24 hours of discovery. DigiCert implemented immediate countermeasures, including code changes to block proxied support users from viewing Code Signing initialization codes at both UI and API layers, disabling Okta FastPass for support portal access, reinforcing MFA requirements, and suspending accounts of affected analysts.
Pending Code Signing orders were also canceled to eliminate any potential residual access for the threat actor. DigiCert identified seven IP addresses utilized by the attacker during certificate installation: 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, and 45.144.227[.]29.
Key IOCs and Indicators
| Indicator | Details |
|---|---|
| Malware family | Zhong Stealer (RAT/Stealer hybrid) |
| Attributed threat actor | GoldenEyeDog / APT-Q-27 (unconfirmed for breach) |
| Malicious file types | .scr executable inside ZIP archive |
| Attacker IPs | 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, 45.144.227[.]29 |
| Total certificates revoked | 60 EV Code Signing |
| Certificates directly attributed to attacker | 27 |
| Non-compliance window | April 4 – April 17, 2026 |
What You Should Do
- Immediately verify that all 60 revoked DigiCert certificates have been propagated across your organization’s Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) infrastructure.
- Ensure that none of the revoked certificates are present in any internal allowlists or pinned certificate configurations.
- Educate employees, particularly support staff, on advanced social engineering tactics, including malicious file extensions and suspicious attachments in chat or email communications.
- Review and strengthen endpoint detection and response (EDR) sensor health monitoring to prevent detection gaps.
- Implement strict access controls and multi-factor authentication (MFA) for all internal systems, especially those handling sensitive customer data or certificate management.
- Regularly audit logs for unusual access patterns or activity within support portals and certificate management systems.
- Consider implementing stricter email and chat attachment policies to block potentially malicious file types like
.scr,.zipcontaining executables, or other suspicious formats.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.