Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Linux Kernel FUSE Vulnerability (CVE-2023-XXXX) Lets Attackers Gain Root Privileges
July 10, 2026
Critical GNU Guix Vulnerabilities Let Attackers Elevate Privileges
July 10, 2026
Critical Windows Shortcut Vulnerability Allows Remote Code Execution
July 10, 2026
Home/CyberSecurity News/DigiCert Hacked: Attackers Steal EV Code Signing Certificates via Weaponized Screensaver
CyberSecurity News

DigiCert Hacked: Attackers Steal EV Code Signing Certificates via Weaponized Screensaver

Key Takeaways DigiCert’s internal support environment was breached in April 2026 through social engineering. Attackers stole 27 EV Code Signing certificates, with 33 more revoked proactively,...

David kimber
David kimber
May 4, 2026 4 Min Read
65 0

Key Takeaways

  • DigiCert’s internal support environment was breached in April 2026 through social engineering.
  • Attackers stole 27 EV Code Signing certificates, with 33 more revoked proactively, by exploiting a support portal feature.
  • The stolen certificates were used to sign and distribute the “Zhong Stealer” malware.
  • A malfunctioning endpoint sensor on a second compromised machine allowed attackers undetected access for ten days.
  • DigiCert has implemented multiple mitigations, including code changes, stricter MFA, and account suspensions.

In early April 2026, DigiCert, a prominent certificate authority, experienced a security breach within its internal support systems that led to the theft of multiple Extended Validation (EV) Code Signing certificates. Threat actors leveraged a sophisticated social engineering tactic, tricking support personnel into executing a malicious screensaver file, which ultimately paved the way for the unauthorized acquisition of these high-value digital credentials.

Table Of Content

  • Key Takeaways
  • Zhong Stealer Malware via Stolen Certificates
  • Key IOCs and Indicators
  • What You Should Do

The incident began on April 2, 2026, when an attacker engaged DigiCert’s customer support via a Salesforce-powered chat. During this interaction, the threat actor repeatedly attempted to deliver a malicious ZIP archive, deceptively presented as a customer screenshot.

The ZIP file contained a .scr (screensaver) executable. This technique exploits how Windows operating systems treat .scr files as native executables, a common social engineering vector.

Initial defenses proved effective; CrowdStrike and other endpoint security solutions successfully blocked four consecutive delivery attempts. However, a fifth attempt bypassed these protections, leading to the compromise of ENDPOINT1, a machine used by a support analyst. DigiCert’s Trust Operations team swiftly identified and isolated ENDPOINT1 by April 3, 2026.

Despite this rapid response, a critical oversight emerged. On April 4, 2026, a second machine, ENDPOINT2, was also compromised using the identical attack vector. A faulty CrowdStrike sensor on ENDPOINT2 prevented its detection during the initial April 3 investigation, creating a significant blind spot.

DigiCert did not become aware of the ENDPOINT2 breach until April 14, 2026. This ten-day period granted the attackers unfettered access to the compromised system.

Leveraging the compromised analyst accounts, the threat actor gained entry to DigiCert’s internal customer support portal. From there, they exploited a specific feature designed to allow authenticated support staff to view customer accounts from the customer’s perspective. While this functionality is restricted and does not permit account management, API key access, or order submissions, it exposed initialization codes for approved but undelivered EV Code Signing certificate orders across a limited set of customer accounts.

Crucially, possessing an initialization code for an already-approved order is sufficient to obtain and activate a valid certificate. This vulnerability provided the attackers with a direct path to acquiring legitimate, CA-signed credentials.

Zhong Stealer Malware via Stolen Certificates

Between April 14 and April 17, 2026, DigiCert moved to revoke 60 EV Code Signing certificates. These certificates had been issued by four distinct Certificate Authorities: DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1, and Verokey High Assurance Secure Code EV. Of the revoked certificates, 27 were directly linked to the threat actor—11 identified through community problem reports and 16 during DigiCert’s internal investigation.

The remaining 33 certificates were revoked as a precautionary measure due to unconfirmed customer control.

The stolen certificates were subsequently used to digitally sign payloads associated with the Zhong Stealer malware family. Zhong Stealer is known for its role in cryptocurrency theft and has been previously linked to cybercrime groups.

Security researchers have attributed the Zhong Stealer campaign to GoldenEyeDog (APT-Q-27), a Chinese e-crime group. However, it remains unconfirmed whether this group was directly responsible for the initial DigiCert breach.

The malware’s distribution chain typically involves phishing emails with fake screenshots, initial decoy payloads, and the retrieval of additional malicious components from cloud services like AWS. Digitally signed binaries are specifically employed to evade endpoint detection systems.

All 60 compromised certificates were revoked within 24 hours of discovery. DigiCert implemented immediate countermeasures, including code changes to block proxied support users from viewing Code Signing initialization codes at both UI and API layers, disabling Okta FastPass for support portal access, reinforcing MFA requirements, and suspending accounts of affected analysts.

Pending Code Signing orders were also canceled to eliminate any potential residual access for the threat actor. DigiCert identified seven IP addresses utilized by the attacker during certificate installation: 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, and 45.144.227[.]29.

Key IOCs and Indicators

Indicator Details
Malware family Zhong Stealer (RAT/Stealer hybrid)
Attributed threat actor GoldenEyeDog / APT-Q-27 (unconfirmed for breach)
Malicious file types .scr executable inside ZIP archive
Attacker IPs 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, 45.144.227[.]29
Total certificates revoked 60 EV Code Signing
Certificates directly attributed to attacker 27
Non-compliance window April 4 – April 17, 2026

What You Should Do

  • Immediately verify that all 60 revoked DigiCert certificates have been propagated across your organization’s Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) infrastructure.
  • Ensure that none of the revoked certificates are present in any internal allowlists or pinned certificate configurations.
  • Educate employees, particularly support staff, on advanced social engineering tactics, including malicious file extensions and suspicious attachments in chat or email communications.
  • Review and strengthen endpoint detection and response (EDR) sensor health monitoring to prevent detection gaps.
  • Implement strict access controls and multi-factor authentication (MFA) for all internal systems, especially those handling sensitive customer data or certificate management.
  • Regularly audit logs for unusual access patterns or activity within support portals and certificate management systems.
  • Consider implementing stricter email and chat attachment policies to block potentially malicious file types like .scr, .zip containing executables, or other suspicious formats.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitMalwarephishingSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

BlueKit Phishing Automates Domain, 2FA Lures, and Session Hijacking

Next Post

Critical Apache HTTP Server Bug CVE-2021-41773 Lets Attackers Remotely Execute Code

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
New Windows Process Injection Technique Evades 4 EDR Solutions
July 10, 2026
Xalgorix AI Tool Vulnerability Exposes Sensitive Data
July 10, 2026
Odyssey Stealer Targets macOS Users and 300 Crypto Wallet Extensions Globally
July 10, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us