A sophisticated threat actor has successfully breached DigiCert, one of the world’s most trusted Certificate Authorities, in a multi-stage attack that combined social engineering, endpoint detection evasion, and the theft of EV (Extended Validation) Code Signing certificates. The stolen certificates were subsequently used to sign malware payloads delivering the Zhong Stealer malware family, enabling attackers to bypass endpoint security tools that rely on certificate trust.
How the Attack Unfolded
On April 2, 2026, a threat actor contacted DigiCert’s customer support team through the company’s Salesforce-based chat platform. Posing as a customer seeking assistance, the attacker repeatedly sent a malicious ZIP archive disguised as a customer-provided screenshot. The archive contained a .scr file — a Windows screensaver executable — exploiting the fact that Windows treats .scr files as native executables and users rarely scrutinize their extensions.
CrowdStrike and other endpoint defenses on the target workstations blocked four consecutive delivery attempts. On the fifth attempt, the payload succeeded, compromising ENDPOINT1, a machine operated by a DigiCert support analyst. DigiCert’s Trust Operations team detected and isolated ENDPOINT1 by April 3, 2026 — a relatively rapid response. However, the investigation had a critical blind spot.
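The delivery vector above (an executable with a screensaver extension inside a ZIP that is presented as a screenshot) is something an attachment gateway or chat-platform upload hook can screen for before a file ever reaches an analyst. The following is an added example written for this article, not DigiCert's tooling or code from the incident; the extension lists and the sample archives are constructed for illustration. It applies three independent checks, so that renaming alone does not defeat it: a directly executable extension, an image extension followed by an executable one, and a PE `MZ` header in the content regardless of the file name.

```python
import io
import zipfile

# Extensions Windows runs when a user opens the file. .scr is the one used in the
# DigiCert intrusion; the others are common equivalents added here as an assumption.
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi",
}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp"}


def _all_suffixes(name):
    """Every suffix of a member name, lower-cased: 'a.png.scr' -> ['.png', '.scr']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_archive(data):
    """Inspect an in-memory ZIP and return a list of (member, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = _all_suffixes(info.filename)
            last = suffixes[-1] if suffixes else ""
            # 1. the final extension is one Windows will execute
            if last in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, f"executable extension {last}"))
            # 2. double extension: looks like an image, runs as a program
            if len(suffixes) >= 2 and suffixes[-2] in IMAGE_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "image extension followed by executable extension"))
            # 3. content check: a PE file starts with 'MZ' whatever it is called
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings.append((info.filename, "PE (MZ) header in content"))
    return findings


def should_block(data):
    """Policy decision for an upload: block if any check fires."""
    return bool(inspect_archive(data))


def build_sample_archive():
    """Constructed sample: a ZIP that claims to be a screenshot but carries a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # inert bytes: only the two-byte MZ magic, no real program
        zf.writestr("screenshot.png.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"see attached screenshot")
    return buf.getvalue()


def build_clean_archive():
    """Constructed sample: a ZIP holding a genuine-looking PNG header only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_archive(build_sample_archive()):
        print(f"BLOCK {member}: {reason}")
```

The content check is the one that matters most: an attacker controls the file name but not the fact that Windows will only run the payload if it is a valid PE image, and that image always begins with `MZ`.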
The 10-Day Undetected Window on ENDPOINT2
On April 4, 2026, the same delivery vector compromised a second machine — ENDPOINT2. A malfunctioning CrowdStrike sensor on this machine created a detection gap, meaning the compromise went entirely undetected during the April 3 investigation. DigiCert only discovered the ENDPOINT2 breach on April 14, 2026 — a ten-day window during which the attacker had unrestricted access to a support analyst’s account and environment.
This gap proved decisive. Using the compromised analyst accounts, the threat actor accessed DigiCert’s internal customer support portal and exploited a feature that allows authenticated support staff to view customer accounts from the customer’s perspective — a “view as customer” proxy capability. While this function does not permit account management, API-key access, or order submissions, it does expose initialization codes for approved but undelivered EV Code Signing certificate orders.
Critically, an initialization code combined with an already-approved certificate order is sufficient to obtain and activate a valid, CA-signed certificate. This gave the attacker a direct pathway to legitimate certificates without ever needing to compromise DigiCert’s core certificate issuance infrastructure.
60 Certificates Revoked, 27 Confirmed Stolen
Between April 14 and April 17, 2026, DigiCert revoked 60 EV Code Signing certificates across four Certificate Authorities:
- DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
- GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
- Verokey High Assurance Secure Code EV
Of the 60 revoked certificates, 27 were explicitly linked to the threat actor — 11 identified through community-submitted certificate problem reports and 16 discovered during DigiCert’s own internal investigation. The remaining 33 were revoked as a precautionary measure where customer control could not be explicitly confirmed.
Zhong Stealer and the GoldenEyeDog Connection
The stolen certificates were used to digitally sign payloads delivering Zhong Stealer, a malware family previously associated with cybercrime groups involved in cryptocurrency theft. Security researchers have linked the Zhong Stealer campaign to GoldenEyeDog (APT-Q-27), a known Chinese e-crime group, though DigiCert has not confirmed whether GoldenEyeDog was directly responsible for the breach itself.
The malware’s attack chain is sophisticated:
- Phishing lures using fake screenshots — the same social engineering vector used in the DigiCert compromise itself
- First-stage decoy payloads designed to evade initial analysis
- Retrieval of additional malware stages from cloud services including AWS
- Digitally signed binaries using the stolen EV certificates to bypass endpoint detection tools that rely on code-signing trust
This last element is particularly insidious: by using legitimate, CA-signed EV certificates, the malware appeared trustworthy to security tools that check digital signatures. EV Code Signing certificates carry the highest trust level in the Windows ecosystem, meaning signed payloads can bypass SmartScreen warnings and many AV heuristics.
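Because a valid signature suppresses the usual warnings, detection has to lean on behaviour rather than trust. The attack chain above pairs a signed first stage with retrieval of later stages from AWS, and that pairing is something a correlation rule can catch. The code below is an added example, not a rule from DigiCert or from any vendor: it runs over a few constructed JSON-lines telemetry events in a generic EDR-like shape (the field names are assumptions, not a real product schema) and flags any signed process that connects to an `amazonaws.com` host within two minutes of starting.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (generic shape, not a real product's schema).
SAMPLE_EVENTS = r"""
{"ts": "2026-04-05T09:12:01Z", "type": "process_create", "pid": 4120, "image": "C:\\Users\\analyst\\Downloads\\screenshot.scr", "signed": true, "signer_issuer": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"}
{"ts": "2026-04-05T09:12:03Z", "type": "network_connect", "pid": 4120, "dest_host": "example-bucket.s3.amazonaws.com", "dest_port": 443}
{"ts": "2026-04-05T09:13:00Z", "type": "process_create", "pid": 5001, "image": "C:\\Program Files\\Vendor\\updater.exe", "signed": true, "signer_issuer": "Some Other CA"}
{"ts": "2026-04-05T09:13:02Z", "type": "network_connect", "pid": 5001, "dest_host": "updates.vendor.example", "dest_port": 443}
{"ts": "2026-04-05T09:20:00Z", "type": "process_create", "pid": 6100, "image": "C:\\Tools\\backup.exe", "signed": false, "signer_issuer": null}
{"ts": "2026-04-05T09:20:01Z", "type": "network_connect", "pid": 6100, "dest_host": "backups.s3.amazonaws.com", "dest_port": 443}
"""

# Assumption: AWS service endpoints end in amazonaws.com; extend for your environment.
AWS_SUFFIXES = (".amazonaws.com",)
WINDOW = timedelta(seconds=120)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def is_aws_host(host):
    h = host.lower()
    return any(h == s[1:] or h.endswith(s) for s in AWS_SUFFIXES)


def detect_signed_then_aws(events, window=WINDOW):
    """Flag signed processes that reach an AWS endpoint within `window` of starting.

    Unsigned processes are deliberately left to other rules; this one exists to
    catch exactly the case where a valid signature would otherwise buy trust.
    """
    starts = {}  # pid -> most recent process_create (later creates overwrite, handling pid reuse)
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            starts[e["pid"]] = e
        elif e["type"] == "network_connect" and is_aws_host(e["dest_host"]):
            proc = starts.get(e["pid"])
            if proc is None or not proc.get("signed"):
                continue
            delta = e["ts"] - proc["ts"]
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "pid": e["pid"],
                    "image": proc["image"],
                    "signer_issuer": proc.get("signer_issuer"),
                    "dest_host": e["dest_host"],
                    "seconds_after_start": int(delta.total_seconds()),
                })
    return alerts


def run_sample():
    return detect_signed_then_aws(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT pid={a['pid']} {a['image']} -> {a['dest_host']} "
              f"({a['seconds_after_start']}s after start, signer: {a['signer_issuer']})")
```

In production the same rule would be enriched with the signer's issuer (the four CAs listed above) and with the process's launch directory, since a signed `.scr` starting from a Downloads folder deserves a higher score than a signed updater in Program Files.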
DigiCert’s Remediation Steps
Following the discovery, DigiCert took the following actions:
- All 60 compromised certificates were revoked within 24 hours of discovery
- Code changes were deployed blocking proxied support users from viewing Code Signing initialization codes at both the UI and API layers
- Okta FastPass was disabled for support portal access, with tightened MFA requirements
- Accounts of all affected analysts were suspended
- All pending Code Signing orders were canceled to eliminate any residual threat actor access pathways
- Seven IP addresses used by the attacker were identified and shared with threat intelligence partners
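The second remediation item, blocking proxied support users from seeing initialization codes at both the UI and API layers, is at heart a field-level authorization problem: a "view as customer" session should see the customer's order, but not the one secret that turns an approved order into a certificate. The code below is an added illustration of that design, not DigiCert's portal code; the `Session` and `CodeSigningOrder` types and the field names are assumptions. The point it makes is that the restriction lives in the one serializer both the UI and the API call, so the two layers cannot drift apart, and every redaction is written to an audit trail.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    acting_customer: str   # the customer account being viewed
    is_proxy: bool         # True when support staff are viewing "as customer"


@dataclass
class CodeSigningOrder:
    order_id: str
    customer: str
    status: str                 # e.g. "approved" (paid for, not yet delivered) or "issued"
    initialization_code: str    # with an approved order, this alone lets the holder obtain the certificate


# Fields only the account owner may ever see, declared once and enforced in one place.
OWNER_ONLY_FIELDS = frozenset({"initialization_code"})


def serialize_order(order, session, audit):
    """Build the order view for this session; UI and API both call this and nothing else.

    `audit` is any list-like sink; each withheld field is recorded there.
    """
    if order.customer != session.acting_customer:
        raise PermissionError("order belongs to a different customer")
    view = {"order_id": order.order_id, "customer": order.customer, "status": order.status}
    for name in sorted(OWNER_ONLY_FIELDS):
        if session.is_proxy:
            view[name] = "[redacted]"
            audit.append(f"deny field={name} order={order.order_id} "
                         f"user={session.user_id} proxy=True")
        else:
            view[name] = getattr(order, name)
    return view


def demo():
    """Constructed sample: the same order viewed by its owner and by a proxied analyst."""
    order = CodeSigningOrder("ORD-0001", "acme", "approved", "INIT-CODE-PLACEHOLDER")
    audit = []
    owner_view = serialize_order(order, Session("acme-admin", "acme", is_proxy=False), audit)
    proxy_view = serialize_order(order, Session("support-42", "acme", is_proxy=True), audit)
    return owner_view, proxy_view, audit


if __name__ == "__main__":
    owner_view, proxy_view, audit = demo()
    print("owner sees:", owner_view)
    print("proxy sees:", proxy_view)
    print("audit:", audit)
```

Enforcing the rule at the serializer rather than hiding the field in a template is what closes the API path as well as the UI path; a proxied session that calls the JSON endpoint directly gets the same redacted view.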
Implications for Organizations Using Code Signing
This breach carries significant implications for the broader software supply chain security ecosystem. If you rely on code signing trust as a security control, consider the following:
- Verify certificate revocation status before trusting signed software, particularly software signed by DigiCert sub-CAs between April 2 and April 17, 2026.
- Monitor for Zhong Stealer indicators of compromise in your environment — particularly processes retrieving payloads from AWS services following execution of signed binaries.
- Review trust policies that automatically allow execution of EV-signed binaries without additional verification.
- Apply the principle of least privilege to any support tooling that provides view-as-customer proxy access, and audit what sensitive data is exposed through such interfaces.
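The first and third recommendations above (check revocation, and do not let EV status alone grant execution) can be expressed as a small triage policy that sits on top of whatever tool extracts the signer details from a binary (for example `Get-AuthenticodeSignature` or `signtool verify`). What follows is an added example written for this article, not code from DigiCert or from the article's author. The CA names and the April 2 to April 17, 2026 window come from the article; the serial numbers, revocation dates and the `SignerInfo` shape are constructed placeholders. It also goes one step beyond the text: Authenticode honours a trusted timestamp countersignature, so a signature made before a certificate's revocation date still verifies, which is why a CA responding to key theft sets the revocation date back to the time of compromise. The policy therefore compares the revocation date with the signing time instead of treating "revoked" as a single bit.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# The four issuing CAs named in the revocation notice (from the article).
AFFECTED_ISSUERS = frozenset({
    "DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1",
    "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
    "GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1",
    "Verokey High Assurance Secure Code EV",
})
# Window during which stolen certificates may have been used (from the article).
WINDOW_START = datetime(2026, 4, 2)
WINDOW_END = datetime(2026, 4, 17, 23, 59, 59)


@dataclass(frozen=True)
class SignerInfo:
    """Facts a signature verifier can report about a signed binary (constructed shape)."""
    issuer: str
    serial: str
    ev: bool
    signing_time: Optional[datetime]   # from the timestamp countersignature; None if untimestamped


@dataclass(frozen=True)
class RevocationEntry:
    serial: str
    revocation_date: datetime


def lookup_revocation(serial, crl):
    for entry in crl:
        if entry.serial.lower() == serial.lower():
            return entry
    return None


def triage(signer, crl):
    """Return (verdict, reason); verdict is 'deny', 'review' or 'allow'.

    EV status is recorded but never short-circuits to 'allow': it is a factor, not a bypass.
    """
    entry = lookup_revocation(signer.serial, crl)
    if entry is not None:
        # Authenticode trusts a timestamped signature made before the revocation date
        # (known Authenticode behaviour, stated here as background, not from the article).
        if signer.signing_time is None or entry.revocation_date <= signer.signing_time:
            return ("deny", f"certificate revoked effective {entry.revocation_date:%Y-%m-%d}")
        return ("review", "certificate revoked after the signature's timestamp; confirm provenance")
    if signer.signing_time is None:
        return ("review", "no trusted timestamp; signing time cannot be bounded")
    if signer.issuer in AFFECTED_ISSUERS and WINDOW_START <= signer.signing_time <= WINDOW_END:
        return ("review", "issued by an affected CA and signed inside the incident window")
    return ("allow", "not revoked and outside the incident window")


# Constructed sample CRL: serials and dates are placeholders, not real certificates.
SAMPLE_CRL = [
    RevocationEntry("0A1B2C", datetime(2026, 4, 3)),    # backdated to before any use: nothing signed with it is trusted
    RevocationEntry("0D0E0F", datetime(2026, 4, 16)),   # revoked after some legitimate, timestamped signing
]


def examples():
    """Four constructed cases covering each branch of the policy."""
    cases = {
        "stolen_backdated": SignerInfo("DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
                                       "0A1B2C", True, datetime(2026, 4, 8)),
        "signed_before_revocation": SignerInfo("DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1",
                                               "0D0E0F", True, datetime(2026, 4, 10)),
        "affected_ca_in_window": SignerInfo("GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1",
                                            "111111", True, datetime(2026, 4, 9)),
        "unrelated": SignerInfo("Unrelated Code Signing CA", "222222", False, datetime(2026, 3, 1)),
    }
    return {name: triage(s, SAMPLE_CRL) for name, s in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in examples().items():
        print(f"{name:28s} {verdict:7s} {reason}")
```

In a real deployment `SAMPLE_CRL` is replaced by the issuing CA's published CRL or an OCSP response, and the "review" verdicts feed an allow-list process rather than a silent block, since the article notes that 33 of the 60 revoked certificates belonged to customers whose control simply could not be confirmed.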
The DigiCert breach is a stark reminder that Certificate Authorities, despite their critical role in internet trust infrastructure, are subject to the same social engineering and endpoint compromise risks as any other organization. The attack succeeded not through a cryptographic vulnerability or infrastructure flaw, but through a disguised file and an undetected endpoint — the oldest playbook in the book, executed with precision.