A breach of DigiCert’s support environment allowed attackers to steal EV code signing certificates later used to digitally sign payloads linked to the Zhong Stealer malware campaign.

DigiCert Breach Led to Theft of EV Certificates Used in Zhong Stealer Campaign

The420.in Staff

A breach of DigiCert’s internal support environment in early April 2026 allowed a threat actor to obtain stolen EV code signing certificates that were later used to distribute the Zhong Stealer malware family, exposing a serious security failure inside a major certificate authority’s support operations.

Attack Began With Social Engineering of Support Staff

The intrusion began on April 2, 2026, when a threat actor contacted DigiCert’s customer support team through a Salesforce-based chat channel and repeatedly sent a malicious ZIP file disguised as a customer screenshot. The archive contained a .scr screensaver executable, exploiting the fact that Windows treats such files as native executables.

CrowdStrike and other endpoint defences blocked four consecutive delivery attempts, but a fifth succeeded and compromised a machine identified as ENDPOINT1, which was operated by a support analyst. DigiCert’s Trust Operations team detected and isolated that machine by April 3.


Second Compromise Opened Path to Certificate Abuse

Despite that initial containment, the investigation revealed a critical blind spot. A second machine, ENDPOINT2, was also compromised through the same delivery method on April 4, but DigiCert only discovered that breach on April 14, giving the attacker a ten-day window of unrestricted access.

Using compromised analyst accounts, the threat actor accessed DigiCert’s internal customer support portal and exploited a feature that allowed authenticated support staff to view customer accounts from the customer’s perspective. While the function did not permit account management, API key access or order submission, it exposed initialization codes for approved but undelivered EV code signing certificate orders across a limited set of customer accounts.

Possession of an initialization code, combined with an already approved order, was sufficient to obtain and activate a valid certificate. That gave the attacker a direct route to legitimate, certificate-authority-signed credentials, creating the conditions for trusted-looking malware delivery.

Revocations, Malware Use and Response Measures

Between April 14 and April 17, 2026, DigiCert revoked 60 EV code signing certificates issued from four certificate authorities. Of those, 27 were explicitly linked to the threat actor through community submitted certificate problem reports, while 16 were identified during DigiCert’s own investigation. The remaining 33 were revoked as a precaution where customer control could not be confirmed.

The stolen certificates were used to digitally sign payloads delivering Zhong Stealer, a malware family that the source material previously associated with cybercrime groups involved in cryptocurrency theft. Security researchers linked the campaign to GoldenEyeDog, also identified as APT Q 27, though the source material notes that it remains unclear whether that group was directly responsible for the DigiCert breach itself.

The malware chain used phishing lures with fake screenshots, first-stage decoy payloads and retrieval of additional malware from cloud services such as AWS, with digitally signed binaries specifically intended to evade endpoint detection. DigiCert said all 60 compromised certificates were revoked within 24 hours of discovery and that it introduced code changes blocking proxied support users from viewing code signing initialization codes at both the user interface and API layers, disabled Okta FastPass for support portal access, tightened MFA requirements and suspended the accounts of affected analysts.
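As an added illustration (constructed for this article, not DigiCert’s own code, which is not public), the Python model below shows the class of "view as customer" flaw described above and the kind of central redaction that stops a proxied support session from ever receiving an initialization code, whichever layer (UI or API) the request comes through. The session, order and audit structures are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    user: str
    role: str                          # "customer" or "support" (assumed roles)
    proxied_as: Optional[str] = None   # customer account a support user is viewing as

@dataclass(frozen=True)
class CodeSigningOrder:
    order_id: str
    account: str
    status: str        # e.g. "approved" but not yet delivered
    init_code: str     # the secret that, with an approved order, activates the certificate

def can_view_account(session: Session, account: str) -> bool:
    """A customer sees only its own account; support sees an account only while proxied into it."""
    if session.role == "customer":
        return session.user == account
    if session.role == "support":
        return session.proxied_as == account
    return False

def serialize_order_vulnerable(session: Session, order: CodeSigningOrder) -> dict:
    """Pre-fix behaviour: any session allowed to view the account also receives the init code."""
    if not can_view_account(session, order.account):
        raise PermissionError("not authorised for this account")
    return {"order_id": order.order_id, "status": order.status, "init_code": order.init_code}

def serialize_order_hardened(session: Session, order: CodeSigningOrder, audit: list) -> dict:
    """Hardened: one serializer used by both UI and API, so the redaction cannot be bypassed
    by choosing a different entry point. Proxied (support-as-customer) sessions never get the secret."""
    if not can_view_account(session, order.account):
        raise PermissionError("not authorised for this account")
    view = {"order_id": order.order_id, "status": order.status}
    if session.proxied_as is not None:
        view["init_code"] = None   # field present but redacted for proxied support views
        # Record the attempt: repeated redacted reads across many accounts is a detection signal.
        audit.append(f"redacted init_code order={order.order_id} "
                     f"support_user={session.user} proxied_as={session.proxied_as}")
    else:
        view["init_code"] = order.init_code
    return view

if __name__ == "__main__":
    order = CodeSigningOrder("ORD-CONSTRUCTED-1", "acme", "approved", "INIT-CONSTRUCTED-123")
    log: list = []
    print(serialize_order_vulnerable(Session("analyst1", "support", proxied_as="acme"), order))
    print(serialize_order_hardened(Session("analyst1", "support", proxied_as="acme"), order, log), log)
```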

About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
