A sophisticated threat actor compromised DigiCert’s internal support environment in early April 2026 using a disguised Windows screensaver file, ultimately obtaining stolen EV Code Signing certificates that were later weaponized to distribute the “Zhong Stealer” malware family.
The incident resulted in the emergency revocation of 60 code-signing certificates. It exposed a dangerous chain of vulnerabilities, from social engineering and endpoint detection failures to internal support portal access controls, at one of the world’s most trusted Certificate Authorities (CAs).
DigiCert Hacked via .SCR File
On April 2, 2026, a threat actor posed as a legitimate customer and initiated a conversation through DigiCert’s Salesforce-powered customer support chat channel. The attacker repeatedly sent a malicious ZIP file disguised as a customer screenshot, a low-friction, high-credibility lure specifically designed to bypass suspicion in a support context.
Hidden inside the ZIP was a .scr executable, a Windows screensaver file format that threat actors frequently weaponize to evade file-type restrictions and blend in with benign system files.
Endpoint security controls successfully blocked four of the five delivery attempts. However, the fifth attempt succeeded against ENDPOINT1, a workstation used by a DigiCert support analyst.
Once executed at approximately 23:45 UTC on April 2, the payload launched a multi-stage infection chain: follow-on binaries including k3.exe, updat.exe, uuu.exe, and VideoManager.exe ran from the AppData and Public directories, user-writable locations that attackers commonly stage payloads in because writing there requires no elevated privileges.
DigiCert’s Trust Operations team detected and isolated ENDPOINT1 by April 3, conducted a partial forensic triage, and scheduled the machine for a full wipe and reimage. At that point, the incident was considered fully contained. It was not.
On April 14, 2026, twelve days after the initial attack, a deeper investigation revealed that a second analyst workstation, ENDPOINT2, had been compromised on April 4, 2026, just one day after the first endpoint was isolated. The threat actor had used the same delivery vector: a malicious ZIP sent through the chat channel that was automatically attached to the Salesforce support case.
The critical failure enabling this prolonged access was a malfunctioning CrowdStrike sensor on ENDPOINT2. The EDR agent had a configuration gap that prevented it from flagging the malicious activity, allowing the attacker to operate undetected for nearly ten days within DigiCert’s internal environment.
CrowdStrike support confirmed the sensor gap on April 14 at approximately 20:35 UTC. This is a stark reminder that even industry-leading endpoint detection tools can create blind spots when misconfigured or improperly deployed and that post-incident verification of EDR health across all affected systems is not optional.
How the Attacker Obtained EV Code Signing Certificates
Once inside ENDPOINT2, the threat actor leveraged a restricted yet powerful feature in DigiCert’s internal support portal: a proxy customer-view function that allows authenticated support analysts to access customer accounts from the customer’s perspective.
While this function does not permit account management, user administration, API key creation, or order submission, it does expose initialization codes for approved but undelivered EV Code Signing certificate orders.
Possession of an initialization code, when combined with an already-approved order, is sufficient to retrieve and activate the resulting EV Code Signing certificate. By combining the two, the threat actor was able to obtain legitimate, trusted EV Code Signing certificates from a limited set of customer accounts, issued under multiple issuing CAs, including:
- DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
- GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
- Verokey High Assurance Secure Code EV
Zhong Stealer Malware
The stolen certificates were not merely hoarded; they were actively weaponized. Community researchers and security professionals submitted third-party certificate problem reports to DigiCert starting as early as April 5, 2026, flagging individual certificate serial numbers linked to malicious activity.
DigiCert’s investigation ultimately confirmed that 27 of the 60 revoked certificates were explicitly tied to the threat actor: 11 were reported by the community as linked to active malware, and 16 were identified through DigiCert’s own internal investigation.
The exploited certificates were used to sign binaries belonging to the “Zhong Stealer” malware family, a credential- and cryptocurrency-theft tool associated with Chinese e-crime activity. Zhong Stealer’s attack chain leverages phishing lures, decoy content, cloud-hosted second-stage payloads, and, critically, digitally signed binaries to evade endpoint detection.
Using a legitimate EV Code Signing certificate dramatically increases the malware’s ability to bypass antivirus and application control solutions, as the binary carries a trusted cryptographic signature.
The remaining 33 certificates were revoked as a precautionary measure after DigiCert could not explicitly confirm customer control, and all pending orders in the affected window were canceled.
Remediation
DigiCert’s response actions between April 14 and 17 were swift once the full scope was identified:
- All 60 impacted certificates were revoked within 24 hours of identification, with revocation dates backdated to their issuance dates, so that signatures made at any point in the certificates' lifetime, including timestamped ones, are treated as invalid
- A code change preventing proxied support users from viewing Code Signing initialization codes was deployed to the US (UI and API layers) by April 15 and to the EU by April 16
- Okta FastPass was disabled for the support portal and related applications; MFA requirements were tightened for affected administrative workflows on April 14
- Both compromised analyst accounts were suspended, and the analysts were placed on administrative leave pending investigation
- ENDPOINT2’s hard drive, found to be encrypted, was collected for forensic analysis by Trust Operations
DigiCert confirmed that the threat actor’s access was limited exclusively to Code Signing initialization codes within specific customer accounts, and found no evidence of misuse in other internal systems, non-Code Signing certificate mis-issuance, or improper validation actions.
DigiCert disclosed the following IP addresses used by the threat actor during certificate installation activity:
| IP Address | Role |
|---|---|
| 82.23.186.8 | Threat actor infrastructure |
| 154.12.185.32 | Threat actor infrastructure |
| 45.144.227.12 | Threat actor infrastructure |
| 203.160.68.2 | Threat actor infrastructure |
| 154.12.185.30 | Threat actor infrastructure |
| 62.197.153.45 | Threat actor infrastructure |
| 45.144.227.29 | Threat actor infrastructure |
Organizations should search for these IPs in firewall, proxy, and SIEM logs, particularly in conjunction with any code-signed binaries executed during April 2026. The addresses may have been reassigned or shared since; treat hits outside the April 2026 window as leads for analyst review rather than confirmed compromise.
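As an added example of the search recommended above (written for this article, not tooling from DigiCert), the following Python scans key=value style firewall or proxy lines for the seven disclosed addresses, ranks each hit by whether it falls inside the April 2026 window, and pivots the hits by internal source host so triage can start from the machines that talked to attacker infrastructure. The log lines at the bottom are constructed for the example and assume an ISO-8601 UTC timestamp at the start of each line and a `src=` field; adapt both to your own log format.

```python
import ipaddress
import re
from collections import defaultdict

# Threat actor IP addresses disclosed by DigiCert (the table above).
DIGICERT_IOC_IPS = {
    "82.23.186.8", "154.12.185.32", "45.144.227.12", "203.160.68.2",
    "154.12.185.30", "62.197.153.45", "45.144.227.29",
}
# Incident window: hits inside it are high confidence; outside it, the address may have
# been reassigned since and the hit needs analyst review rather than automatic escalation.
WINDOW_START, WINDOW_END = "2026-04-01", "2026-04-30"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SRC_RE = re.compile(r"\bsrc=(\S+)")   # assumes key=value firewall/proxy lines


def extract_ips(line):
    """All syntactically valid IPv4 addresses in a line (regex candidates, then validated)."""
    found = []
    for cand in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(cand)
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        found.append(cand)
    return found


def hunt(lines, iocs=DIGICERT_IOC_IPS):
    """Scan log lines for IOC addresses; each hit carries a confidence based on its date.
    Assumes each line starts with an ISO-8601 UTC timestamp (as the constructed sample does)."""
    hits = []
    for n, line in enumerate(lines, 1):
        day = line[:10]
        in_window = WINDOW_START <= day <= WINDOW_END
        for ip in extract_ips(line):
            if ip in iocs:
                hits.append({"line": n, "ip": ip, "date": day,
                             "confidence": "high" if in_window else "review", "raw": line})
    return hits


def sources_by_host(hits):
    """Pivot: which internal hosts talked to which IOC addresses (to drive triage)."""
    pivot = defaultdict(set)
    for h in hits:
        m = SRC_RE.search(h["raw"])
        if m:
            pivot[m.group(1)].add(h["ip"])
    return dict(pivot)


# Constructed sample lines in a key=value style; not real DigiCert or customer telemetry.
SAMPLE_LOGS = [
    "2026-04-06T09:14:22Z proxy src=10.20.30.41 dst=154.12.185.32 dport=443 action=allow bytes=48211",
    "2026-04-06T09:15:03Z fw src=10.20.30.41 dst=198.51.100.7 dport=443 action=allow",
    "2026-05-12T17:40:10Z fw src=10.20.30.77 dst=45.144.227.29 dport=443 action=allow",
    "2026-04-06T09:15:09Z proxy src=10.20.30.41 dst=82.23.186.8 dport=80 action=deny",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(f"[{h['confidence']}] line {h['line']} {h['date']} -> {h['ip']}")
    print(sources_by_host(hunt(SAMPLE_LOGS)))
```

The denied connection on the last sample line is still a hit: a blocked outbound attempt to attacker infrastructure from an analyst workstation is exactly the signal that would have pointed at ENDPOINT2 earlier.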
This breach did not require a zero-day exploit or an advanced persistent threat (APT) toolkit. It required a .scr file in a chat window and one misconfigured EDR agent. Key security takeaways include:
- Restrict file types in support chat channels – block executables, screensavers, and compressed archives from being delivered via customer-facing messaging systems, or at minimum open archives server-side and inspect their contents before an analyst can
- Continuously verify EDR sensor health – malfunctioning endpoint protection creates dangerous blind spots; automated health checks and alerting on sensor gaps are essential
- Apply least privilege to support portal functions – internal tools that provide proxied views into customer accounts should mask or entirely remove sensitive data, such as certificate initialization codes
- Monitor for certificate abuse post-issuance – participation in community reporting programs (like those used to identify Zhong Stealer) can dramatically accelerate breach detection
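The .scr-inside-a-ZIP lure described at the start of this article and the first takeaway above come down to one control: inspect what a customer attaches before an analyst can open it. The following is an added example written for this article, not code from DigiCert or from any chat platform. It assumes uploads reach the support system as a filename plus raw bytes, blocks executable types by name at the top level and inside ZIP members, checks for a PE (MZ) header regardless of what a file is called, and refuses archives it cannot look inside (encrypted members, nested or non-ZIP archives, oversized members). The sample ZIPs at the bottom are constructed to mimic the lure and are not files from the incident.

```python
import io
import os
import zipfile

# Extensions a customer-facing support channel should accept at the top level.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}
# Windows-executable and script types that must never arrive via support chat.
EXECUTABLE_EXT = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".dll", ".msi", ".ps1"}
# Container types: ZIP is inspected member by member; the rest cannot be opened here.
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".iso", ".img"}
MAX_MEMBER_BYTES = 25 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")


def _ext(name):
    """Final extension, lower-cased; 'screenshot.png.scr' -> '.scr'."""
    return os.path.splitext(name.strip().lower())[1]


def _inspect_zip(data):
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["claims to be a ZIP but is not parseable"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, ext = info.filename, _ext(info.filename)
            if ext in EXECUTABLE_EXT:
                reasons.append(f"archive member {name!r} has executable type {ext}")
            if ext in ARCHIVE_EXT:
                reasons.append(f"archive member {name!r} is a nested archive")
            if info.flag_bits & 0x1:          # encrypted member: password-protected lure
                reasons.append(f"archive member {name!r} is encrypted; contents cannot be inspected")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append(f"archive member {name!r} too large to inspect ({info.file_size} bytes)")
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":                 # PE header, whatever the member is called
                reasons.append(f"archive member {name!r} starts with a PE (MZ) header")
    return reasons


def inspect_attachment(filename, data):
    """Return {'verdict': 'allow'|'block', 'reasons': [...]} for one uploaded file."""
    reasons = []
    ext = _ext(filename)
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable file type {ext}")
    if ext in ARCHIVE_EXT and ext != ".zip":
        reasons.append(f"archive type {ext} cannot be inspected here")
    if ext == ".zip" or data[:4] in ZIP_MAGICS:
        reasons += _inspect_zip(data)
    elif not reasons and ext not in ALLOWED_EXT:
        reasons.append(f"file type {ext or '(none)'} is not on the allow-list")
    if data[:2] == b"MZ":
        reasons.append("content is a Windows PE executable regardless of its name")
    return {"filename": filename, "verdict": "block" if reasons else "allow", "reasons": reasons}


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct example inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed inputs, not real samples from the incident: a lure shaped like the one
# described above (a "screenshot" ZIP carrying a .scr) and a genuinely benign one.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
LURE_ZIP = build_sample_zip({"screenshot.png.scr": b"MZ" + b"\x00" * 64})
BENIGN_ZIP = build_sample_zip({"screenshot.png": PNG_MAGIC + b"\x00" * 64})

if __name__ == "__main__":
    for name, blob in (("screenshot.zip", LURE_ZIP), ("screenshot.zip", BENIGN_ZIP)):
        print(inspect_attachment(name, blob))
```

The verdict is deliberately all-or-nothing: an archive with one bad member is blocked whole rather than cleaned, because stripping members and forwarding the rest trains analysts to trust whatever reaches them.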
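For the second takeaway, and the ENDPOINT2 sensor gap described earlier, here is an added example of the reconciliation a sensor-health job performs; it is not DigiCert's or CrowdStrike's tooling. An asset inventory is compared with an EDR console export, and any expected host that is absent, has no prevention policy assigned, or has not checked in within a threshold is raised as a finding, with hosts in roles exposed to untrusted customer content ranked first. The hosts, timestamps, and export field names are hypothetical; `prevention_policy` being `None` stands in for the kind of configuration gap the article describes.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(hours=24)          # a sensor silent for longer than this is a gap
PRIORITY_ROLES = ("support-analyst",)      # roles that handle untrusted customer content

# Constructed asset inventory (hypothetical hosts): everything the EDR is expected to cover.
INVENTORY = [
    {"host": "ENDPOINT1", "role": "support-analyst"},
    {"host": "ENDPOINT2", "role": "support-analyst"},
    {"host": "BUILD07", "role": "ci-runner"},
    {"host": "HR-LAPTOP3", "role": "hr"},
]

# Constructed EDR console export (hypothetical field names, not a real vendor schema).
# 'prevention_policy' None stands in for the configuration gap described in the article.
EDR_EXPORT = [
    {"host": "ENDPOINT1", "last_seen": "2026-04-03T08:10:00Z", "prevention_policy": "Default"},
    {"host": "ENDPOINT2", "last_seen": "2026-04-14T18:00:00Z", "prevention_policy": None},
    {"host": "BUILD07", "last_seen": "2026-04-09T02:00:00Z", "prevention_policy": "Default"},
]

# Fixed "now" so the example is deterministic; a real job would use datetime.now(timezone.utc).
NOW = datetime(2026, 4, 14, 20, 0, tzinfo=timezone.utc)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sensor_gaps(inventory, edr_export, now=NOW, stale_after=STALE_AFTER,
                priority_roles=PRIORITY_ROLES):
    """Reconcile inventory against EDR check-ins; return prioritised findings."""
    by_host = {r["host"]: r for r in edr_export}
    findings = []
    for asset in inventory:
        rec = by_host.get(asset["host"])
        if rec is None:
            problem = "no sensor record"
        elif rec["prevention_policy"] is None:
            problem = "sensor present but no prevention policy assigned"
        elif now - _parse(rec["last_seen"]) > stale_after:
            age = now - _parse(rec["last_seen"])
            problem = f"stale: last seen {age.days}d ago"
        else:
            continue
        findings.append({"host": asset["host"], "role": asset["role"], "problem": problem,
                         "priority": "P1" if asset["role"] in priority_roles else "P2"})
    findings.sort(key=lambda f: (f["priority"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in sensor_gaps(INVENTORY, EDR_EXPORT):
        print(f"{f['priority']} {f['host']:<12} {f['role']:<16} {f['problem']}")
```

The point of the inventory join is that a console showing every enrolled sensor as healthy says nothing about hosts that never enrolled or whose policy was never applied; the gap only becomes visible when the list of machines you expect to be covered comes from somewhere other than the EDR itself.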
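The proxied customer view described under "How the Attacker Obtained EV Code Signing Certificates", the remediation code change to the UI and API layers, and the least-privilege takeaway above all describe one control: a single server-side serializer that decides, field by field, what a proxied session may see, so that neither the UI nor the API can hand out more than the other. The following added example illustrates that design in Python and is not DigiCert's code; the order fields, session model, and identifiers are hypothetical. The "before" function shows the shape that leaks: authorisation by tenant only, then every field returned.

```python
import json
from dataclasses import asdict, dataclass

# Fields a proxied support session may see, per product. Anything not listed is withheld,
# so a newly added secret field is hidden by default rather than leaked by default.
PROXY_VISIBLE_FIELDS = {
    "code_signing_order": {"order_id", "customer_id", "product", "status", "common_name"},
}
PROXY_DEFAULT_VISIBLE = {"order_id", "customer_id", "product", "status"}
REDACTED = "<withheld from proxy view>"

AUDIT = []   # in-memory audit trail; a real deployment would ship this to the SIEM


@dataclass(frozen=True)
class Session:
    user: str
    customer_id: str
    is_proxy: bool     # True when a support analyst is viewing the account "as" the customer


@dataclass
class Order:
    order_id: str
    customer_id: str
    product: str       # e.g. "code_signing_order"
    status: str        # "approved" = validated but not yet delivered
    common_name: str
    init_code: str     # the secret that, with an approved order, lets the cert be retrieved


def _check_tenant(session, order):
    if session.customer_id != order.customer_id:
        raise PermissionError(f"{session.user} may not view order {order.order_id}")


def serialize_order_before(session, order):
    """Vulnerable shape: tenant check only, then every field is returned to anyone
    who passed it, including a proxied analyst."""
    _check_tenant(session, order)
    return asdict(order)


def serialize_order(session, order):
    """Hardened shape: same tenant check, plus field-level allow-listing for proxied
    sessions, applied in the one serializer both the UI and the API read from."""
    _check_tenant(session, order)
    data = asdict(order)
    if session.is_proxy:
        visible = PROXY_VISIBLE_FIELDS.get(order.product, PROXY_DEFAULT_VISIBLE)
        withheld = sorted(k for k in data if k not in visible)
        for k in withheld:
            data[k] = REDACTED
        AUDIT.append({"user": session.user, "order": order.order_id, "withheld": withheld})
    return data


def api_get_order(session, order):
    """API layer: must not have its own, laxer serializer."""
    return json.dumps(serialize_order(session, order))


def ui_render_order(session, order):
    """UI layer: renders from the same filtered dict."""
    d = serialize_order(session, order)
    return f"{d['order_id']} CN={d['common_name']} status={d['status']} init_code={d['init_code']}"


# Constructed sample data (hypothetical identifiers, not real orders or codes).
ORDER = Order("ord-10042", "cust-001", "code_signing_order", "approved",
              "Example Software Ltd", "INIT-CODE-EXAMPLE-0001")
CUSTOMER = Session("alice@example.test", "cust-001", is_proxy=False)
ANALYST_PROXY = Session("analyst-17", "cust-001", is_proxy=True)

if __name__ == "__main__":
    print("before:", serialize_order_before(ANALYST_PROXY, ORDER)["init_code"])
    print("after: ", serialize_order(ANALYST_PROXY, ORDER)["init_code"])
    print(ui_render_order(ANALYST_PROXY, ORDER))
    print(api_get_order(CUSTOMER, ORDER))
```

Two design choices matter here. The allow-list is keyed on product, so a proxied view of an unfamiliar order type falls back to the minimal default rather than to everything; and the audit entry is written in the serializer itself, so a proxied request for an approved-but-undelivered code-signing order leaves a record even when nothing sensitive was returned, which is the event a detection team would want to alert on in volume.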
FAQ
Q1: What is an EV Code Signing certificate, and why is it valuable to attackers?
An EV (Extended Validation) Code Signing certificate is a high-trust cryptographic credential issued to verified software publishers that allows them to digitally sign executables, making signed malware appear legitimate and bypassing many security controls that flag unsigned binaries.
Q2: How did the threat actor obtain certificates without DigiCert’s system generating them directly?
The attacker used the compromised analyst workstations and accounts to reach DigiCert’s internal support portal and retrieve initialization codes for pre-approved orders; because an initialization code together with an already-approved order is all that is needed to retrieve the certificate, no further validation stood in the way.
Q3: What is Zhong Stealer, and who is behind it?
Zhong Stealer is a family of malware that steals credentials and cryptocurrencies, associated with Chinese e-crime activity; it uses signed binaries, cloud-hosted payloads, and phishing lures in its multi-stage attack chain to evade detection.
Q4: Are any of the 60 revoked DigiCert certificates still valid and posing a risk?
No. DigiCert confirmed that all 60 impacted certificates were revoked by April 17, 2026, with revocation dates backdated to their original issuance dates, so no certificate from the affected set remains valid.
Site: thecybrdef.com