DigiCert Breach Exposes Stolen Code Signing Certificates

A sophisticated cyberattack targeting DigiCert has exposed a critical weakness in code signing trust chains, where attackers successfully obtained EV Code Signing certificates by using a weaponized screensaver file.

The breach, which began in early April 2026, demonstrates how modern attackers combine social engineering, endpoint compromise, and trust infrastructure abuse to distribute malware at scale.

In this case, stolen certificates were used to sign payloads delivering the Zhong Stealer malware, allowing attackers to bypass traditional security controls.


How the DigiCert Attack Unfolded

The attack began with a social engineering campaign targeting DigiCert’s customer support analysts.

Initial access vector

  • Attacker contacted support via a Salesforce chat channel
  • Sent a ZIP file disguised as a customer screenshot
  • The archive contained a .scr (screensaver) executable

👉 Important: Windows treats .scr (screensaver) files as ordinary PE executables, so a file presented as a screenshot runs code when it is opened, which makes the format well suited to deception attacks


Multiple delivery attempts

  • Endpoint protections blocked the first 4 attempts
  • The 5th attempt succeeded
  • Result: ENDPOINT1 compromised (April 2, 2026)

By April 3, DigiCert detected and isolated the system.


Second-stage compromise

  • A second machine (ENDPOINT2) was infected
  • Breach date: April 4, 2026
  • Detection delay: 10 days (discovered April 14)

👉 Key takeaway:
This detection gap gave attackers unrestricted access during a critical window


How Attackers Obtained EV Code Signing Certificates

After compromising support analyst accounts, attackers accessed DigiCert’s internal support portal.

Exploited functionality

Support staff have limited access to:

  • View customer accounts
  • Troubleshoot issues

However, the portal also exposed:

👉 Initialization codes for approved EV Code Signing certificate orders


Why this is critical

Possessing:

  • An approved certificate order
  • The corresponding initialization code

👉 is enough to activate a valid, trusted code signing certificate


Result

Attackers gained legitimate certificates that could:

  • Digitally sign malware
  • Bypass security controls
  • Appear trusted by operating systems

Malware Distribution: Zhong Stealer Campaign

The stolen certificates were used to distribute Zhong Stealer, a malware strain associated with:

  • Credential theft
  • Remote access capabilities
  • Cryptocurrency targeting

Attack chain

  1. Phishing lure (fake screenshots)
  2. Initial payload delivery
  3. Secondary payload download (hosted on cloud services like AWS)
  4. Execution of signed binaries to evade detection

👉 Key takeaway:
Signed malware significantly reduces detection rates in endpoint security solutions


Scope of Impact

Between April 14 and April 17, 2026:

  • 60 EV Code Signing certificates revoked in total
  • 27 of them directly linked to attacker activity
  • 16 more identified during the investigation
  • The remainder revoked as a precaution

Affected Certificate Authorities

  • DigiCert Trusted G4 Code Signing CA
  • GoGetSSL G4 Code Signing CA
  • Verokey High Assurance Secure Code EV

Indicators of Compromise (IOCs)

Threat details

  • Malware: Zhong Stealer (RAT/Stealer hybrid)
  • Suspected group: GoldenEyeDog (APT-Q-27; attribution for this breach is unconfirmed)

Key indicators

  • Malicious file: .scr executable inside ZIP
  • Delivery method: phishing via support chat
  • Attack window: April 4 – April 17, 2026

Attacker infrastructure (defanged)

  • 82.23.186[.]8
  • 154.12.185[.]32
  • 45.144.227[.]12
  • 203.160.68[.]2
  • 154.12.185[.]30
  • 62.197.153[.]45
  • 45.144.227[.]29

👉 Handle these indicators only inside controlled platforms (SIEM, MISP, VirusTotal); re-fang them there, never in a browser or shell
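To show how the defanged indicators above are used safely on the defender side, here is an added example (not code from the original post) that re-fangs them in memory only and matches them against proxy log lines. The seven IP addresses are the ones published above; the log lines and their squid-like format are constructed for illustration.

```python
"""Match the published defanged IOCs against sample proxy log lines."""
import ipaddress
import re

# Defanged indicators as published above. The bracketed dot keeps them from
# being clickable or auto-resolved when pasted into tickets or chat.
DEFANGED_IOCS = [
    "82.23.186[.]8",
    "154.12.185[.]32",
    "45.144.227[.]12",
    "203.160.68[.]2",
    "154.12.185[.]30",
    "62.197.153[.]45",
    "45.144.227[.]29",
]


def refang(indicator: str) -> str:
    """Undo common defanging conventions, in memory only (never written to disk)."""
    value = indicator.strip()
    for fanged, plain in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        value = value.replace(fanged, plain)
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def load_ioc_set(defanged):
    """Parse the indicators into ip_address objects; skip malformed entries loudly."""
    ips = set()
    for item in defanged:
        try:
            ips.add(ipaddress.ip_address(refang(item)))
        except ValueError:
            print(f"skipping malformed indicator: {item!r}")
    return ips


# Candidate IPv4 tokens; validity is checked with ipaddress, not the regex.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_ioc_hits(log_lines, ioc_ips):
    """Return (line_number, matched_ip, line) for every line that contains a known-bad IP."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for candidate in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. an octet above 255
                continue
            if ip in ioc_ips:
                hits.append((number, str(ip), line))
    return hits


# Constructed sample log lines (format is an assumption, not a real capture).
SAMPLE_LOGS = [
    "1712200000.123 ENDPOINT2 10.0.5.21 TCP_MISS/200 5120 GET http://45.144.227.12/update.bin",
    "1712200001.456 ENDPOINT2 10.0.5.21 TCP_MISS/200 812 GET http://cdn.example.com/logo.png",
    "1712200002.789 ENDPOINT1 10.0.5.20 TCP_MISS/200 2048 POST http://154.12.185.32/gate.php",
    "1712200003.000 ENDPOINT3 10.0.5.22 TCP_MISS/200 300 GET http://203.160.680.2/",
]

if __name__ == "__main__":
    for number, ip, line in find_ioc_hits(SAMPLE_LOGS, load_ioc_set(DEFANGED_IOCS)):
        print(f"line {number}: {ip} -> {line}")
```

The fourth sample line carries a malformed address (an octet above 255) to show why candidates are validated with `ipaddress` rather than trusted straight from the regex; it produces no hit. In production the indicator set would be loaded from the SIEM or MISP feed rather than embedded.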


Why This Breach Is So Dangerous

1) Abuse of trust infrastructure

Code signing certificates are trusted by:

  • Operating systems
  • Antivirus solutions
  • Endpoint detection tools

👉 Signed malware can bypass security checks


2) Supply chain impact

This is not just a breach—it’s a trust chain compromise

  • Legitimate certificates used maliciously
  • Users unknowingly trust signed payloads

3) Social engineering sophistication

The attack relies on:

  • Human error
  • File format deception (.scr)
  • Persistence through repeated attempts

4) Detection gaps

The 10-day blind spot allowed:

  • Credential abuse
  • Certificate issuance
  • Malware distribution

Real-World Attack Scenarios

1) Enterprise malware execution

  • Signed malware bypasses endpoint protections
  • Executes undetected

2) Crypto theft campaigns

  • Zhong Stealer targets wallets
  • Extracts credentials and tokens

3) Developer environment compromise

  • Signed binaries trusted in pipelines
  • Inject malicious code into builds

4) Long-term persistence

  • Backdoors deployed using trusted binaries
  • Harder to detect and remove

Immediate Mitigation Steps

1) Verify certificate revocation

Ensure all 60 revoked certificates:

  • Appear as revoked in the CRL/OCSP data your systems actually consult
  • Are removed from any internal allowlist or pinned-publisher list that would override revocation

2) Strengthen endpoint security

  • Block executable file types (.scr) in email/chat channels
  • Monitor unusual file execution
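The "Important" note above (a .scr file is an executable) and the mitigation step here (block executable file types in support channels) are served by one added example; it is not code from the original post or from DigiCert. It screens a ZIP attachment both by final extension and by file content, so a renamed PE is caught even when the name claims to be an image. The extension list and the constructed archive are assumptions for illustration.

```python
"""Screen a ZIP attachment for executable content before it reaches an analyst."""
import io
import zipfile
from typing import Dict, List

# Suffixes Windows will execute on double-click. .scr is a plain PE executable
# under a different name, which is what made the "screenshot" lure work.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".ps1",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".cpl", ".dll", ".lnk",
}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_member(name: str, head: bytes) -> List[str]:
    """Return the reasons a ZIP member should be treated as executable (empty if none)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {final_ext}")
        if len(parts) > 2:  # screenshot.png.scr: a decoy inner extension
            reasons.append(f"disguised with inner extension .{parts[-2]}")
    if head.startswith(PE_MAGIC):  # content check, independent of the name
        reasons.append("PE (MZ) header")
    return reasons


def screen_zip(data: bytes) -> Dict[str, List[str]]:
    """Map each flagged member to its reasons; an empty dict means nothing was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic is needed, not the whole member
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure archive: a real PNG header next to a renamed PE stub. Not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("screenshot2.png.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("notes.txt", b"see attached")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in screen_zip(build_sample_zip()).items():
        print(f"BLOCK {member}: {', '.join(reasons)}")
```

A production gate would also recurse into nested archives, reject encrypted ZIPs it cannot inspect, and treat an unknown extension with a PE header as a block rather than a warning; the two independent checks here (name and content) are the part that matters, because the attacker controls the name.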

3) Harden support environments

  • Restrict file downloads and execution
  • Use sandboxing for all attachments
  • Implement strict Zero Trust access

4) Improve detection and response

  • Monitor privileged account activity
  • Detect abnormal access to certificate workflows
  • Audit internal portal usage
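As an added example of the "detect abnormal access to certificate workflows" step (not code from the original post or from DigiCert), the following flags a support account that retrieves EV code signing initialization codes for an unusual number of distinct orders inside a short window. The audit-log schema, the action name "view_init_code", the one-hour window and the threshold of three orders are all assumptions; the events are constructed.

```python
"""Flag support accounts pulling certificate initialization codes at an abnormal rate."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MAX_DISTINCT_ORDERS = 3  # assumed baseline: an analyst rarely needs more per hour


def parse_event(line: str) -> dict:
    """Parse one JSON audit line (schema is an assumption for this example)."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_init_code_abuse(lines, window=WINDOW, max_orders=MAX_DISTINCT_ORDERS):
    """Return (user, timestamp, distinct_orders_in_window) for each user that crosses the threshold.

    A sliding window per user is kept in a deque; repeated views of the same
    order count once, so a long troubleshooting session on one order does not alert.
    """
    recent = defaultdict(deque)  # user -> deque of (ts, order_id) inside the window
    alerts, alerted = [], set()
    for event in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        if event["action"] != "view_init_code":
            continue
        window_events = recent[event["user"]]
        window_events.append((event["ts"], event["order_id"]))
        while window_events and event["ts"] - window_events[0][0] > window:
            window_events.popleft()
        distinct_orders = {order for _, order in window_events}
        if len(distinct_orders) > max_orders and event["user"] not in alerted:
            alerts.append((event["user"], event["ts"].isoformat(), len(distinct_orders)))
            alerted.add(event["user"])  # one alert per user for this run
    return alerts


# Constructed audit events: analyst.a behaves normally, analyst.b does not.
SAMPLE_AUDIT = [
    '{"ts": "2026-04-05T09:00:00", "user": "analyst.a", "action": "view_account",   "order_id": "ORD-1001"}',
    '{"ts": "2026-04-05T09:05:00", "user": "analyst.a", "action": "view_init_code", "order_id": "ORD-1001"}',
    '{"ts": "2026-04-05T09:06:00", "user": "analyst.b", "action": "view_init_code", "order_id": "ORD-2001"}',
    '{"ts": "2026-04-05T09:07:00", "user": "analyst.b", "action": "view_init_code", "order_id": "ORD-2002"}',
    '{"ts": "2026-04-05T09:08:00", "user": "analyst.b", "action": "view_init_code", "order_id": "ORD-2003"}',
    '{"ts": "2026-04-05T09:09:00", "user": "analyst.b", "action": "view_init_code", "order_id": "ORD-2004"}',
    '{"ts": "2026-04-05T09:10:00", "user": "analyst.b", "action": "view_init_code", "order_id": "ORD-2004"}',
    '{"ts": "2026-04-05T14:00:00", "user": "analyst.a", "action": "view_init_code", "order_id": "ORD-1002"}',
]

if __name__ == "__main__":
    for user, when, count in detect_init_code_abuse(SAMPLE_AUDIT):
        print(f"ALERT {user} viewed init codes for {count} distinct orders by {when}")
```

The point of the rule is that the act of viewing an initialization code is itself the sensitive step (the post notes it is enough to activate a certificate), so it deserves its own audit event and its own rate baseline rather than being folded into generic portal access logging.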

5) Enhance authentication controls

  • Enforce stronger MFA
  • Disable risky authentication methods
  • Monitor session anomalies

Common Mistakes to Avoid

  • Trusting digitally signed files blindly
  • Allowing executable attachments in support workflows
  • Ignoring endpoint alerts after initial blocking
  • Failing to re-check compromised environments

Expert Insights

This breach highlights a major cybersecurity shift:

✅ Attackers are targeting trust infrastructure (certificates)
✅ Code signing is now a weaponized attack vector
✅ Human interaction remains a critical weakness

👉 Trust is no longer binary—verification is continuous


FAQs

What caused the DigiCert breach?
A social engineering attack using a malicious screensaver (.scr) file that compromised support endpoints.


What is Zhong Stealer?
A malware family used for credential theft and remote access, often linked to crypto-focused attacks.


Why are code signing certificates dangerous if stolen?
They allow attackers to sign malware, making it appear legitimate and bypass security controls.


How many certificates were compromised?
60 EV Code Signing certificates were revoked as part of the incident response.


What should organizations do immediately?
Validate certificate revocation, update systems, and monitor for signed malicious binaries.


Conclusion

The DigiCert breach underscores a critical reality:

Cyberattacks are increasingly targeting trust systems, not just vulnerabilities.

By exploiting:

  • Social engineering
  • Endpoint compromise
  • Certificate issuance workflows

…attackers were able to weaponize trusted infrastructure and distribute malware at scale.

Key takeaway

👉 If attackers can sign their malware, they can bypass your defenses

Organizations must:

  • Treat certificates as high-value assets
  • Continuously validate trust chains
  • Harden internal workflows
