DigiCert Breached: Stolen Certs Used to Spread Zhong Stealer
A sophisticated threat actor breached DigiCert’s internal support environment in early April 2026 through a targeted social engineering campaign, ultimately stealing EV Code Signing certificates to distribute the Zhong Stealer malware family, a RAT/stealer hybrid previously linked to cryptocurrency theft operations.
On April 2, 2026, the attacker contacted DigiCert’s customer support team via its Salesforce-based chat channel, repeatedly sending a malicious ZIP archive disguised as a customer screenshot.
Buried inside the archive was a .scr (screensaver) executable, a well-known social engineering technique that exploits Windows’ native treatment of .scr files as runnable executables.
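The delivery vector described above (an archive whose only payload is a Windows-executable .scr posing as a screenshot, pushed repeatedly through a support chat until one attempt gets through) is something an attachment gateway can flag before an analyst opens it. The following is an added example, not DigiCert's tooling or anything from the incident report: it inspects a constructed ZIP for executable extensions, image-name double extensions and PE ("MZ") headers hiding under harmless extensions, and separately escalates chat sessions in which several blocked deliveries are followed by one that was allowed. The session log entries and the member names are constructed sample data.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows launches directly on double-click (assumed allowlist of
# "never expected inside a customer screenshot archive").
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".lnk", ".msi"}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def suspicious_members(zip_bytes: bytes) -> list:
    """Return a finding per archive member that should not be in a screenshot ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename.replace("\\", "/"))
            suffixes = [s.lower() for s in name.suffixes]
            if not suffixes:
                continue
            final = suffixes[-1]
            reasons = []
            if final in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {final}")
            if len(suffixes) > 1 and suffixes[-2] in IMAGE_EXTENSIONS \
                    and final in EXECUTABLE_EXTENSIONS:
                reasons.append("image name with executable double extension")
            # A PE file starts with the two bytes "MZ" regardless of its name.
            head = zf.open(info).read(2)
            if head == b"MZ" and final not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header under non-executable extension")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a real PNG header next to a PE disguised as a screenshot."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("screenshot_error.png.scr", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


# Constructed attachment-scan events: one chat session with four blocked
# deliveries and a fifth that slipped through, one benign session.
SAMPLE_EVENTS = [
    {"ts": "2026-04-02T09:01Z", "session": "chat-7781", "verdict": "blocked"},
    {"ts": "2026-04-02T09:04Z", "session": "chat-7781", "verdict": "blocked"},
    {"ts": "2026-04-02T09:09Z", "session": "chat-7781", "verdict": "blocked"},
    {"ts": "2026-04-02T09:15Z", "session": "chat-7781", "verdict": "blocked"},
    {"ts": "2026-04-02T09:22Z", "session": "chat-7781", "verdict": "allowed"},
    {"ts": "2026-04-02T10:30Z", "session": "chat-7790", "verdict": "allowed"},
]


def repeated_delivery_sessions(events, min_blocked: int = 3) -> dict:
    """Sessions with `min_blocked` or more blocked attachments.

    An 'allowed' verdict arriving after that many blocks is marked escaped=True:
    a file that finally passed after repeated blocks is evidence of evasion,
    not of a clean attachment, and should be pulled for review.
    """
    per_session = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = per_session.setdefault(ev["session"], {"blocked": 0, "escaped": False})
        if ev["verdict"] == "blocked":
            st["blocked"] += 1
        elif ev["verdict"] == "allowed" and st["blocked"] >= min_blocked:
            st["escaped"] = True
    return {s: st for s, st in per_session.items() if st["blocked"] >= min_blocked}


if __name__ == "__main__":
    for f in suspicious_members(build_sample_archive()):
        print(f["member"], "->", "; ".join(f["reasons"]))
    print(repeated_delivery_sessions(SAMPLE_EVENTS))
```

The two checks are complementary: the member scan catches the .scr on content and name, while the session counter catches the pattern in the narrative above, where endpoint controls stopped four deliveries and the fifth was the one that mattered.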
Zhong Stealer Malware via Stolen Certificates
CrowdStrike and other endpoint defenses successfully blocked four consecutive delivery attempts.
The fifth attempt succeeded, compromising ENDPOINT1, a machine operated by a support analyst. DigiCert’s Trust Operations team detected and isolated the machine by April 3, 2026.
Despite the swift initial response, investigators missed a parallel compromise. On April 4, 2026, ENDPOINT2 was compromised via the same delivery vector.
Still, DigiCert only discovered the breach on April 14, 2026, leaving a ten-day window of unrestricted attacker access, as disclosed in the Mozilla Bugzilla incident report.
Using compromised analyst accounts, the threat actor accessed DigiCert’s internal customer support portal and abused a legitimate feature allowing authenticated staff to view customer accounts from the customer’s perspective.
While this feature restricts account management, API-key access, and order submissions, it exposes initialization codes for approved but undelivered EV Code Signing certificate orders, a critical exposure point.
Combining an initialization code with an already-approved order is sufficient to obtain and activate a valid, CA-signed certificate, giving the attacker a direct pathway to trusted signing credentials.
Between April 14 and April 17, 2026, DigiCert revoked 60 EV Code Signing certificates issued by four CAs:
- DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
- GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
- Verokey High Assurance Secure Code EV
Of the 60 revoked certificates, 27 were directly attributed to the threat actor: 11 were identified via community-submitted certificate problem reports, and 16 were discovered during DigiCert’s internal investigation.
The remaining 33 were revoked as a precautionary measure, where customer control could not be explicitly confirmed.
The stolen certificates were used to digitally sign payloads that delivered Zhong Stealer, a malware family previously associated with cybercrime groups involved in cryptocurrency theft.
Security researchers have tentatively linked the campaign to GoldenEyeDog (APT-Q-27), a known Chinese e-crime group, though direct attribution for the DigiCert breach itself remains unconfirmed.
The attack chain leverages phishing lures with fake screenshots, first-stage decoy payloads, and the retrieval of secondary malware from cloud services, including AWS, using digitally signed binaries specifically designed to bypass endpoint detection controls.
Indicators of Compromise (IOCs)
| Indicator | Details |
|---|---|
| Malware Family | Zhong Stealer (RAT/Stealer hybrid) |
| Attributed Threat Actor | GoldenEyeDog / APT-Q-27 (unconfirmed for breach) |
| Malicious File Type | .scr executable inside ZIP archive |
| Attacker IPs | 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, 45.144.227[.]29 |
| Total Certificates Revoked | 60 EV Code Signing |
| Certificates Attributed to Attacker | 27 |
| Non-Compliance Window | April 4 – April 17, 2026 |
Mitigation:
All 60 compromised certificates were revoked within 24 hours of discovery. DigiCert deployed code changes blocking proxied support users from viewing Code Signing initialization codes at both the UI and API layers, disabled Okta FastPass for support portal access, tightened MFA requirements, suspended affected analyst accounts, and canceled all pending Code Signing orders to eliminate residual attacker access.
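The exposure described earlier (a proxied staff view that inherited the customer's read scope and therefore returned initialization codes for approved, undelivered orders) and the fix above (blocking that field for proxied users at both the UI and API layers) can be shown side by side. The following is an added illustration, not DigiCert's portal code: a minimal order-view function in its vulnerable shape and in a hardened shape that enforces the rule in the API layer, so a UI-only change cannot reintroduce the leak, and that records every proxied view for later review. The `Session`, `CodeSigningOrder` and `AUDIT_LOG` names, the role names and the sample values are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed audit sink: a real deployment would ship these to the SIEM.
AUDIT_LOG = []


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: frozenset                      # e.g. {"customer"} or {"support"}
    proxied_as: Optional[str] = None      # customer account a support user is viewing as


@dataclass
class CodeSigningOrder:
    order_id: str
    account_id: str
    status: str        # "pending", "approved" or "issued"
    init_code: str     # pickup secret: with an approved order it is enough to activate the cert


def _can_see_order(order: CodeSigningOrder, session: Session) -> bool:
    owner = session.user_id == order.account_id and session.proxied_as is None
    proxied = session.proxied_as == order.account_id and "support" in session.roles
    return owner or proxied


def order_view_vulnerable(order: CodeSigningOrder, session: Session) -> dict:
    """Before: the proxied view is treated exactly like the customer's own view,
    so a support session sees the initialization code."""
    if not _can_see_order(order, session):
        raise PermissionError("not authorized for this order")
    return {"order_id": order.order_id, "status": order.status,
            "init_code": order.init_code}


def order_view_hardened(order: CodeSigningOrder, session: Session) -> dict:
    """After: the initialization code is an activation secret, returned only to
    the account owner in a non-proxied session and only while the order is
    approved but not yet issued. Proxied views get the rest of the order and
    leave an audit record."""
    if not _can_see_order(order, session):
        raise PermissionError("not authorized for this order")
    view = {"order_id": order.order_id, "status": order.status, "init_code": None}
    is_owner = session.user_id == order.account_id and session.proxied_as is None
    if is_owner and order.status == "approved":
        view["init_code"] = order.init_code
    if session.proxied_as is not None:
        # Proxied access to a code-signing order is rare enough to log every time;
        # a burst of these from one analyst account is a detection signal.
        AUDIT_LOG.append({"actor": session.user_id, "proxied_as": session.proxied_as,
                          "order_id": order.order_id, "field_blocked": "init_code"})
    return view


if __name__ == "__main__":
    order = CodeSigningOrder("ord-1001", "cust-42", "approved", "INIT-CODE-SAMPLE")
    analyst = Session("analyst-7", frozenset({"support"}), proxied_as="cust-42")
    print("vulnerable:", order_view_vulnerable(order, analyst))
    print("hardened:  ", order_view_hardened(order, analyst))
    print("audit:     ", AUDIT_LOG)
```

The check lives in the function that produces the API response rather than in a template, which is the point of the "UI and API layers" wording: a compromised analyst account that calls the API directly, bypassing the portal front end, still receives `init_code: None`.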
Organizations relying on code-signing validation should immediately verify that the revocations of all 60 DigiCert certificates have propagated through their CRL/OCSP infrastructure and that none of those certificates is still trusted in internal allowlists or pinned certificate configurations.