DigiCert Breach Leads to Theft of Code-Signing Certificates Used in Malware Campaigns

Abeerah Hashim  - Security Expert
Last updated: May 5, 2026
  • A hacker tricked a DigiCert support employee into opening a malicious file, sparking a breach.
  • The attacker stole special “initialization codes” and obtained valid EV code-signing certificates.
  • The stolen certificates enabled the attackers to sign malware associated with the Zhong Stealer, which lets criminals steal data and cryptocurrency.

DigiCert has confirmed they have suffered a substantial security breach, allowing hackers to steal real code-signing certificates. 

DigiCert’s position in the industry and the number of companies that rely on it to keep their online connections safe make this breach a significant issue.

Browsers and operating systems across the globe trust it. Its job is to secure internet communications and software distribution. When that trust gets abused, the entire software ecosystem feels the shiver.

How the breach happened

The incident report reveals that the breach began on April 2, when a threat actor impersonating a customer contacted DigiCert’s support team through a chat channel. The attacker kept sending a malicious ZIP archive that looked like a harmless screenshot. Inside that ZIP was a .scr file, a Windows screensaver (an executable format), and it carried a nasty payload.

Security tools blocked many of the attempts. But then, a support employee finally opened it on their workstation. That one click was all it took. DigiCert’s Trust Operations team moved fast. They detected and contained that first compromise within hours on April 3. They terminated the malicious processes. Problem solved, right? Not quite.
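The lure described above, a ZIP whose "screenshot" is really a .scr screensaver executable, is exactly what a support desk's file-upload gate should stop before a human ever opens it. The following is an added example, not DigiCert's code or anything from the incident report: a small screening routine that rejects archives carrying executable member types (judged by the last extension, so double extensions like `screenshot.png.scr` are caught), PE content hiding under a harmless name, and path-traversal member names. The block list, the `build_archive` helper and the sample archive are all constructed here; the fake PE body is just an `MZ` stub, not a program.

```python
import io
import zipfile
from dataclasses import dataclass

# File types Windows runs directly on double-click. The .scr screensaver
# extension is the one the incident report describes; the others are the
# usual companions on an upload block-list.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".dll", ".lnk", ".cpl",
}


@dataclass
class Finding:
    member: str
    reason: str


def screen_zip(data: bytes, max_members: int = 200) -> list:
    """Screen an uploaded ZIP; an empty list means nothing suspicious was found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding("<archive>", "not a valid ZIP archive")]
    with zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            findings.append(Finding("<archive>", f"more than {max_members} members"))
        for info in infos:
            if info.is_dir():
                continue
            name = info.filename
            # Reject names that could escape the extraction directory.
            if name.startswith("/") or "\\" in name or ".." in name.split("/"):
                findings.append(Finding(name, "absolute path or path traversal"))
            # Judge by the *last* extension, so screenshot.png.scr is caught.
            base = name.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reason = f"executable extension {ext}"
                if len(parts) > 2:
                    reason += " hidden behind a double extension"
                findings.append(Finding(name, reason))
            # Do not trust the name at all: a PE file starts with "MZ".
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(name, "PE header (MZ) under a non-executable name"))
    return findings


def build_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample in the shape of the lure: a "screenshot" that is really
# a screensaver executable, plus an innocuous text file. The PE body is a
# fake stub, not a real program.
LURE_ARCHIVE = build_archive({
    "screenshot.png.scr": b"MZ" + b"\x00" * 64,
    "notes.txt": b"see attached screenshot",
})

if __name__ == "__main__":
    for f in screen_zip(LURE_ARCHIVE):
        print(f"{f.member}: {f.reason}")
```

The magic-byte check matters as much as the extension list: a gate that only looks at names is defeated by renaming, and a gate that only looks at content misses script types that have no fixed header. Both checks are cheap enough to run on every chat attachment before it reaches an analyst's workstation.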

The compromise lasted weeks

Here’s where things got worse. The very next day, another system got hit by the same trick. But this time, something went wrong. Due to an error in how DigiCert deployed its security tools, the breached endpoint had no EDR protection. So the intrusion went completely unnoticed. For nearly two weeks.

That prolonged access proved critical. The attacker used the compromised support account to get into DigiCert’s internal customer support portal. This portal has a feature that lets analysts view customer accounts in a proxy mode.

It helps with troubleshooting. But that feature exposed sensitive “initialization codes” linked to pending EV code-signing certificate orders. Think of these codes as one-time credentials in the certificate issuance workflow.

Attacker stole codes and certificates from customer accounts

DigiCert later explained that possessing one of those codes, plus an already approved certificate request, is all you need. It’s enough to generate and retrieve a valid EV code-signing certificate. So the attacker harvested these codes from multiple customer accounts. They then fraudulently obtained certificates from several certificate authorities.
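The two passages above describe the design weakness in one sentence: a support proxy view showed the initialization code in the clear, and code plus approved request was enough to collect a certificate. The following is an added example, not DigiCert's portal code, of how such a one-time credential is normally handled so that a compromised support account cannot replay it: only a hash of the code is stored, the support view renders it masked, redemption is bound to the account that owns the order and can happen once, and every view and redemption attempt lands in an audit trail that anomaly detection can read. The `IssuanceStore` class, its method names and the "actor" string (standing in for an authenticated customer session) are all hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Order:
    order_id: str
    owner: str                          # customer account that placed the order
    approved: bool                      # validation of the request has completed
    code_hash: Optional[bytes] = None   # only a hash of the initialization code is kept
    redeemed: bool = False              # the code is single-use


class IssuanceStore:
    """Hypothetical store for pending EV code-signing orders and their one-time codes."""

    def __init__(self):
        self.orders = {}
        self.audit = []

    def create_order(self, order_id: str, owner: str, approved: bool) -> str:
        # The code is generated once, shown to the customer once, and never
        # stored in recoverable form.
        code = secrets.token_hex(16)
        self.orders[order_id] = Order(
            order_id, owner, approved, hashlib.sha256(code.encode()).digest()
        )
        return code

    def support_view(self, order_id: str, analyst: str) -> dict:
        """What a support analyst's proxy view may show: the code is masked."""
        o = self.orders[order_id]
        self.audit.append(f"view order={order_id} analyst={analyst}")
        return {
            "order": order_id,
            "owner": o.owner,
            "approved": o.approved,
            "init_code": "****",      # never the value itself
            "redeemed": o.redeemed,
        }

    def redeem(self, order_id: str, code: str, actor: str) -> bool:
        """Exchange a code for issuance; returns True only for the rightful, first use."""
        o = self.orders.get(order_id)
        if o is None or not o.approved or o.redeemed:
            self.audit.append(f"redeem-fail order={order_id} actor={actor} reason=not-redeemable")
            return False
        presented = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(presented, o.code_hash):
            self.audit.append(f"redeem-fail order={order_id} actor={actor} reason=bad-code")
            return False
        if actor != o.owner:
            # Knowing the code is not enough: the redeeming session must belong
            # to the account that owns the order.
            self.audit.append(f"redeem-fail order={order_id} actor={actor} reason=actor-not-owner")
            return False
        o.redeemed = True
        self.audit.append(f"redeem-ok order={order_id} actor={actor}")
        return True


if __name__ == "__main__":
    store = IssuanceStore()
    code = store.create_order("ord-1", "acme", approved=True)
    print(store.support_view("ord-1", "analyst-7"))
    print("attacker:", store.redeem("ord-1", code, "attacker"))
    print("owner:   ", store.redeem("ord-1", code, "acme"))
    print("replay:  ", store.redeem("ord-1", code, "acme"))
    print("\n".join(store.audit))
```

With this shape, an analyst who pulls up many orders in proxy mode in a short time still produces a distinctive burst of `view` entries, which is the kind of signal the article's later mention of anomaly detection refers to, while the harvested value itself is useless to anyone outside the owning account.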

DigiCert revoked a total of 60 certificates that were distributed during the exposure period. Of those certificates, 27 were directly connected to the threat actors’ activity. Security researchers, as well as community members, reported a total of 11 certificates that had been used in malware campaigns. DigiCert found another 16 through its own internal investigation. The remaining 33 certificates were revoked just to be safe.

Malware in disguise: The Zhong stealer connection

Now for the really unsettling part. The abused certificates signed payloads for the Zhong Stealer malware. This nasty piece of code steals credentials and cryptocurrency. Researchers have previously tied it to cybercrime operations. They even link it to a group called GoldenEyeDog, also known as APT-Q-27.

Thanks to researchers like @malwrhunterteam and @g0njxa, we know that EV certificates from companies like Lenovo, Kingston, Shuttle Inc, and Palit Microsystems ended up in the wrong hands. A Chinese crime group used them.
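Once a CA publishes the set of revoked certificates, the defender's job is to find what those certificates already signed inside the estate, which is the point of both the revocation passage above and the Zhong Stealer signers just described. The following is an added example, not code from DigiCert or the researchers named above: a small hunt over process-start telemetry that flags binaries whose signer (issuer, serial) is on a revocation list, and separately flags anything signed during the exposure window that the host still reports as "Valid". The second rule exists because a host that has not refreshed its revocation data keeps trusting the certificate, and an Authenticode signature countersigned by a timestamp that predates the revocation date also stays trusted unless the CA backdates the revocation to the compromise. The event schema, the serials, the issuer name, the hostnames and paths, and the 2026 dates of the exposure window are all constructed placeholders (the article gives only April 2 to 3 and "nearly two weeks").

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Assumed exposure window. The article dates the first compromise to April 2-3
# and says access went unnoticed for nearly two weeks; the year and the end
# date are placeholders for this example.
EXPOSURE_START = datetime(2026, 4, 2, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2026, 4, 17, tzinfo=timezone.utc)

# Revoked code-signing certificates as (issuer, serial). Both values are
# constructed placeholders; in practice they come from the CA's CRL/OCSP
# data or its published list of revoked certificates.
REVOKED_CERTS = {
    ("Example Code Signing CA", "01AB23CD45EF"),
}

# Constructed telemetry, one JSON object per line, in a hypothetical EDR
# schema: signer fields come from the Authenticode signature, signing_time
# from its RFC 3161 countersignature, status from the host's own check.
SAMPLE_EVENTS = r"""
{"host":"ws-17","image":"C:\\Users\\a\\Downloads\\update.exe","signer":"Example Vendor Ltd","issuer":"Example Code Signing CA","serial":"01AB23CD45EF","signing_time":"2026-04-09T11:02:00Z","status":"Valid"}
{"host":"ws-22","image":"C:\\Program Files\\Vendor\\tool.exe","signer":"Example Vendor Ltd","issuer":"Example Code Signing CA","serial":"77AA88BB99CC","signing_time":"2026-04-10T08:30:00Z","status":"Valid"}
{"host":"ws-05","image":"C:\\Program Files\\Editor\\editor.exe","signer":"Editor Co","issuer":"Example Code Signing CA","serial":"5566778899AA","signing_time":"2026-01-15T09:00:00Z","status":"Valid"}
{"host":"ws-31","image":"C:\\Windows\\Temp\\loader.exe","signer":"Example Vendor Ltd","issuer":"Example Code Signing CA","serial":"01AB23CD45EF","signing_time":"2026-04-11T17:45:00Z","status":"Revoked"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry; signing_time becomes an aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["signing_time"] = datetime.fromisoformat(ev["signing_time"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def classify(ev: dict) -> Optional[str]:
    """'revoked' beats everything; 'exposure-window' catches what the host still trusts."""
    if (ev["issuer"], ev["serial"]) in REVOKED_CERTS:
        return "revoked"
    if EXPOSURE_START <= ev["signing_time"] <= EXPOSURE_END and ev["status"] == "Valid":
        return "exposure-window"
    return None


def hunt(text: str) -> dict:
    """Group flagged host:image pairs by verdict, preserving input order."""
    hits = {"revoked": [], "exposure-window": []}
    for ev in parse_events(text):
        verdict = classify(ev)
        if verdict:
            hits[verdict].append(f"{ev['host']}:{ev['image']}")
    return hits


if __name__ == "__main__":
    for verdict, items in hunt(SAMPLE_EVENTS).items():
        print(verdict)
        for item in items:
            print("  ", item)
```

Note that `ws-31` is flagged even though its own status is already "Revoked": the match is on the certificate identity, not on what the endpoint concluded, so hosts that caught up late and hosts that never will are treated the same. The exposure-window bucket is a review queue rather than an alert; most of it will be legitimate software signed by the same vendors during those two weeks.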

DigiCert’s response and what’s changing

DigiCert emphasizes that the attacker only accessed code-signing initialization data. No evidence suggests a broader system compromise. They didn’t misuse other validation processes or issue other certificate types. And here’s a silver lining: the company revoked every identified malicious or exposed certificate within 24 hours of discovery.

Since the incident, DigiCert has rolled out several security upgrades. They now enforce stricter file upload controls, have enhanced endpoint monitoring, and have made phishing-resistant multi-factor authentication mandatory for support workflows. They have also started masking those dangerous initialization codes.

DigiCert says they’re tightening things up with just-in-time access and sharper anomaly detection for their systems. But this whole situation illustrates that even guardians of trust make mistakes. With trusted certificates in hand, attackers can deploy malicious software that looks legitimate, to the point that even an expert may struggle to identify it.

At its core, this breach was a sophisticated form of identity theft: criminals stealing digital credentials to impersonate trusted entities. Our complete guide to identity theft explains what it is, how it works, and how to protect yourself.
