In early April 2026, DigiCert, a leading certificate authority, experienced a sophisticated cyberattack that compromised its internal support environment. The attackers employed a deceptive method involving a malicious Windows screensaver (.scr) file, ultimately leading to the theft of Extended Validation (EV) Code Signing certificates. These stolen certificates were subsequently used to distribute the Zhong Stealer malware, a tool associated with cybercriminal groups targeting cryptocurrency assets.
The Breach: A Detailed Account
On April 2, 2026, an unidentified threat actor initiated contact with DigiCert’s customer support team via a Salesforce-based chat platform. Posing as a legitimate customer, the attacker repeatedly sent a ZIP archive purportedly containing a screenshot to illustrate a support issue. This archive, however, concealed a malicious .scr file—a type of file that Windows systems recognize as an executable screensaver.
Despite four initial delivery attempts being thwarted by endpoint security measures like CrowdStrike, the fifth attempt succeeded. A support analyst executed the malicious file on a machine referred to as ENDPOINT1, leading to its compromise. DigiCert’s Trust Operations team promptly detected and isolated this machine by April 3, 2026.
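The delivery trick above relies on an executable .scr posing as a screenshot inside a ZIP. The following added example (not DigiCert's or CrowdStrike's code) shows a defender-side triage check that flags archive members by executable extension, by a decoy image extension in the name, and by a PE (MZ) header hiding behind a non-executable extension; the sample archive and its MZ stubs are constructed in the block.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will run on double-click; .scr (screensaver) is the one used in this incident.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
MZ_MAGIC = b"MZ"  # first two bytes of every PE executable, .scr files included

def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def inspect_archive(data: bytes) -> List[Dict]:
    """Return one finding per suspicious member of a ZIP archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _ext(name)
            stem = name[: -len(ext)] if ext else name
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
                if _ext(stem) in IMAGE_EXTS:  # e.g. screenshot.png.scr
                    reasons.append("image extension used as decoy")
            elif head == MZ_MAGIC:  # PE content behind a harmless-looking extension
                reasons.append("PE header with non-executable extension")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample archive; the 'executables' are MZ stubs, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot.png.scr", MZ_MAGIC + b"\x00" * 62)
        zf.writestr("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # a genuine image header
        zf.writestr("notes.jpg", MZ_MAGIC + b"\x00" * 30)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```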
However, the investigation overlooked a critical detail. On April 4, 2026, a second machine, ENDPOINT2, was compromised through the same deceptive method. A malfunctioning CrowdStrike sensor on ENDPOINT2 resulted in a detection gap, allowing the breach to go unnoticed until April 14, 2026. This ten-day window provided the attacker with unrestricted access to DigiCert’s internal systems.
Exploitation of Internal Systems
With control over compromised analyst accounts, the attacker accessed DigiCert’s internal customer support portal. They exploited a feature that allows support staff to view customer accounts from the customer’s perspective. While this function restricts certain actions—such as account management, API-key access, or order submissions—it does expose initialization codes for approved but undelivered EV Code Signing certificate orders.
Possessing these initialization codes enabled the attacker to obtain and activate valid certificates without further authorization. This breach underscores the critical importance of securing internal support tools and the potential risks associated with their exploitation.
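The design flaw described above is that "view as customer" renders the order exactly as the customer sees it, initialization code included. The added example below (illustrative code, not DigiCert's portal) contrasts that behaviour with a hardened view that keeps the same ownership check but withholds the code in impersonation sessions and records each impersonated access; the Session and Order types, the audit list and the order values are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Session:
    user: str                            # account the session authenticated as
    impersonating: Optional[str] = None  # customer being viewed via the support "view as" feature

@dataclass(frozen=True)
class Order:
    order_id: str
    owner: str
    status: str      # "approved" = issued but not yet delivered to the customer
    init_code: str   # constructed placeholder, not a real initialization code

def _effective_customer(order: Order, session: Session) -> str:
    effective = session.impersonating or session.user
    if effective != order.owner:
        raise PermissionError(f"{session.user} may not view order {order.order_id}")
    return effective

def order_view_vulnerable(order: Order, session: Session) -> dict:
    """Impersonation simply becomes the customer, so support staff (or whoever holds
    their account) see the initialization code exactly as the customer would."""
    _effective_customer(order, session)
    return {"order_id": order.order_id, "status": order.status, "init_code": order.init_code}

def order_view_hardened(order: Order, session: Session, audit: List[str]) -> dict:
    """Same ownership check, but the secret never leaves the server in an impersonation
    session, and every impersonated view of the order is written to an audit trail."""
    _effective_customer(order, session)
    view = {"order_id": order.order_id, "status": order.status}
    if session.impersonating is None:
        view["init_code"] = order.init_code
    else:
        view["init_code"] = "<redacted: not available in impersonation sessions>"
        audit.append(f"impersonation actor={session.user} customer={order.owner} "
                     f"order={order.order_id} field=init_code")
    return view

# Constructed sample data.
ORDER = Order("ORD-0001", "acme-corp", "approved", "INITCODE-PLACEHOLDER")
CUSTOMER = Session(user="acme-corp")
SUPPORT = Session(user="support-analyst", impersonating="acme-corp")
```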
Distribution of Zhong Stealer Malware
Between April 14 and April 17, 2026, DigiCert revoked 60 EV Code Signing certificates issued from four Certificate Authorities:
– DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
– DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
– GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
– Verokey High Assurance Secure Code EV
Of these, 27 were directly linked to the threat actor: 11 were identified through community-submitted reports and 16 during DigiCert’s internal investigation. The remaining 33 were revoked as a precautionary measure because customer control of the certificate could not be explicitly confirmed.
The stolen certificates were used to digitally sign payloads delivering Zhong Stealer, a malware family previously associated with cybercrime groups involved in cryptocurrency theft. Security researchers have linked the Zhong Stealer campaign to GoldenEyeDog (APT-Q-27), a known Chinese e-crime group. However, it remains unclear whether this group was directly responsible for the DigiCert breach itself.
Implications and Lessons Learned
This incident highlights several critical aspects of cybersecurity:
1. Social Engineering Tactics: The attacker’s use of a seemingly innocuous screensaver file underscores the effectiveness of social engineering. Organizations must educate employees about the risks associated with executing unsolicited files, regardless of their apparent legitimacy.
2. Endpoint Security Vigilance: The initial compromise was detected and contained swiftly. However, the failure of security sensors on ENDPOINT2 allowed the second breach to go unnoticed for ten days. Regular audits and maintenance of security tools are essential to ensure their effectiveness.
3. Internal System Access Controls: The attacker’s ability to exploit internal support tools to access sensitive information highlights the need for stringent access controls and regular reviews of internal system permissions.
4. Certificate Management: The misuse of stolen EV Code Signing certificates to distribute malware emphasizes the importance of robust certificate management practices, including timely revocation and monitoring for unauthorized use.
DigiCert’s Response and Recommendations
In response to the breach, DigiCert took several steps:
– Revocation of Compromised Certificates: All identified compromised certificates were revoked promptly to prevent their misuse.
– Enhanced Monitoring: DigiCert has implemented enhanced monitoring of its internal systems to detect and respond to similar threats more swiftly in the future.
– Employee Training: The company has reinforced training programs to educate employees about social engineering tactics and the importance of vigilance when handling unsolicited files.
DigiCert also recommends that organizations:
– Implement Multi-Factor Authentication (MFA): MFA adds an additional layer of security, making it more difficult for attackers to gain unauthorized access.
– Regularly Update Security Tools: Ensure that all security tools are up-to-date and functioning correctly to detect and prevent breaches.
– Conduct Regular Security Audits: Regular audits can help identify and mitigate potential vulnerabilities within internal systems.
– Educate Employees: Continuous education on the latest cyber threats and social engineering tactics can empower employees to recognize and avoid potential attacks.
Conclusion
The DigiCert breach serves as a stark reminder of the evolving tactics employed by cybercriminals and the importance of comprehensive cybersecurity measures. By understanding the methods used in this attack and implementing robust security practices, organizations can better protect themselves against similar threats in the future.