Hackers Trick DigiCert Into Issuing Certificates Used to Sign Malware
DigiCert revokes 60 code signing certificates after attackers breach support systems to issue malware signatures.
Summary
Hackers tricked DigiCert support staff into executing malware via a disguised ZIP file attachment, compromising two endpoints and gaining access to certificate issuance systems. Using stolen initialization codes as bearer credentials, the attackers procured valid EV Code Signing certificates and used them to sign the Zhong Stealer malware. DigiCert revoked all 60 affected certificates within 24 hours of discovery after an independent researcher disclosed the abuse.
Full text
By Deeba Ahmed, May 10, 2026

On 2 April 2026, DigiCert’s support team became the target of a carefully planned attack that allowed hackers to obtain EV Code Signing certificates simply by pretending to be a customer in a help chat.

According to DigiCert’s official advisory and incident response report (filed as Bug 2033170 in Mozilla’s CA compliance tracker), the attacker contacted a support agent via a chat channel and sent a ZIP file disguised as a screenshot. The archive contained a malicious executable named k3.exe (an .scr file). DigiCert’s internal security tools caught the threat four times, but because agents are expected to open files from customers in order to help them, the staff member kept trying. On the fifth attempt, the malware got through and infected the workstation, known as ENDPOINT1.

Based in Utah, DigiCert is one of the world’s largest Certificate Authorities, responsible for verifying that websites and software are legitimate.

A Second Victim

While the company thought the situation was under control by 3 April, a second machine, ENDPOINT2, was also compromised on 4 April. This machine had a malfunctioning CrowdStrike sensor, which left a gap in Endpoint Detection and Response (EDR) coverage: no telemetry reached the security team to warn them of the breach. This gap allowed the hackers to reach an internal support portal. From there, they could see initialization codes for certificate orders.

In the wrong hands, these codes act as “bearer credentials,” DigiCert explained, and “possession of the initialisation code, combined with an approved order, is functionally sufficient to generate and retrieve the corresponding certificate.” This means the hackers had everything they needed to issue their own valid EV Code Signing certificates.

“The threat actor was able to procure initialization codes for a limited number of code signing certificates, a few of which were then used to sign malware. The identified certificates were revoked within 24 hours of discovery, and the revocation date set to their date of issuance. As a precautionary measure, pending orders within the window of interest were cancelled,” DigiCert’s investigation revealed.

Discovery of the Zhong Stealer

The breach was disclosed on 14 April, when an independent researcher noticed that the Zhong Stealer malware was being signed with genuine DigiCert signatures. It was later identified that the hackers had breached the system 27 times, and DigiCert ultimately had to revoke 60 certificates to prevent further damage.

The investigation also found that the hackers used Okta FastPass to stay logged in. Because they were operating from a compromised, trusted workstation, the system treated them as the real staff member and did not ask for extra identity checks.

Fixing the Portal

By 17 April 2026, the company had revoked all affected certificates and made some significant changes, such as blocking .scr files in chats and masking secret codes in the portal so that agents cannot see them.

DigiCert admitted it was somewhat lucky that a researcher spoke up, noting that without that tip, the “active certificate theft might still be running today.”
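The two portal and chat changes described above (rejecting .scr files before an agent can open them, and masking initialization codes so they never sit in an agent's view) are simple enough to show in working code. The following is an added example written for this page; it is not DigiCert's code and does not reflect how their support portal is built. The deny-list beyond .scr, the check for a Windows PE header, the masking format, and the sample archive (a ZIP carrying a file named like a screenshot that actually holds executable bytes, modelled on the disguised k3.exe) are all assumptions constructed for the demonstration.

```python
import io
import zipfile

# Extensions a support agent must never be allowed to open from a chat
# attachment. Only .scr comes from the incident; the rest is an assumed
# default deny-list for a support tool.
BLOCKED_EXTENSIONS = {
    ".scr", ".exe", ".dll", ".com", ".pif", ".bat",
    ".cmd", ".js", ".vbs", ".hta", ".msi",
}

# Windows executables start with "MZ" no matter what the file is called.
PE_MAGIC = b"MZ"


def suspicious_entries(zip_bytes: bytes) -> list[str]:
    """Return one finding per sign that an archive entry is executable,
    judged both by its real final extension (so "shot.png.scr" is caught)
    and by its content. An empty list means nothing looked executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            for ext in BLOCKED_EXTENSIONS:
                if lower.endswith(ext):
                    findings.append(f"{name}: blocked extension {ext}")
                    break
            # Content check is independent of the name, so a renamed
            # executable with an innocent extension is still flagged.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:
                findings.append(f"{name}: PE header (MZ) despite name")
    return findings


def screen_attachment(zip_bytes: bytes) -> bool:
    """True if the attachment may be shown to an agent, False to quarantine."""
    return not suspicious_entries(zip_bytes)


def mask_init_code(code: str, visible: int = 4) -> str:
    """Mask an initialization code so an agent can confirm its last few
    characters with a customer without ever holding the full bearer value.
    The 'last four visible' format is an assumption for this example."""
    if len(code) <= visible:
        return "*" * len(code)
    return "*" * (len(code) - visible) + code[-visible:]


def build_sample_zip() -> bytes:
    """Constructed sample: a genuine PNG header, a double-extension .scr
    with PE bytes, and a PE file renamed to look like an image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("screenshot.png.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("image2.png", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed sample: an archive holding only a real-looking PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_entries(build_sample_zip()):
        print("BLOCK:", finding)
    print("clean archive allowed:", screen_attachment(build_clean_zip()))
    print("masked code:", mask_init_code("A1B2C3D4E5F6"))
```

Checking content as well as the final extension matters here: a simple `.scr` block would have stopped the attachment in this incident, but an executable renamed to `.png` would walk straight past it. Masking the initialization code in the agent's view addresses the second failure the article describes, where seeing the code was enough to retrieve a certificate.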
Indicators of Compromise
- malware — Zhong Stealer