A sophisticated threat actor breached DigiCert’s internal support environment in early April 2026 by tricking support analysts into executing a disguised malicious screensaver file, ultimately obtaining stolen EV Code Signing certificates used to distribute the “Zhong Stealer” malware family.
On April 2, 2026, a threat actor contacted DigiCert’s customer support team through a Salesforce-based chat channel and repeatedly sent a malicious ZIP file disguised as a customer screenshot.
The archive contained a .scr (screensaver) executable, a classic social engineering trick that abuses Windows’ treatment of .scr files as native executables.
CrowdStrike and other endpoint defenses blocked four consecutive delivery attempts, but a fifth attempt succeeded, compromising ENDPOINT1, a machine operated by a support analyst. DigiCert’s Trust Operations team detected and isolated that machine by April 3, 2026.
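As an added illustration (not code from the original report or from DigiCert), a small Python check of the kind a mail or chat gateway could run on inbound archives: it flags entries with an executable extension, a double extension such as an image name ending in .scr, or a PE header hidden under a harmless-looking name. The ZIP contents are constructed here and are not a real sample.

```python
"""Flag archive entries that could be a disguised executable, like the
'.scr inside a ZIP posing as a screenshot' lure described in the article."""
import io
import zipfile

# Extensions Windows runs as native executables; a "screenshot" should never carry one.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".cpl"}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def inspect_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, reason) for every entry that looks like a lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.lower().rsplit("/", 1)[-1]
            parts = basename.split(".")
            final_ext = "." + parts[-1] if len(parts) > 1 else ""
            inner_exts = {"." + p for p in parts[1:-1]}
            with zf.open(info) as fh:
                head = fh.read(2)  # first two bytes: "MZ" marks a PE executable
            if final_ext in EXECUTABLE_EXTENSIONS and inner_exts & IMAGE_EXTENSIONS:
                findings.append((info.filename, "image name with executable extension"))
            elif final_ext in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "executable extension"))
            elif head == b"MZ":
                # PE header under a non-executable name: a renamed binary
                findings.append((info.filename, "PE header under non-executable extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample ZIP mimicking the lure (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # benign image
        zf.writestr("screenshot.png.scr", b"MZ" + b"\x00" * 62)  # PE stub with .scr extension
        zf.writestr("invoice.jpg", b"MZ\x90\x00" + b"\x00" * 60)  # PE stub renamed to .jpg
        zf.writestr("readme.txt", b"plain text, nothing to flag")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_archive(build_sample_archive()):
        print(f"FLAG {name}: {reason}")
```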
Despite the initial containment, the investigation had a critical blind spot. A second machine, ENDPOINT2, was later confirmed to have been compromised through the same delivery vector on April 4, 2026.
A malfunctioning CrowdStrike sensor on ENDPOINT2 created a detection gap, meaning this compromise went completely undetected during the April 3 investigation.
DigiCert only discovered the ENDPOINT2 breach on April 14, 2026, a ten-day window during which the attacker had unrestricted access.
Using the compromised analyst accounts, the threat actor accessed DigiCert’s internal customer support portal and exploited a feature that allows authenticated support staff to view customer accounts from the customer’s perspective.
This function is restricted: it does not permit account management, API-key access, or order submissions. It does, however, expose initialization codes for approved but undelivered EV Code Signing certificate orders across a finite set of customer accounts.
Critically, possession of an initialization code combined with an already-approved order is sufficient to obtain and activate a valid certificate, giving the attacker a direct pathway to legitimate, CA-signed credentials.
Zhong Stealer Malware via Stolen Certificates
Between April 14 and April 17, 2026, DigiCert revoked 60 EV Code Signing certificates issued from four Certificate Authorities: DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1, and Verokey High Assurance Secure Code EV. Of the 60 revoked certificates, 27 were explicitly linked to the threat actor: 11 were identified through community-submitted certificate problem reports, and 16 were discovered during DigiCert’s own investigation.
The remaining 33 were revoked as a precautionary measure, where customer control could not be explicitly confirmed.
The stolen certificates were used to digitally sign payloads delivering Zhong Stealer, a malware family previously associated with cybercrime groups involved in cryptocurrency theft.
Security researchers have linked the Zhong Stealer campaign to GoldenEyeDog (APT-Q-27), a known Chinese e-crime group, though it remains unclear whether this group was directly responsible for the DigiCert breach itself.
The malware’s attack chain includes phishing lures with fake screenshots, first-stage decoy payloads, and retrieval of additional malware from cloud services such as AWS, with digitally signed binaries used specifically to evade endpoint detection.
All 60 compromised certificates were revoked within 24 hours of discovery. DigiCert deployed code changes blocking proxied support users from viewing Code Signing initialization codes at both the UI and API layers, disabled Okta FastPass for support portal access, tightened MFA requirements, and suspended the accounts of affected analysts.
Pending Code Signing orders were also canceled to eliminate any residual threat actor access. Seven IP addresses used by the attacker during certificate installation were identified: 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, and 45.144.227[.]29.
Key IOCs and Indicators
| Indicator | Details |
|---|---|
| Malware family | Zhong Stealer (RAT/Stealer hybrid) |
| Attributed threat actor | GoldenEyeDog / APT-Q-27 (unconfirmed for breach) |
| Malicious file types | .scr executable inside ZIP archive |
| Attacker IPs | 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, 45.144.227[.]29 |
| Total certificates revoked | 60 EV Code Signing |
| Certificates directly attributed to attacker | 27 |
| Non-compliance window | April 4 – April 17, 2026 |
The IP addresses above are defanged (written with [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Organizations relying on code-signing validation should immediately verify that all 60 revoked DigiCert certificates have propagated across their CRL/OCSP infrastructure and are not trusted in any internal allowlists or pinned certificate configurations.
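As an added example (not part of the original article), the following Python re-fangs the attacker IPs listed in the table above and sweeps constructed firewall log lines for connections to them; the key=value log format and the sample lines are assumptions.

```python
"""Re-fang the defanged attacker IPs from the article's IOC table and sweep
sample egress firewall logs for exact matches against them."""
import ipaddress
import re

# Defanged exactly as the article lists them (the table's "Attacker IPs" row).
DEFANGED_IPS = [
    "82.23.186[.]8", "154.12.185[.]32", "45.144.227[.]12", "203.160.68[.]2",
    "154.12.185[.]30", "62.197.153[.]45", "45.144.227[.]29",
]


def refang(indicator: str) -> str:
    """Undo common defanging styles and validate the result is a real IPv4 address."""
    clean = indicator.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    ipaddress.IPv4Address(clean)  # raises ValueError if the indicator is malformed
    return clean


ATTACKER_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Constructed sample lines in an assumed "key=value" firewall format.
SAMPLE_LOGS = [
    "2026-04-09T10:14:03Z fw01 action=allow src=10.20.1.55 dst=45.144.227.29 dport=443",
    "2026-04-09T10:15:11Z fw01 action=allow src=10.20.1.55 dst=142.250.72.14 dport=443",
    "2026-04-10T08:02:40Z fw01 action=allow src=10.20.1.61 dst=154.12.185.30 dport=443",
    "2026-04-10T08:03:01Z fw01 action=deny src=10.20.1.61 dst=154.12.185.300 dport=443",
]

KV = re.compile(r"(\w+)=(\S+)")


def find_hits(lines):
    """Return (timestamp, src, dst) for each line whose dst is a listed attacker IP.
    Matching is on the whole address, so a near miss like 154.12.185.300 is ignored."""
    hits = []
    for line in lines:
        fields = dict(KV.findall(line))
        dst = fields.get("dst")
        if dst in ATTACKER_IPS:
            hits.append((line.split()[0], fields.get("src"), dst))
    return hits


if __name__ == "__main__":
    for ts, src, dst in find_hits(SAMPLE_LOGS):
        print(f"{ts} {src} -> {dst} (listed attacker IP)")
```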