HackRead

Hackers Trick DigiCert Into Issuing Certificates Used to Sign Malware


On 2 April 2026, DigiCert’s support team became the target of a carefully planned attack, which allowed hackers to steal EV Code Signing certificates by simply pretending to be a customer in a help chat.

According to DigiCert’s official advisory and incident response report (filed as Bug 2033170 in Mozilla’s CA compliance tracker), the attacker contacted a support agent via a chat channel and sent a ZIP file disguised as a screenshot. This file contained a malicious executable file named k3.exe (an .scr file).

DigiCert’s internal security tools blocked the file four times, but because agents are expected to open files from customers in order to help them, the staff member kept trying. On the fifth attempt, the malware got through and infected the workstation, referred to as ENDPOINT1.

Based in Utah, DigiCert is one of the world’s largest Certificate Authorities, responsible for verifying that websites and software are legitimate.

A Second Victim

While the company thought the situation was under control by 3 April, a second machine, ENDPOINT2, was also compromised on 4 April. This machine had a malfunctioning CrowdStrike sensor, which left a gap in Endpoint Detection and Response (EDR) coverage: no telemetry from the machine reached the security team to warn them of the breach.

This gap allowed the hackers to reach an internal support portal. From there, they could see initialization codes for certificate orders. In the wrong hands, these codes act as “bearer credentials,” DigiCert explained, and “possession of the initialisation code, combined with an approved order, is functionally sufficient to generate and retrieve the corresponding certificate.” This means the hackers had everything they needed to issue their own valid EV Code Signing certificates.

“The threat actor was able to procure initialization codes for a limited number of code signing certificates, a few of which were then used to sign malware. The identified certificates were revoked within 24 hours of discovery, and the revocation date set to their date of issuance. As a precautionary measure, pending orders within the window of interest were cancelled,” DigiCert’s investigation revealed.

Discovery of the Zhong Stealer

The breach was disclosed on 14 April when an independent researcher noticed that the Zhong Stealer malware was being signed with real DigiCert signatures. It was later determined that the hackers breached the system 27 times, and in all DigiCert had to revoke 60 certificates to prevent further damage.

The investigation also found that the hackers used Okta FastPass to stay logged in. Because they were operating from the compromised workstation, the system treated them as the legitimate staff member and did not ask for extra identity checks.

Fixing the Portal

By 17 April 2026, the company had revoked all affected certificates and made some big changes, like blocking .scr files in chats and masking secret codes in their portal so agents cannot see them. DigiCert admitted they got a bit lucky that a researcher spoke up, noting that without that tip, the “active certificate theft might still be running today.”
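As an added example (not DigiCert’s own tooling), the following Python check shows what an upload filter in a support-chat pipeline could do with a ZIP before an agent opens it: it combines the extension block the article describes with a content check for the MZ header, because an executable renamed to look like a screenshot keeps that header. The extension lists and the sample archive are assumptions constructed here.

```python
import io
import zipfile

# Extensions Windows runs on double-click; .scr is the one used in the incident.
# Constructed list for this example, not DigiCert's policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".ps1", ".msi", ".dll"}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
PE_MAGIC = b"MZ"  # DOS/PE header every Windows executable starts with


def inspect_zip(data: bytes) -> list:
    """Return (member_name, reason) findings for a ZIP uploaded as a
    'screenshot'. An empty list means nothing suspicious was found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP file")]
    with zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            ext = ("." + lower.rsplit(".", 1)[-1]) if "." in lower else ""
            # 1. Extension block, the control described in the article.
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, f"executable extension {ext}"))
            # 2. Double-extension trick such as 'screenshot.png.scr'.
            parts = lower.split(".")
            if len(parts) > 2 and "." + parts[-2] in IMAGE_EXTENSIONS:
                findings.append((name, "image extension hidden before real extension"))
            # 3. Content check: a renamed executable still begins with 'MZ'.
            if info.file_size >= 2:
                with zf.open(info) as f:
                    head = f.read(2)
                if head == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
                    findings.append((name, "PE content behind a non-executable extension"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the incident: a .scr member plus an
    executable renamed to .png, alongside one genuine PNG header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("k3.scr", PE_MAGIC + b"\x90" * 64)          # constructed, not real malware
        zf.writestr("screenshot.png", PE_MAGIC + b"\x00" * 32)  # PE bytes behind an image name
        zf.writestr("real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()
```

Running `inspect_zip(build_sample_zip())` flags k3.scr and screenshot.png but not real.png; a pipeline would quarantine the upload on any finding rather than let the agent retry it.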
