A targeted social engineering attack against DigiCert’s support channel led to the compromise of internal systems and the unauthorized issuance of EV Code Signing certificates.

DigiCert is a global Certificate Authority (CA) providing digital trust services, specializing in TLS/SSL certificates, PKI management, and IoT security.
According to DigiCert’s incident report, a threat actor contacted the support team via a customer chat channel and delivered a malicious ZIP file disguised as a customer screenshot. The archive contained a .scr file, the Windows screensaver format, which is an ordinary Windows executable and runs when opened.
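As an added example (not DigiCert’s code or anything from its report), the following PowerShell triage script shows how a support team could inspect an attachment of this kind before anyone opens it: it lists ZIP entries that carry an executable extension such as .scr, flags double extensions that masquerade as images or documents, and reads the first two bytes of each entry to spot a PE (“MZ”) header without extracting anything to disk. The file name used in the usage line is a constructed placeholder; the script assumes Windows PowerShell 5.1 or later with .NET available.

```powershell
# Added example, not DigiCert's code: triage a ZIP received through a support
# channel without extracting it. Assumes Windows PowerShell 5.1+ / .NET.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows executes on double-click; .scr (screensaver) is a PE file just like .exe.
$ExecutableExtensions = @('.scr', '.exe', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js',
                          '.jse', '.wsf', '.hta', '.ps1', '.lnk', '.msi', '.dll')
# Benign-looking extensions that attackers place before the real one ("screenshot.png.scr").
$DecoyExtensions = @('.png', '.jpg', '.jpeg', '.gif', '.pdf', '.txt', '.docx', '.xlsx')

function Get-SuspiciousZipEntries {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/')) { continue }   # directory entry, nothing to check
            $ext      = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            $stem     = [System.IO.Path]::GetFileNameWithoutExtension($entry.Name)
            $innerExt = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()
            $reasons  = @()

            if ($ExecutableExtensions -contains $ext) {
                $reasons += "executable extension $ext"
                if ($DecoyExtensions -contains $innerExt) {
                    $reasons += "double extension $innerExt$ext masquerading as an image/document"
                }
            }

            # Content check: a PE header means it is an executable whatever the name says.
            $stream = $entry.Open()
            try {
                $magic = New-Object byte[] 2
                $read  = $stream.Read($magic, 0, 2)
                if ($read -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A) {
                    $reasons += 'PE header (MZ) present regardless of extension'
                }
            } finally { $stream.Dispose() }

            if ($reasons) {
                [pscustomobject]@{
                    Entry   = $entry.FullName
                    Bytes   = $entry.Length          # uncompressed size
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    } finally { $zip.Dispose() }
}

# Usage (constructed file name):
#   Get-SuspiciousZipEntries -Path .\customer_screenshot.zip | Format-Table -AutoSize
```

An empty result means no entry matched any of the three checks; a genuine screenshot archive should contain only image files and produce no output. The header check matters because renaming a .scr to .png defeats an extension filter but not the MZ test.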
“The threat actor used a limited function within the customer-support portal which allows authenticated DigiCert support analysts to access customer accounts from the customer’s perspective,” DigiCert wrote, noting that the feature does not permit actions such as managing accounts, users, API-keys, or submitting or managing orders.
“However, the threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery.”
While several delivery attempts were blocked, the attacker ultimately compromised two support systems, gaining access to internal tools.
The first compromised system was identified and contained within 24 hours, while a second system remained undetected for almost two weeks. Apparently, a misconfigured CrowdStrike EDR agent was to blame.
“The CrowdStrike prevention setting on ENDPOINT1 was below the intended organizational standard at the time of the initial compromise, allowing the malicious payload to execute before blocking engaged,” DigiCert said.
“The CrowdStrike sensor on ENDPOINT2 was absent, degraded, or non-reporting. As a result, no detection fired on the compromised machine.”
DigiCert explained that an initialization code, when paired with an approved order, is enough to retrieve a certificate. By accessing both, the attacker was able to generate legitimate EV Code Signing certificates across multiple accounts.
DigiCert revoked 60 code signing certificates, including 27 tied to the attacker’s activity. Of those, 11 were identified through certificate problem reports submitted by community members linking them to malware, while 16 were identified during the company’s internal investigation.
The rest were pulled as a precaution, as customer control could not be confirmed. All were revoked within 24 hours of discovery, and pending orders were cancelled to prevent further abuse.
A community member found the exploited certificates were used to sign the Zhong Stealer malware family, which has been linked to Chinese e-crime activity and cryptocurrency theft.
The company described itself as “lucky,” noting that a security researcher reported the misuse of certificates and engaged with the support team, helping uncover the second compromised system that might otherwise have remained undetected.
Microsoft Defender mistakenly flags trusted DigiCert certificates as malware
In a related development, Microsoft Defender mistakenly detected legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, triggering widespread false-positive alerts and, in some cases, removing certificates from Windows systems.
Cybersecurity expert Florian Roth was among the first to flag the issue publicly, posting on X and urging the security community to investigate. Roth also shared guidance to help administrators verify whether affected certificates had been restored.
Microsoft acknowledged the issue and fixed the false detections in updated Defender security intelligence releases, including version 1.449.430.0, which stopped the incorrect alerts.
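As an added example (not Microsoft’s fix and not Florian Roth’s published guidance), this PowerShell script shows the kind of check an administrator can run after updating Defender: it enumerates the DigiCert root certificates present in the machine’s Root and AuthRoot stores, warns if a store contains none, and confirms that Authenticode validation of a DigiCert-signed file still chains to a trusted root. The file path in the usage line is a constructed placeholder; the script assumes Windows PowerShell 5.1 or later run with administrative rights.

```powershell
# Added example, not Microsoft's or DigiCert's code: verify DigiCert roots survived
# (or were restored after) the Defender false positive. Assumes Windows PowerShell 5.1+.

function Get-DigiCertRootStatus {
    # Root = locally installed trusted roots; AuthRoot = Microsoft-distributed third-party roots.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot')
    foreach ($store in $stores) {
        $roots = Get-ChildItem -Path $store | Where-Object { $_.Subject -match 'DigiCert' }
        if (-not $roots) {
            # A store with no DigiCert roots at all is the signal that removal happened here.
            Write-Warning "No DigiCert root certificates found in $store"
            continue
        }
        foreach ($cert in $roots) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                # Presence alone is not enough; an expired root will not validate chains.
                InValidity = ($cert.NotBefore -le (Get-Date) -and $cert.NotAfter -ge (Get-Date))
            }
        }
    }
}

function Test-DigiCertAuthenticode {
    param([Parameter(Mandatory)][string]$Path)
    # Status values include Valid, NotSigned, HashMismatch, NotTrusted and UnknownError;
    # a signature that was Valid before the incident and is now NotTrusted points at a missing root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $rootSubject = $null
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($sig.SignerCertificate)
        # The last chain element is the root the system actually trusted (or stopped at).
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        $chain.Reset()
    }
    [pscustomobject]@{
        File             = $Path
        Status           = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        ChainRoot        = $rootSubject
        IssuedByDigiCert = if ($sig.SignerCertificate) { [bool]($sig.SignerCertificate.Issuer -match 'DigiCert') } else { $false }
    }
}

# Usage (constructed path):
#   Get-DigiCertRootStatus | Format-Table -AutoSize
#   Test-DigiCertAuthenticode -Path 'C:\Program Files\ExampleVendor\app.exe'
```

Run the first function before and after applying the updated security intelligence to see whether the store contents changed; the second function gives the practical answer, namely whether software signed under a DigiCert chain is again reported as Valid rather than NotTrusted.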
