DigiCert Breached via Weaponized Screensaver File to Obtain EV Code Signing Certificates


A sophisticated threat actor breached DigiCert's internal support environment in early April 2026 by tricking support analysts into executing a disguised malicious screensaver file, ultimately obtaining EV Code Signing certificates that were then used to distribute the "Zhong Stealer" malware family.

On April 2, 2026, the threat actor contacted DigiCert's customer support team through a Salesforce-based chat channel and repeatedly sent a malicious ZIP file disguised as a customer screenshot.

The archive contained a .scr (screensaver) executable, a classic social engineering trick that abuses Windows' treatment of .scr files as native executables: opening the "screenshot" runs the attacker's code.

CrowdStrike and other endpoint defenses blocked four consecutive delivery attempts, but a fifth attempt succeeded, compromising ENDPOINT1, a machine operated by a support analyst. DigiCert's Trust Operations team detected and isolated that machine by April 3, 2026.
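A triage check for the delivery vector described above, written as an added example that is not part of the original article or of DigiCert's own tooling: it opens a ZIP attachment and flags entries that Windows would run as native code, by extension, by PE header regardless of extension, and by the "screenshot.png.scr" double-extension pattern that Explorer's default "hide known extensions" setting displays as "screenshot.png". The sample archive, the minimal PE stub and the benign entries are constructed inline; the extension lists are assumptions for this example, not a complete list of what Windows executes.

```python
import io
import struct
import zipfile

# Assumption for this example: extensions Windows runs as native code when opened.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".hta",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".msi", ".lnk", ".ps1"}
# Extensions a "customer screenshot" would legitimately carry.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp"}


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per suspicious archive entry, with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Look only at the basename, lower-cased, split on dots to see every extension.
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                head = fh.read(4096)  # enough for the DOS stub and the PE signature
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if is_pe(head):
                reasons.append("PE header present")
                if ext in IMAGE_EXTS:
                    reasons.append("image extension on PE content")
            if len(parts) > 2 and "." + parts[-2] in IMAGE_EXTS:
                reasons.append("double extension (image name, real extension hidden by Explorer)")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a 'screenshot' ZIP holding a minimal PE stub named like an image."""
    # MZ header, e_lfanew = 0x40, then the PE signature; enough to satisfy is_pe().
    fake_pe = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 64
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # real PNG magic, benign filler
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("screenshot.png.scr", fake_pe)   # the lure: shown as "screenshot.png"
        zf.writestr("screenshot2.png", png)          # a genuine image, must not be flagged
        zf.writestr("readme.txt", b"see attached screenshots\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_zip()):
        print(f"{f['name']} ({f['size']} bytes): " + "; ".join(f["reasons"]))
```

The PE check is deliberately independent of the extension: an attacker who renames the payload to .png still trips it, and a mail or chat gateway that only matches on ".scr" does not. For real traffic, run the same inspection on nested archives and on password-protected ZIPs whose password is given in the chat, since both are common ways to get past the first filter.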

Despite the initial containment, the investigation had a critical blind spot. A second machine, ENDPOINT2, had been compromised through the same delivery vector on April 4, 2026.

DigiCert did not discover the ENDPOINT2 compromise until April 14, 2026, a ten-day window during which the attacker retained unrestricted access.

Using the compromised analyst accounts, the threat actor accessed DigiCert's internal customer support portal and exploited a feature that allows authenticated support staff to view customer accounts from the customer's perspective.

This function is restricted: it does not permit account management, API-key access, or order submissions. It does, however, expose initialization codes for approved but not-yet-delivered EV Code Signing certificate orders across a finite set of customer accounts.

Critically, possession of an initialization code combined with an already-approved order is sufficient to obtain and activate a valid certificate, giving the attacker a direct path to legitimate, CA-signed credentials without ever passing the identity validation that an EV order normally requires of the applicant.

Zhong Stealer Malware via Stolen Certificates

Between April 14 and April 17, 2026, DigiCert revoked 60 EV Code Signing certificates issued from four Certificate Authorities: DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1, and Verokey High Assurance Secure Code EV. Of the 60 revoked certificates, 27 were explicitly linked to the threat actor: 11 identified through community-submitted certificate problem reports, and 16 discovered during DigiCert's own investigation.

The remaining 33 were revoked as a precaution, because customer control of those certificates could not be explicitly confirmed.

The stolen certificates were used to digitally sign payloads delivering Zhong Stealer, a malware family previously associated with cybercrime groups involved in cryptocurrency theft.

Security researchers have linked the Zhong Stealer campaign to GoldenEyeDog (APT-Q-27), a known Chinese e-crime group, though it remains unclear whether this group was directly responsible for the DigiCert breach itself.

The malware's attack chain consists of phishing lures with fake screenshots, first-stage decoy payloads, and retrieval of additional malware from cloud services such as AWS, with the digitally signed binaries used specifically to evade endpoint detection.

All 60 compromised certificates were revoked within 24 hours of discovery. DigiCert deployed code changes blocking proxied support users from viewing Code Signing initialization codes at both the UI and API layers, disabled Okta FastPass for support portal access, tightened MFA requirements, and suspended the accounts of the affected analysts.

Pending Code Signing orders were also cancelled to eliminate any residual threat actor access. Seven IP addresses used by the attacker during certificate installation were identified: 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, and 45.144.227[.]29.

Key IOCs and Indicators

Malware family: Zhong Stealer (RAT/stealer hybrid)
Attributed threat actor: GoldenEyeDog / APT-Q-27 (unconfirmed for the breach itself)
Malicious file type: .scr executable inside a ZIP archive
Attacker IPs: 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, 45.144.227[.]29
Total certificates revoked: 60 EV Code Signing
Certificates directly attributed to the attacker: 27
Non-compliance window: April 4 – April 17, 2026

Note: IP addresses and domains are deliberately defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Refang them only inside controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Organizations relying on code-signing validation should immediately verify that all 60 revoked DigiCert certificates have propagated through their CRL/OCSP infrastructure and are not trusted in any internal allowlists or pinned certificate configurations. Because a timestamped Authenticode signature continues to validate when the countersignature predates the certificate's revocation date, check the revocation's effective date against the signing timestamp of any binary in question rather than relying on revocation status alone.
