On April 2, 2026, a threat actor contacted DigiCert’s customer support team through a Salesforce-based chat channel and repeatedly sent a malicious ZIP file disguised as a customer screenshot.
The archive contained a .scr (screensaver) executable, a classic social engineering trick that abuses Windows’ treatment of .scr files as native executables.
CrowdStrike and other endpoint defenses blocked four consecutive delivery attempts, but a fifth attempt succeeded, compromising ENDPOINT1, a machine operated by a support analyst. DigiCert’s Trust Operations team detected and isolated that machine by April 3, 2026.
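The delivery trick described above is a ZIP whose "screenshot" is really a Windows executable. The following Go check is an added example, not part of the article or of DigiCert's or CrowdStrike's tooling: it shows what a chat or mail gateway can do with an uploaded archive before a human opens it. It flags entries by executable extension and, separately, by content (the PE "MZ" header), so a .scr and a PE renamed to .png are both caught. The function and type names (ScanZip, Finding, buildSampleZip) and the in-memory sample archive are mine; the archive bytes are placeholders, not real malware.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Extensions Windows runs directly on double-click. The DigiCert lure used
// .scr; the rest are the usual companions seen in chat and e-mail lures.
var executableExts = map[string]bool{
	".scr": true, ".exe": true, ".pif": true, ".com": true, ".cpl": true,
	".bat": true, ".cmd": true, ".js": true, ".vbs": true, ".hta": true,
	".lnk": true, ".msi": true,
}

// Finding is one suspicious archive entry and why it was flagged.
type Finding struct {
	Name   string
	Reason string
}

// ScanZip inspects an in-memory ZIP and flags entries that are Windows
// executables either by extension ("screenshot.scr", "shot.png.scr") or by
// content: a PE "MZ" header hiding behind an innocent-looking name.
func ScanZip(data []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range r.File {
		if f.FileInfo().IsDir() {
			continue
		}
		ext := strings.ToLower(path.Ext(f.Name))
		if executableExts[ext] {
			findings = append(findings, Finding{f.Name, "executable extension " + ext})
			continue // already flagged; no need to read the body
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		head := make([]byte, 2)
		n, _ := io.ReadFull(rc, head) // short entries simply yield n < 2
		rc.Close()
		if n == 2 && head[0] == 'M' && head[1] == 'Z' {
			findings = append(findings, Finding{f.Name, "PE header under non-executable extension " + ext})
		}
	}
	return findings, nil
}

// buildSampleZip constructs, entirely in memory, an archive shaped like the
// lure in the article: a harmless PNG, a .scr, and a PE renamed to .png.
// The bytes are placeholders, not real malware.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	add := func(name string, body []byte) {
		fw, err := w.Create(name)
		if err != nil {
			panic(err)
		}
		fw.Write(body)
	}
	add("screenshot.png", []byte("\x89PNG\r\n\x1a\nnot-a-real-image"))
	add("screenshot.scr", []byte("MZ\x90\x00not-a-real-pe"))
	add("invoice.png", []byte("MZ\x90\x00pe-renamed-to-png"))
	add("readme.txt", []byte("see attached screenshot"))
	w.Close()
	return buf.Bytes()
}

func main() {
	findings, err := ScanZip(buildSampleZip())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("BLOCK %-16s %s\n", f.Name, f.Reason)
	}
}
```

Two caveats a gateway operator should keep in mind: this scan does not recurse into nested archives, and it cannot look inside password-protected ZIPs, both of which lures routinely use to defeat exactly this kind of inspection. Those cases deserve a block-by-default policy rather than a pass.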
Despite the initial containment, the investigation had a critical blind spot. A second machine, ENDPOINT2, was later confirmed to have been compromised through the same delivery vector on April 4, 2026.
A malfunctioning CrowdStrike sensor on ENDPOINT2 created a detection gap, meaning this compromise went completely undetected during the April 3 investigation.
DigiCert only discovered the ENDPOINT2 breach on April 14, 2026, a ten-day window during which the attacker had unrestricted access.
Using the compromised analyst accounts, the threat actor accessed DigiCert’s internal customer support portal and exploited a feature that allows authenticated support staff to view customer accounts from the customer’s perspective.
The function is restricted: it does not permit account management, API-key access, or order submission. It does, however, expose the initialization codes for approved but not yet delivered EV Code Signing certificate orders across a finite set of customer accounts.
Critically, possession of an initialization code combined with an already-approved order is sufficient to obtain and activate a valid certificate, giving the attacker a direct pathway to legitimate, CA-signed credentials.
Between April 14 and April 17, 2026, DigiCert revoked 60 EV Code Signing certificates issued by four issuing CAs: DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1, and Verokey High Assurance Secure Code EV. Of the 60 revoked certificates, 27 were explicitly linked to the threat actor: 11 identified through community-submitted certificate problem reports and 16 discovered during DigiCert's own investigation.
The remaining 33 were revoked as a precautionary measure, where customer control could not be explicitly confirmed.
The stolen certificates were used to digitally sign payloads delivering Zhong Stealer, a malware family previously associated with cybercrime groups involved in cryptocurrency theft.
Security researchers have linked the Zhong Stealer campaign to GoldenEyeDog (APT-Q-27), a known Chinese e-crime group, though it remains unclear whether this group was directly responsible for the DigiCert breach itself.
The malware’s attack chain includes phishing lures with fake screenshots, first-stage decoy payloads, and retrieval of additional malware from cloud services such as AWS, with digitally signed binaries used specifically to evade endpoint detection.
All 60 compromised certificates were revoked within 24 hours of discovery. DigiCert deployed code changes blocking proxied support users from viewing Code Signing initialization codes at both the UI and API layers, disabled Okta FastPass for support portal access, tightened MFA requirements, and suspended the accounts of affected analysts.
Pending Code Signing orders were also canceled to eliminate any residual threat actor access. Seven IP addresses used by the attacker during certificate installation were identified: 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, and 45.144.227[.]29.
| Indicator | Details |
|---|---|
| Malware family | Zhong Stealer (RAT/Stealer hybrid) |
| Attributed threat actor | GoldenEyeDog / APT-Q-27 (unconfirmed for breach) |
| Malicious file types | .scr executable inside ZIP archive |
| Attacker IPs | 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, 45.144.227[.]29 |
| Total certificates revoked | 60 EV Code Signing |
| Certificates directly attributed to attacker | 27 |
| Non-compliance window | April 4 – April 17, 2026 |
The IP addresses above are defanged (dots written as [.]) to prevent accidental resolution or hyperlinking. Re-fang them only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Organizations relying on code-signing validation should immediately verify that all 60 revoked DigiCert certificates have propagated across their CRL/OCSP infrastructure and are not trusted in any internal allowlists or pinned certificate configurations.
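The revocation check above is worth doing programmatically rather than trusting that a CRL "has been updated". The Go program below is an added example, not DigiCert's code and not tied to the real DigiCert CRLs: it builds a throwaway CA and a CRL that revokes one code-signing serial (the CA, the serial value and the dates are constructed fixtures), then shows the three things a relying party must do with a CRL: verify its signature against the issuing CA, reject it if it is outside its validity window, and look the serial up. It also carries the caveat that matters most for this incident: Authenticode keeps trusting a countersigned (timestamped) signature whose timestamp predates the CRL's revocation date, so the date, not just the revoked flag, decides whether a binary is still acceptable. The names CheckSerialInCRL, SignedBeforeRevocation and buildFixture are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is the outcome of looking up one serial in a CRL.
type RevocationStatus struct {
	Revoked   bool
	RevokedAt time.Time
}

// CheckSerialInCRL parses a DER-encoded CRL, verifies it was signed by the
// issuing CA we expect, rejects it if it is stale, then looks the serial up.
func CheckSerialInCRL(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (RevocationStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return RevocationStatus{}, err
	}
	// An unsigned or wrong-issuer CRL is exactly how an attacker would serve
	// an empty "nothing revoked" list, so the signature check is not optional.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return RevocationStatus{}, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return RevocationStatus{}, errors.New("CRL outside its validity window; refetch before trusting it")
	}
	// RevokedCertificates exists on every Go release that has ParseRevocationList;
	// newer releases also expose the same data as RevokedCertificateEntries.
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return RevocationStatus{Revoked: true, RevokedAt: e.RevocationTime}, nil
		}
	}
	return RevocationStatus{}, nil
}

// SignedBeforeRevocation mirrors how Authenticode treats a countersigned
// signature: a revocation dated after the timestamp leaves it trusted.
func SignedBeforeRevocation(st RevocationStatus, signingTime time.Time) bool {
	return st.Revoked && signingTime.Before(st.RevokedAt)
}

// fixture is a constructed test setup: a throwaway CA and a CRL revoking one
// serial. None of it is DigiCert material.
type fixture struct {
	CA         *x509.Certificate
	LeafSerial *big.Int
	CRL        []byte
	RevokedAt  time.Time
}

func buildFixture() (*fixture, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Date(2026, 4, 20, 0, 0, 0, 0, time.UTC)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Code Signing CA (fixture)"},
		NotBefore:             now.Add(-24 * time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// The parsed copy carries the SubjectKeyId that CreateRevocationList requires.
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafSerial, _ := new(big.Int).SetString("0c5e2f1a7b3d4e6f8a9b0c1d2e3f4a5b", 16) // made-up serial
	revokedAt := time.Date(2026, 4, 4, 0, 0, 0, 0, time.UTC)                       // start of the article's window
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(7),
		ThisUpdate: now,
		NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: leafSerial, RevocationTime: revokedAt},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &fixture{CA: ca, LeafSerial: leafSerial, CRL: crlDER, RevokedAt: revokedAt}, nil
}

func main() {
	fx, err := buildFixture()
	if err != nil {
		panic(err)
	}
	now := time.Date(2026, 4, 21, 0, 0, 0, 0, time.UTC)
	st, err := CheckSerialInCRL(fx.CRL, fx.CA, fx.LeafSerial, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("serial %x revoked=%v at %s\n", fx.LeafSerial, st.Revoked, st.RevokedAt.Format(time.RFC3339))
	apr2 := time.Date(2026, 4, 2, 0, 0, 0, 0, time.UTC)
	apr10 := time.Date(2026, 4, 10, 0, 0, 0, 0, time.UTC)
	fmt.Println("timestamped Apr 2 still trusted:", SignedBeforeRevocation(st, apr2))
	fmt.Println("timestamped Apr 10 still trusted:", SignedBeforeRevocation(st, apr10))
}
```

When applying this to the real incident, feed CheckSerialInCRL the current CRL from each of the four issuing CAs named above and the serials of the revoked certificates, and compare the RevokedAt dates against the signing timestamps of binaries already in your environment; a binary whose countersignature predates the CRL's revocation date will still validate and needs a separate allowlist or hash-based block.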
The post DigiCert Hacked via Weaponized Screensaver File to Obtain EV Code Signing Certificates appeared first on Cyber Security News.