DigiCert Breach Leads to Revocation of Fraudulent Code Signing Certificates
A social engineering attack against DigiCert’s support portal allowed threat actors to generate and misuse legitimate EV Code Signing certificates to sign malware.

DigiCert, a major global Certificate Authority, has confirmed that a targeted social engineering attack against its support team led to the unauthorized issuance of EV Code Signing certificates. The breach, which began on April 2, 2026, allowed threat actors to gain access to internal systems and exploit a support portal feature to intercept initialization codes for approved, pending certificate orders (Help Net Security, SecurityWeek).
The attack chain began when a threat actor contacted DigiCert’s support channel via a customer chat, delivering a malicious ZIP file disguised as a screenshot. The archive contained a .scr (Windows screensaver) payload, which is an ordinary Windows executable despite the extension, and it successfully infected two internal endpoints (Help Net Security). Once inside, the attackers leveraged a feature that allows support analysts to proxy into customer accounts. Although access to this feature is restricted, it gave the attackers visibility into the initialization codes of pending orders. By combining these codes with pre-approved orders, the threat actors were able to generate legitimate EV Code Signing certificates across multiple customer accounts (SecurityWeek).
DigiCert’s investigation revealed that the attackers' persistence was aided by security gaps on the compromised machines. On the first endpoint, CrowdStrike prevention settings were below organizational standards, allowing the payload to execute. On the second endpoint, the CrowdStrike sensor was either absent, degraded, or non-reporting, which delayed the discovery of the breach for nearly two weeks (Help Net Security). The first system was contained within 24 hours of the April 2 incident, while the second remained undetected until April 14 (SecurityWeek).
In total, DigiCert revoked 60 code signing certificates by April 17 to mitigate the risk. Of these, 27 were directly linked to the attacker's activity, with 11 identified by the security community as having been used to sign the "Zhong Stealer" malware family, which is associated with Chinese e-crime and cryptocurrency theft (Help Net Security). The remaining certificates were revoked as a precautionary measure because customer control could not be verified (Help Net Security).
In response to the incident, DigiCert has implemented several security enhancements, including the enforcement of multi-factor authentication for administrative workflows and the restriction of file types allowed in support chats and Salesforce attachments. The company also modified its support portal to prevent proxied users from accessing initialization codes (SecurityWeek). Separately, DigiCert experienced a brief, unrelated issue where Microsoft Defender incorrectly flagged legitimate root certificates as malware, though this was resolved in security intelligence update 1.449.430.0 (Help Net Security).
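The initial access described above (a .scr executable inside a ZIP passed off as a screenshot) and the file-type restriction DigiCert added to its support channels both come down to one control: inspecting uploaded archives before a support analyst can open them. The following is an added illustration written for this article, not DigiCert's own tooling, of how such a filter can work. It assumes a hypothetical allow-list of image and document extensions for a screenshot upload channel, flags any entry whose extension Windows would execute, and also reads each entry's first bytes so that a PE executable renamed to look like an image is still caught. The sample archive it builds is constructed inline for demonstration.

```python
import io
import os
import zipfile

# Assumed allow-list for a "send us a screenshot" support channel (hypothetical policy).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}

# Extensions Windows will execute on double-click no matter what icon they show.
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".com", ".pif", ".dll", ".msi", ".bat", ".cmd",
    ".hta", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".lnk",
}

# Every Windows PE image (EXE, DLL, SCR) starts with the DOS header magic "MZ".
PE_MAGIC = b"MZ"


def scan_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [{"name": None, "reasons": ["not a valid ZIP archive"]}]

    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = []
            # Extension check: splitext takes the LAST suffix, so "shot.png.scr" is ".scr".
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            elif ext not in ALLOWED_EXTENSIONS:
                reasons.append(f"extension {ext or '<none>'} is not on the allow-list")

            # Content check: a PE header is suspicious whatever the file is called.
            try:
                with archive.open(info) as fh:
                    head = fh.read(len(PE_MAGIC))
            except RuntimeError:
                # Password-protected entries cannot be inspected, so they are refused too.
                reasons.append("encrypted entry cannot be inspected")
            else:
                if head == PE_MAGIC:
                    reasons.append("content starts with PE header (MZ)")

            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def is_attachment_allowed(zip_bytes: bytes) -> bool:
    """Policy decision: accept the upload only if the scan produced no findings."""
    return not scan_zip_attachment(zip_bytes)


def build_sample_zip() -> bytes:
    """Constructed sample: one genuine PNG, one .scr, and one PE renamed to .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("screenshot.scr", b"MZ" + b"\x90" * 62)
        z.writestr("image.png", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed sample containing only a real PNG, which the policy should accept."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
    print("clean archive allowed:", is_attachment_allowed(build_clean_zip()))
```

Both checks are needed: the extension test alone would pass a PE renamed to `image.png`, and the magic-byte test alone would not catch scripts (.js, .vbs, .ps1) that have no fixed header. Refusing encrypted entries closes the common trick of password-protecting an archive so that nothing can look inside it.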
This incident highlights the persistent risk of social engineering targeting high-trust infrastructure providers. By compromising the support channel, attackers bypassed traditional perimeter defenses to manipulate the very trust mechanisms that digital certificates are designed to uphold. As threat actors increasingly target the supply chain to sign malicious payloads, the security of Certificate Authority internal workflows remains a critical point of failure for the broader software ecosystem.