DigiCert Breach: Stolen EV Code Signing Certificates Linked to Zhong Stealer Malware

The attacker exploited a malfunctioning endpoint sensor to maintain undetected access for ten days, stealing certificates used to sign Zhong Stealer malware.

CSBadmin
3 Min Read

Initial Compromise via Malicious Screensaver

In early April 2026, a threat actor breached DigiCert’s internal support environment by tricking support analysts into opening a weaponized screensaver file. The attacker contacted support through a Salesforce chat channel and sent a ZIP archive containing a .scr file disguised as a customer screenshot (Windows screensaver files are ordinary PE executables, so opening one runs it). CrowdStrike blocked the first four delivery attempts, but a fifth succeeded on April 2 and compromised a machine used by a support analyst. DigiCert’s Trust Operations team isolated that machine the next day, but a critical gap remained: a second endpoint was compromised on April 4 and evaded detection because its CrowdStrike sensor was malfunctioning. That second compromise went unnoticed until April 14, giving the attacker ten days of unrestricted access.

Certificate Theft and Malware Distribution

Using the compromised analyst accounts, the attacker accessed DigiCert’s internal customer support portal and abused a feature that lets support staff view a customer’s account from the customer’s perspective. That proxied view could not manage the account or reach API keys, but it did expose the initialization codes for EV Code Signing orders that had been approved but not yet delivered. An initialization code together with an approved order is enough to activate the certificate, so the attacker was able to obtain genuine, DigiCert-issued certificates. Between April 14 and 17, DigiCert revoked 60 certificates: 27 were confirmed to have been issued to the attacker, and the remaining 33 were revoked as a precaution. The fraudulently obtained certificates were used to sign payloads for Zhong Stealer, a malware family tied to cryptocurrency theft and linked to the Chinese e-crime group GoldenEyeDog (APT-Q-27). The attack chain relied on the signed binaries to evade endpoint detection and retrieved additional payloads from cloud services such as AWS.

Response and Remediation

DigiCert revoked all 60 certificates within 24 hours of discovery and implemented several security changes. These included blocking proxied support users from viewing Code Signing initialization codes at both the UI and API layers, disabling Okta FastPass for support portal access, tightening MFA requirements, and suspending the affected analyst accounts. Pending Code Signing orders were canceled to eliminate residual attacker access. Seven attacker IP addresses were identified. Organizations that rely on code signing validation should verify that the revocations have propagated to the CRL and OCSP infrastructure their systems actually consult, and that none of the revoked certificates (by serial number or thumbprint) remain trusted through internal allowlists, pinned certificates, or application-control policies. A binary signed with a later-revoked certificate may still validate on hosts that cache stale revocation data or fail open when a revocation check cannot be completed, so the check should be made against fresh revocation data rather than inferred from a successful signature verification.
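The allowlist check described above, as an added example that is not DigiCert’s or the article’s code: it walks the DER structure of an X.509 CRL (RFC 5280 §5.1) to extract the revoked serial numbers and reports which serials in an internal signer allowlist now appear on the list. The CRL is constructed inline with a small DER encoder; the issuer name, serial numbers and zeroed signature are made up. The parser reads only the revokedCertificates list and does not verify the CRL signature, so in practice fetch the CRL from the distribution point named in the signer certificate, verify it against the issuer’s key, and take the signer serials from the signed binaries themselves.

```python
"""Pull revoked serials out of an X.509 CRL and cross-check them against an
internal signer allowlist. Added example, not DigiCert's or the article's
code. The CRL is CONSTRUCTED below with a tiny DER encoder; issuer name,
serial numbers and the zeroed signature are made up. Only the
revokedCertificates list is parsed; the CRL signature is NOT verified."""
from datetime import datetime, timedelta, timezone


# --- minimal DER encoder, used only to construct the sample CRL ------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(n):
    # one extra bit keeps the sign bit clear, so 0x80.. gets a leading 0x00
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


SHA256_WITH_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
# Name: SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } } (hypothetical CA)
ISSUER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                 + der(0x0C, b"Example Code Signing CA"))))


def build_sample_crl(serials, this_update):
    """CertificateList per RFC 5280 5.1 with a zeroed (invalid) signature."""
    entries = b"".join(der(0x30, der_int(s) + der_utctime(this_update)) for s in serials)
    tbs = der(0x30, der_int(1) + SHA256_WITH_RSA + ISSUER + der_utctime(this_update)
              + der_utctime(this_update + timedelta(days=7)) + der(0x30, entries))
    return der(0x30, tbs + SHA256_WITH_RSA + der(0x03, b"\x00" * 33))


# --- parser -----------------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_tlv(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def revoked_serials(crl_der):
    """Set of userCertificate serials (as ints) listed in a DER CertificateList."""
    tag, cert_list, _ = read_tlv(crl_der)
    if tag != 0x30:
        raise ValueError("CRL must start with a SEQUENCE")
    tag, tbs, _ = read_tlv(cert_list)        # tbsCertList
    fields = list(iter_tlv(tbs))
    if fields and fields[0][0] == 0x02:      # optional version (v2 CRLs)
        fields = fields[1:]
    rest = fields[3:]                        # skip signature, issuer, thisUpdate
    if rest and rest[0][0] in (0x17, 0x18):  # optional nextUpdate
        rest = rest[1:]
    serials = set()
    if rest and rest[0][0] == 0x30:          # revokedCertificates (crlExtensions is [0] = 0xA0)
        for _, entry in iter_tlv(rest[0][1]):
            etag, serial, _ = read_tlv(entry)
            if etag != 0x02:
                raise ValueError("revoked entry must start with INTEGER serial")
            serials.add(int.from_bytes(serial, "big", signed=True))
    return serials


def allowlist_hits(crl_der, allowlist_hex):
    """Allowlisted signer serials (hex strings) that the CRL now lists as revoked."""
    revoked = revoked_serials(crl_der)
    return sorted(s for s in allowlist_hex if int(s, 16) in revoked)


# Constructed sample data; the serials are made up and match no real certificate.
SAMPLE_REVOKED = [0x0A1B2C3D4E5F6071, 0x7F00112233445566, 0x8000000000000001]
SAMPLE_CRL = build_sample_crl(SAMPLE_REVOKED, datetime(2026, 4, 17, tzinfo=timezone.utc))
SAMPLE_ALLOWLIST = ["0a1b2c3d4e5f6071", "0123456789abcdef", "8000000000000001"]

if __name__ == "__main__":
    for hit in allowlist_hits(SAMPLE_CRL, SAMPLE_ALLOWLIST):
        print("allowlisted signer serial is REVOKED:", hit)
```

The third sample serial has its high bit set, so its DER encoding carries a leading 0x00 byte; decoding it as a signed big-endian integer is what keeps such serials from being misread as negative and silently missing a match.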

Source: Cybersecuritynews

CSBadmin

The latest in cybersecurity news and updates.
