top of page

Hackers Exploit DigiCert to Issue Malware-Signing Certificates

  • May 10
  • 3 min read

Key Findings


  • DigiCert's support team was compromised on April 2, 2026 when a staff member opened malware disguised as a screenshot in a help chat

  • Attackers obtained initialization codes for EV Code Signing certificates, which function as bearer credentials for issuing valid certificates

  • At least 60 certificates were revoked after hackers used stolen credentials to sign the Zhong Stealer malware

  • A second compromised endpoint with a malfunctioning CrowdStrike sensor allowed attackers to access the internal support portal undetected

  • The breach involved 27 separate intrusions before discovery on April 14


Background


DigiCert, headquartered in Utah, operates as one of the world's largest Certificate Authorities. The company verifies the legitimacy of websites and software by issuing digital certificates that authenticate identity. When DigiCert signs code with their certificates, it tells users that the software comes from a trusted source. This makes stealing their signing certificates extraordinarily valuable to attackers, as malware signed with legitimate DigiCert credentials appears trustworthy to end users and security tools.


The Initial Compromise


On April 2, a DigiCert support agent received a chat message from someone claiming to be a customer. The attacker sent a ZIP file labeled as a screenshot. Inside was a malicious executable named k3.exe, actually an .scr file. DigiCert's internal security tools flagged the threat four times, but because customer support staff routinely open files to help troubleshoot issues, the agent kept retrying. On the fifth attempt, the malware bypassed detection and infected a workstation designated ENDPOINT1.


The Second Breach


While DigiCert believed they had contained the incident by April 3, a second machine called ENDPOINT2 was compromised the following day. This endpoint had a broken CrowdStrike sensor, creating blind spots in their Endpoint Detection and Response system. Without proper monitoring telemetry, the security team never received alerts about the intrusion. The attackers exploited this gap to access DigiCert's internal support portal, where they discovered initialization codes for certificate orders. These codes are essentially bearer credentials, meaning possession of them combined with an approved order is all an attacker needs to generate and retrieve valid certificates.


Accessing Code Signing Certificates


Once inside the portal, the hackers gained the ability to issue their own EV Code Signing certificates. They procured initialization codes for a limited number of certificates, using at least some of them to sign the Zhong Stealer malware. DigiCert later determined that attackers had breached the system 27 times in total, obtaining enough certificates to cause significant damage if left undetected.


Persistence Through Okta FastPass


The attackers maintained access to the compromised endpoint by using Okta FastPass, which allowed them to remain logged in as the legitimate staff member. Since the system believed the attacker was the real employee already authenticated on that computer, it didn't trigger additional identity verification challenges. This persistence mechanism gave the hackers extended access to issue certificates over several days.


Discovery and Response


An independent researcher identified the breach on April 14 when they noticed the Zhong Stealer malware bearing legitimate DigiCert signatures. DigiCert immediately launched an investigation and revoked all 60 affected certificates within 24 hours, setting their revocation dates to their issuance dates. They also cancelled any pending certificate orders that fell within the compromise window.


Remediation Measures


By April 17, DigiCert had implemented several changes to prevent similar attacks. They blocked .scr files from being sent through chat channels and modified their internal portal to mask initialization codes so support agents cannot view them. The company acknowledged that discovering the breach relied on luck, noting that without the researcher's tip-off, the "active certificate theft might still be running today," highlighting a significant gap in their internal detection capabilities.


Sources


  • https://hackread.com/hackers-digicert-issue-certificates-sign-malware/

  • https://news.backbox.org/2026/05/10/hackers-trick-digicert-into-issuing-certificates-used-to-sign-malware/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page