DigiCert breach leads to theft of code signing certs used in malware campaign

US-based Certificate Authority DigiCert has disclosed a security incident in which attackers infiltrated its internal systems and stole 27 code signing certificates later used to sign malware.

The breach, which occurred in April 2026, was traced to a social engineering campaign targeting DigiCert’s technical support staff. According to the company, the attacker impersonated a customer and convinced employees to download and execute a malicious file disguised as a screenshot. The file, delivered as a ZIP archive, contained a .scr executable (a format typically associated with Windows screensavers) embedded with a malicious payload.
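As an added illustrative example (not part of DigiCert's disclosure or tooling), the following Python check triages a ZIP attachment for the delivery pattern described above: an entry that carries an executable extension such as .scr (which Windows treats as an ordinary PE executable), hides an image extension before the real one, or whose bytes start with a PE header regardless of the name. The sample archive it builds is constructed for the demonstration.

```python
"""Triage a ZIP attachment for executables posing as screenshots.
Added example, not from DigiCert's report; the sample ZIP is constructed."""
import io
import zipfile

# Extensions Windows will execute on double-click (non-exhaustive, assumed list).
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "js", "vbs", "lnk"}
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "bmp"}


def triage_zip(data: bytes) -> list:
    """Return one finding per suspicious entry in the ZIP bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension .{ext}")
            # "screenshot.png.scr": an image extension hidden before the real one
            if len(parts) > 2 and parts[-2] in IMAGE_EXTS:
                reasons.append("double extension masquerading as image")
            with zf.open(info) as fh:
                header = fh.read(2)
            if header == b"MZ":  # DOS/PE magic, true even when the name says image
                reasons.append("content is a PE executable (MZ header)")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a benign PNG plus a fake 'screenshot' .scr stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("real_screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("screenshot.png.scr", b"MZ" + b"\x00" * 62)  # fake PE stub
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["name"], "->", "; ".join(f["reasons"]))
```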

The company says it blocked four initial delivery attempts. However, a fifth attempt succeeded in compromising one employee’s workstation. The intrusion was detected and contained the following day, and DigiCert initially believed the threat had been neutralized.

However, the subsequent investigation found a second compromised system, which had been breached on April 4 using the same delivery method. Because the endpoint protection software on that machine had malfunctioned, the compromise went undetected during the initial response.

Using access to the compromised systems, the attacker entered DigiCert’s internal support portal via a restricted feature that allows staff to view customer accounts for troubleshooting. While this access did not allow direct account management, it enabled the attacker to retrieve initialization codes tied to approved but undelivered Extended Validation (EV) code signing certificate orders.

By combining the codes with existing approved orders, the attacker was able to issue legitimate code signing certificates across multiple customer accounts. The certificates were later used to sign malware linked to the Zhong Stealer family. The attacker’s activity was traced to several IP addresses, including 82.23.186.8, 154.12.185.32, and 45.144.227.12.

DigiCert said it revoked a total of 60 certificates during its investigation, 27 of which were directly linked to the attacker’s activity. The remaining 33 certificates were revoked as a precaution.

“Our Trust Operations team conducted a detailed review of activity from the compromised endpoints and associated user accounts. This review did not identify related activity within other user accounts,” the company said. “The investigations did not find any misuse of validation information, improper validation actions or other steps that could lead to account settings changes, nor non-Code Signing certificate mis-issuance. In our investigation, we did not find evidence that the threat actor misused other internal systems other than the Code Signing initialization codes within specific accounts.”
