DigiCert Breached After Malicious Screensaver File Used

▼ Summary
– A threat actor used a social engineering attack on DigiCert’s support chat, delivering a malicious ZIP file disguised as a screenshot to compromise internal systems and issue unauthorized EV Code Signing certificates.
– The attacker exploited a limited support portal feature to access initialization codes for approved but undelivered orders; an initialization code paired with its approved order was enough to retrieve the certificate.
– Two support systems were compromised: the first was contained within 24 hours, but the second went undetected for nearly two weeks due to CrowdStrike configuration issues.
– DigiCert revoked 60 code signing certificates, with 27 tied to the attacker, including 11 linked to malware and 16 from internal investigation; all were revoked within 24 hours.
– In a separate incident, Microsoft Defender falsely flagged legitimate DigiCert root certificates as malware, causing false-positive alerts and removals, which Microsoft later fixed.
A sophisticated social engineering attack on DigiCert’s customer support channel resulted in a breach of internal systems and the unauthorized issuance of EV Code Signing certificates. DigiCert, a global Certificate Authority (CA) known for TLS/SSL certificates, PKI management, and IoT security, disclosed the incident in a detailed report.
The attacker contacted the support team through a customer chat channel and delivered a malicious ZIP file disguised as a customer screenshot. Inside was a .scr file, a Windows screensaver format that can execute code. The threat actor exploited a feature in the customer-support portal that allows authenticated analysts to view accounts from a customer’s perspective. While this feature does not permit account management, user changes, or order submissions, it did allow access to initialization codes for approved but undelivered orders.
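The delivery described above relies on a Windows screensaver (.scr), which is an ordinary PE executable, being mistaken for a screenshot inside a ZIP. As an added example that is not code from the article, DigiCert or Help Net Security, the following Python script shows the kind of attachment check a support desk or mail gateway can run on an archive before anyone opens it: it flags entries with executable extensions, image-looking names with an executable double extension, and content that starts with the PE "MZ" header regardless of extension. The archive contents and file names are constructed for the demo.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute on double-click; .scr (screensaver) is a PE executable.
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".ps1", ".dll", ".cpl",
}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
MZ_MAGIC = b"MZ"  # first two bytes of every PE (DOS stub header)


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious archive entry, with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise Windows separators so suffix parsing works on the file name only.
            name = PurePosixPath(info.filename.replace("\\", "/"))
            suffixes = [s.lower() for s in name.suffixes]
            ext = suffixes[-1] if suffixes else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if len(suffixes) >= 2 and suffixes[-2] in IMAGE_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
                reasons.append("image name with executable double extension")
            # Check content, not just the name: a PE renamed to .png is still a PE.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == MZ_MAGIC:
                reasons.append("PE header (MZ) in content")
                if ext in IMAGE_EXTENSIONS:
                    reasons.append("PE content behind image extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive(include_payload: bool = True) -> bytes:
    """Constructed sample: a benign PNG plus, optionally, a PE stub disguised as a screenshot."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # benign image header
        zf.writestr("notes.txt", b"see attached")
        if include_payload:
            # Constructed stand-in for the lure: MZ header with a screensaver extension.
            zf.writestr("screenshot.png.scr", MZ_MAGIC + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The content check matters more than the extension list: a gateway that only looks at names misses a PE renamed to .png, and one that only looks at magic bytes misses a script. Running both, and quarantining on any hit, is the cheap control that would have stopped this lure before an analyst opened it.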
Although several delivery attempts were blocked, the attacker managed to compromise two support systems, gaining access to internal tools. The first system was identified and contained within 24 hours, but the second went undetected for nearly two weeks. DigiCert explained that a CrowdStrike prevention setting on the first endpoint was below the intended organizational standard, allowing the malicious payload to execute before blocking engaged. On the second endpoint, the CrowdStrike sensor was absent, degraded, or non-reporting, so no detection occurred.
An initialization code, when combined with an approved order, is sufficient to retrieve a certificate. By accessing both, the attacker generated legitimate EV Code Signing certificates across multiple accounts. DigiCert revoked 60 code signing certificates, including 27 directly tied to the attacker’s activity. Of those, 11 were identified through certificate problem reports from community members linking them to malware, while 16 were found during the company’s internal investigation. The remaining certificates were revoked as a precaution because customer control could not be confirmed. All revocations occurred within 24 hours of discovery, and pending orders were cancelled to prevent further abuse.
A community member discovered that the exploited certificates were used to sign the Zhong Stealer malware family, which has been linked to Chinese e-crime activity and cryptocurrency theft. DigiCert described itself as “lucky” because a security researcher reported the misuse and engaged with the support team, helping uncover the second compromised system that might otherwise have remained hidden.
In a related development, Microsoft Defender mistakenly flagged legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, triggering widespread false-positive alerts and, in some cases, removing certificates from Windows systems. Cybersecurity expert Florian Roth was among the first to flag the issue publicly, posting on X and urging the security community to investigate. Roth also shared guidance to help administrators verify whether affected certificates had been restored. Microsoft acknowledged the issue and fixed the false detections in updated Defender security intelligence releases, including version 1.449.430.0, which stopped the incorrect alerts.
(Source: Help Net Security)