PROBABLYPWNED
Data Breaches | May 27, 2026 | 5 min read

DigiCert Revokes 60 Certificates After Support Portal Breach

Attackers compromised DigiCert's support portal through a malicious chat attachment and obtained EV code signing certificates; 11 of them were used to sign Zhong Stealer malware.

Sarah Mitchell

Certificate authority DigiCert has revoked 60 code signing certificates after threat actors breached its internal support portal through a social engineering attack disguised as a customer screenshot. Eleven of those certificates were used to sign the Zhong Stealer malware family, effectively weaponizing the trust infrastructure that's supposed to protect users from malicious software.

The breach shows why certificate authorities, the organizations that underpin digital trust across the internet, are attractive targets: compromising one CA gives attackers a force multiplier for every operation that needs software to look trustworthy.

What Happened

The attack began on April 2, 2026, when threat actors delivered malware through DigiCert's customer chat channel. The payload was disguised as a screenshot, a common attachment in support interactions. Once opened, the malware infected an employee endpoint and established initial access to DigiCert's internal systems.

DigiCert identified the first compromised endpoint on April 3. However, due to malfunctioning security solutions, a second infected system wasn't discovered until April 14—giving attackers nearly two weeks of access before full containment.

By April 17, DigiCert had revoked 60 certificates and canceled pending orders that may have been compromised. Of these, 27 were explicitly linked to the threat actor, with 11 confirmed as signing certificates for Zhong Stealer variants.

How Attackers Exploited Certificate Operations

The attackers went specifically after Extended Validation (EV) code signing certificates, the highest-assurance certificates used to sign software. An EV certificate is meant to attest that the publisher's identity was verified to a stricter standard than for ordinary (OV) code signing certificates, and Windows SmartScreen grants executables signed with one immediate reputation instead of making them earn it over time. That is exactly what makes them valuable to a malware author.

According to DigiCert's disclosure, attackers gained access to:

  • Initialization codes for pending certificate orders
  • Approved order information waiting for certificate issuance
  • The ability to proxy into customer accounts through support analyst credentials

With that access, the attackers could step into an order after DigiCert had vetted the customer but before the certificate reached them: complete the pending order using its initialization code and receive a genuine EV certificate issued in the legitimate customer's name. Nothing about such a certificate is forged. It chains to DigiCert's trusted root, so security software and users see a validly signed binary from a verified publisher.

The Zhong Stealer Connection

Zhong Stealer is an information-stealing malware family that targets cryptocurrency wallets, browser-stored credentials, and financial data. Variants signed with the fraudulently issued DigiCert certificates would have passed many security controls, because the signatures were not merely convincing but cryptographically valid and chained to a trusted root.

This isn't the first time we've seen malware authors exploit code signing to evade detection. But targeting a certificate authority directly represents an escalation. Rather than stealing individual signing keys from software companies, attackers went after the source—the organization that issues certificates in the first place.

The technique parallels supply chain compromises targeting package managers and CI/CD systems. Compromise one trusted point in the chain, and everything downstream inherits that false trust.

DigiCert's Response

DigiCert has implemented several security controls in response to the breach:

  • Multi-factor authentication requirements for administrative workflows
  • Prevention of initialization code access from proxied support sessions
  • File type restrictions on support chat attachments
  • Enhanced logging and monitoring systems
  • Revocation of all potentially compromised certificates

The company emphasized that the breach affected "a finite set of approved orders" across multiple customer accounts. However, they did not disclose specific customer names or the full scope of data accessed during the attackers' two-week window.
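The file type restriction in the list above raises the question of what "restriction" has to mean, given that the original payload passed as a screenshot. The article does not say how it was disguised. The Go program below is an added example, not DigiCert's code or anything from the page; it assumes the attachment was a non-image file carrying an image-like name, and shows the check a chat platform can apply before an analyst ever sees the file: an extension allowlist, a magic-byte check that the bytes really are the claimed image type, and an explicit block on PE and Windows shortcut (.lnk) headers. The function name CheckAttachment, the error values and the sample byte strings are all constructed for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Sentinel errors so callers can log and audit the rejection reason.
var (
	ErrExtension  = errors.New("attachment: extension not on the allowlist")
	ErrExecutable = errors.New("attachment: content is an executable or shortcut, not an image")
	ErrMagic      = errors.New("attachment: content does not match the claimed image type")
)

// imageMagic maps each allowed extension to the byte prefix a genuine file of
// that type begins with. Anything not listed here is rejected outright.
var imageMagic = map[string][]byte{
	".png":  {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
	".jpg":  {0xFF, 0xD8, 0xFF},
	".jpeg": {0xFF, 0xD8, 0xFF},
	".gif":  []byte("GIF8"),
}

// dangerousMagic lists content signatures that must never reach an analyst's
// desktop under an image name, whatever the extension claims.
var dangerousMagic = [][]byte{
	[]byte("MZ"),                                      // PE / DOS executable
	{0x4C, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00}, // Windows shell link (.lnk)
}

// CheckAttachment decides whether an uploaded file may be stored and shown to
// a support analyst. The decision is made on the leading bytes of the content,
// never on the name the sender chose.
func CheckAttachment(name string, content []byte) error {
	// filepath.Ext returns the LAST extension, so "shot.png.exe" is judged as
	// ".exe" (not allowed) and "shot.exe.png" falls through to the byte checks.
	ext := strings.ToLower(filepath.Ext(name))
	want, ok := imageMagic[ext]
	if !ok {
		return fmt.Errorf("%w: %q", ErrExtension, ext)
	}
	for _, bad := range dangerousMagic {
		if bytes.HasPrefix(content, bad) {
			return ErrExecutable
		}
	}
	if !bytes.HasPrefix(content, want) {
		return ErrMagic
	}
	return nil
}

func main() {
	// Constructed samples: a minimal PNG header and the first bytes of a PE file.
	png := []byte{0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13, 'I', 'H', 'D', 'R'}
	exe := []byte("MZ\x90\x00\x03\x00\x00\x00")
	cases := []struct {
		name    string
		content []byte
	}{
		{"screenshot.png", png},     // genuine image
		{"screenshot.png", exe},     // executable renamed to look like an image
		{"screenshot.png.exe", exe}, // double extension
		{"screenshot.jpg", png},     // real image, wrong claimed type
	}
	for _, c := range cases {
		fmt.Printf("%-20s -> %v\n", c.name, CheckAttachment(c.name, c.content))
	}
}
```

This is only the first gate. A file that is a valid PNG and also carries an exploit for a vulnerable image parser passes it, so the analyst's workstation should still open attachments in a sandboxed viewer, and the platform is better off re-encoding every accepted image server-side rather than storing the sender's bytes.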

Why This Matters

Certificate authority breaches threaten the fundamental trust model of the internet. When we install software signed by a trusted certificate, we're relying on the CA to have properly verified the publisher's identity. If attackers can obtain certificates fraudulently, that verification means nothing.

The certificates used to sign Zhong Stealer would have checked out as legitimate to most security tools. Windows SmartScreen would not warn. Antivirus heuristics that flag unsigned executables would see a valid signature from a trusted chain. Users trained to look for signed software would see nothing wrong. A valid signature says only that the signer held a certificate the CA issued; it says nothing about what the code does, which is why behavioural detection on the endpoint still matters for signed binaries.

This attack also demonstrates how support operations can become security weak points. Customer service teams necessarily have elevated access to help users resolve problems. That same access becomes a liability if an attacker can pose as a customer or trick an employee into opening a malicious file.

Organizations that obtain certificates from DigiCert should confirm none of theirs were among the 60 revoked. If you hold or had ordered EV code signing certificates, check DigiCert's notices and your account's order history for orders you did not place and initialization codes you did not redeem. Certificate transparency logs are not the place to look: CT covers TLS server certificates, and code signing certificates are not logged there.

The broader lesson: treat certificate authorities as critical supply chain dependencies. Know which CAs you rely on and which of your certificates they issued; watch your CA accounts for orders and issuance you did not initiate (for TLS certificates, certificate transparency logs add an independent view; for code signing certificates they do not); and have revocation procedures ready in case your signing certificates are ever compromised, including who can request revocation, how you will re-sign and redistribute builds, and what effective date the revocation should carry so that signatures made during the compromise window are invalidated too.

Frequently Asked Questions

How do I know if my certificates were affected?

DigiCert has been contacting affected customers directly. If you had pending EV code signing orders between April 2 and April 17, 2026, contact DigiCert support to verify their status and confirm who completed them. Note that crt.sh and other certificate transparency log searches only show TLS certificates; they will not reveal a code signing certificate issued against your account.

What should I do if I find software signed with a revoked certificate?

Treat it as potentially malicious. Revocation does not remove the malware; it means Windows will no longer accept the signature, provided the revocation's effective date is earlier than the signature's trusted timestamp (a revocation dated after a timestamped signature leaves that signature valid, which is why a CA handling misuse dates the revocation back to when the misuse began). Scan the software with updated security tools and obtain a fresh copy from a verified source. If the suspect binary was ever executed, treat the host as compromised: Zhong Stealer goes after wallets and browser credentials, so rotate those.
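Both the revocation procedures urged under "Why This Matters" and the answer above turn on one detail: the effective date the CA writes into the CRL entry. The Go program below is an added example, not DigiCert's code or a tool from the page. Using only the standard library, it stands up a throwaway CA, revokes a serial with a chosen effective date, and evaluates signatures timestamped before and during the abuse window. It goes beyond the article in modelling the timestamp rule generally rather than for this one incident, and it does not parse Authenticode signatures out of a PE file: the signing certificate's serial and the countersignature time are passed in as if already extracted. The function names, serial numbers and dates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignatureTrust is the outcome of checking one code signature against a CRL.
type SignatureTrust struct {
	Revoked        bool      // the signing certificate's serial is in the CRL
	RevocationTime time.Time // effective date the CA recorded for the entry
	Trusted        bool      // whether a timestamp-aware verifier still accepts it
}

// newCA creates a throwaway self-signed CA able to sign certificates and CRLs.
// It stands in for an issuing CA; nothing here is DigiCert's hierarchy.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Code Signing CA (test only)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is mandatory: CreateRevocationList rejects an issuer without it.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	// Parse the DER back so the generated SubjectKeyId is populated; the CRL
	// builder needs it for the AuthorityKeyId extension.
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// RevokeSerials issues a CRL revoking every serial with effect from revokedAt.
// A CA reacting to misuse sets revokedAt to the earliest moment the certificates
// could have been abused, not to the moment it noticed, so that timestamped
// signatures made during the abuse window are invalidated as well.
func RevokeSerials(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials []*big.Int, revokedAt time.Time) (*x509.RevocationList, error) {
	entries := make([]pkix.RevokedCertificate, 0, len(serials))
	for _, s := range serials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: revokedAt})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: entries,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	// A relying party must verify the CRL signature before acting on it.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return nil, err
	}
	return crl, nil
}

// EvaluateSignature looks the signing certificate's serial up in the CRL and
// applies the rule Authenticode-style verifiers use: a signature whose trusted
// timestamp is earlier than the revocation date stays valid, one made at or
// after it does not. signedAt is the countersignature time; a zero value means
// "not timestamped", which verifiers treat as signed now.
func EvaluateSignature(crl *x509.RevocationList, serial *big.Int, signedAt time.Time) SignatureTrust {
	if signedAt.IsZero() {
		signedAt = time.Now()
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return SignatureTrust{Revoked: true, RevocationTime: e.RevocationTime, Trusted: signedAt.Before(e.RevocationTime)}
		}
	}
	return SignatureTrust{Trusted: true}
}

func main() {
	ca, key, err := newCA()
	if err != nil {
		panic(err)
	}
	// Constructed scenario: serial 4242 is the misused certificate, revoked with
	// effect from the day the intrusion started rather than the day it was found.
	stolen := big.NewInt(4242)
	crl, err := RevokeSerials(ca, key, []*big.Int{stolen}, time.Date(2026, time.April, 2, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Printf("timestamped before revocation date: %+v\n", EvaluateSignature(crl, stolen, time.Date(2026, time.March, 31, 12, 0, 0, 0, time.UTC)))
	fmt.Printf("timestamped during abuse window:    %+v\n", EvaluateSignature(crl, stolen, time.Date(2026, time.April, 10, 12, 0, 0, 0, time.UTC)))
	fmt.Printf("unrelated certificate:              %+v\n", EvaluateSignature(crl, big.NewInt(7), time.Time{}))
}
```

Run it with `go run main.go`. A real verifier obtains the CRL from the URL in the certificate's CRL Distribution Points extension (or asks OCSP) instead of building it locally, but the decision it then makes is the one EvaluateSignature shows: had the CA dated the revocation at April 14, the day containment finished, every Zhong Stealer sample timestamped between April 2 and April 14 would still verify cleanly.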
