Published on May 4, 2026

DigiCert breached via malicious screensaver file

Severity

Medium

Detail

A targeted social engineering attack against DigiCert’s support channel resulted in the compromise of internal systems and the unauthorized issuance of Extended Validation (EV) code signing certificates.

The attacker delivered a malicious file disguised as a customer screenshot, allowing initial access to internal support systems. This enabled the misuse of legitimate certificate issuance processes, leading to the generation of trusted certificates that were later linked to malware activity.

The incident highlights the risk posed by abuse of trusted certificate infrastructure: an attacker holding a legitimately issued code signing certificate can distribute signed malware that may evade security controls which treat a valid signature as a trust signal.

How?

The attack was initiated through DigiCert’s customer support chat, where a threat actor submitted a malicious ZIP file posing as a screenshot. The archive contained a .scr file, which executed a payload upon opening and compromised the endpoint.
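As an added example (not from the article, and not DigiCert's own tooling), the following Python shows the kind of intake check that catches the lure described above before an analyst opens it: it unpacks a ZIP in memory, compares each member's claimed extension with its leading magic bytes, and blocks anything that is a Windows PE executable (a `.scr` screensaver is a PE file), that carries an executable extension, or that uses a decoy image extension in front of the real one. The archive, its file names and its contents are constructed for this example.

```python
"""Screen an inbound "screenshot" archive before a support analyst opens it.

Added example; the sample archive below is constructed, not a real lure.
"""
import io
import zipfile

# Extensions Windows runs on double-click. Explorer hides known extensions
# by default, so "screenshot.png.scr" is displayed as "screenshot.png".
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs",
    ".lnk", ".hta", ".msi", ".ps1",
}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp"}
IMAGE_KINDS = {"png", "jpeg", "gif", "bmp", "webp"}

# Leading bytes of formats a genuine screenshot would actually have.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
PE_MAGIC = b"MZ"  # DOS/PE header shared by .exe, .dll and .scr files


def sniff(head: bytes) -> str:
    """Classify content by its magic bytes, ignoring the file name entirely."""
    if head.startswith(PE_MAGIC):
        return "pe"
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    if head.startswith(b"RIFF") and head[8:12] == b"WEBP":
        return "webp"
    return "unknown"


def screen_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member with a block/allow verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            parts = lower.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                kind = sniff(fh.read(16))
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if kind == "pe":
                reasons.append("content is a Windows PE executable")
            if ext in IMAGE_EXTENSIONS and kind not in IMAGE_KINDS:
                reasons.append(f"named as an image but content is {kind}")
            # "name.png.scr": an image extension sits before the real one.
            if len(parts) > 2 and any("." + p in IMAGE_EXTENSIONS for p in parts[1:-1]):
                reasons.append("decoy image extension before the real extension")
            findings.append({
                "name": info.filename,
                "ext": ext,
                "content": kind,
                "verdict": "block" if reasons else "allow",
                "reasons": reasons,
            })
    return findings


def archive_is_safe(zip_bytes: bytes) -> bool:
    """True only when every member passes; a single bad member blocks the upload."""
    return all(f["verdict"] == "allow" for f in screen_archive(zip_bytes))


def build_sample_archive() -> bytes:
    """Constructed ZIP: one genuine-looking PNG and two disguised PE files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("screenshot-1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        zf.writestr("screenshot-2.png.scr", b"MZ" + b"\x90" * 64)  # decoy name
        zf.writestr("error.jpg", b"MZ" + b"\x00" * 64)  # image name, PE bytes
    return buf.getvalue()


if __name__ == "__main__":
    for finding in screen_archive(build_sample_archive()):
        print(finding["verdict"].upper(), finding["name"], finding["reasons"])
    print("archive safe:", archive_is_safe(build_sample_archive()))
```

The check deliberately does not trust the file name: a member is classified by its bytes first, and the name is only used to catch the extension tricks that make a PE file look like an image in a file browser. In a support tool this would run server-side on upload so that the analyst never receives the executable at all.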

Following the compromise, the attacker leveraged a limited support function that allows analysts to access customer accounts from the user’s perspective. While restricted in capability, this feature exposed initialization codes tied to approved certificate orders.

By combining these codes with pending approved requests, the attacker was able to retrieve and generate valid EV code signing certificates.

The impact was exacerbated by endpoint security gaps, including a misconfigured or non-functional EDR solution, which allowed the malicious activity to proceed undetected on affected systems.

The compromised certificates were later used to sign malware, including the Zhong Stealer, associated with cryptocurrency theft activity.

Microsoft Defender mistakenly flags trusted DigiCert certificates as malware

In a related development, Microsoft Defender incorrectly identified legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts and, in some cases, removal of certificates from affected Windows systems.

The issue was initially reported by cybersecurity researcher Florian Roth, who highlighted the behavior and provided guidance for verifying certificate restoration.

Microsoft acknowledged the false detections and resolved the issue in updated Defender security intelligence releases, including version 1.449.430.0, which corrected the alerts.

Source

https://www.helpnetsecurity.com/2026/05/04/digicert-breach-code-signing-certificates-malware/