
DigiCert Hacked via Weaponized Screensaver File to Obtain EV Code Signing Certificates

Cybersecurity News, archived May 05, 2026


By Guru Baran, May 4, 2026

A sophisticated threat actor breached DigiCert’s internal support environment in early April 2026 by tricking support analysts into executing a disguised malicious screensaver file, ultimately obtaining stolen EV Code Signing certificates used to distribute the “Zhong Stealer” malware family.

On April 2, 2026, a threat actor contacted DigiCert’s customer support team through a Salesforce-based chat channel and repeatedly sent a malicious ZIP file disguised as a customer screenshot. The archive contained a .scr (screensaver) executable, a classic social engineering trick that abuses Windows’ treatment of .scr files as native executables. CrowdStrike and other endpoint defenses blocked four consecutive delivery attempts, but a fifth attempt succeeded, compromising ENDPOINT1, a machine operated by a support analyst. DigiCert’s Trust Operations team detected and isolated that machine by April 3, 2026.

Despite the initial containment, the investigation had a critical blind spot. A second machine, ENDPOINT2, was compromised through the same delivery vector on April 4, 2026, but DigiCert only discovered that breach on April 14, 2026, a ten-day window during which the attacker had unrestricted access.

Using the compromised analyst accounts, the threat actor accessed DigiCert’s internal customer support portal and exploited a feature that allows authenticated support staff to view customer accounts from the customer’s perspective. This function is restricted: it does not permit account management, API-key access, or order submissions. It does, however, expose initialization codes for approved but undelivered EV Code Signing certificate orders across a finite set of customer accounts.
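The weakness described above is field-level rather than functional: the proxied view limits what support staff can do, but not what they can read. As an added example (illustrative Python, not DigiCert’s code; `Actor`, `Order`, `serialize_order` and the sample values are this example’s own assumptions), one way to close such a gap is to strip sensitive fields for any support or proxied session inside a single serializer that both the UI and the API render through, and to log each redaction, so that no second route still returns the code.

```python
"""Field-level redaction for "view as customer" (proxied) support sessions.

Added example, not DigiCert's code. Actor, Order, serialize_order and the
sample values are assumptions chosen for illustration. Both the UI and the
API render orders through one serializer, so a proxied support session
never receives the certificate initialization code, and every redaction
is recorded for review.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Actor:
    user_id: str
    role: str                 # "customer" or "support"
    customer_id: str | None   # account the actor owns (customers only)
    proxied: bool = False     # True when support is viewing as a customer


@dataclass(frozen=True)
class Order:
    order_id: str
    customer_id: str
    product: str
    status: str
    init_code: str            # constructed placeholder, never a real code


# Fields a support or proxied session must never receive.
SENSITIVE_FIELDS = frozenset({"init_code"})

# Constructed sample data for the example.
ORDERS = {
    "ORD-1001": Order("ORD-1001", "CUST-42", "EV Code Signing", "approved", "INIT-EXAMPLE-0001"),
}
AUDIT_LOG: list[dict[str, Any]] = []


def may_see_sensitive(actor: Actor, order: Order) -> bool:
    """Only the account owner, in a non-proxied session, may read init codes."""
    return (actor.role == "customer"
            and not actor.proxied
            and actor.customer_id == order.customer_id)


def serialize_order(order: Order, actor: Actor) -> dict[str, Any]:
    """Single serialization path used by both UI and API handlers."""
    if actor.role == "customer" and actor.customer_id != order.customer_id:
        raise PermissionError(f"{actor.user_id} may not view {order.order_id}")
    data = {
        "order_id": order.order_id,
        "customer_id": order.customer_id,
        "product": order.product,
        "status": order.status,
        "init_code": order.init_code,
    }
    if not may_see_sensitive(actor, order):
        for name in SENSITIVE_FIELDS:
            data[name] = None  # redact, do not merely hide in the template
        AUDIT_LOG.append({"event": "sensitive_field_redacted", "actor": actor.user_id,
                          "proxied": actor.proxied, "order_id": order.order_id,
                          "fields": sorted(SENSITIVE_FIELDS)})
    return data


def api_get_order(order_id: str, actor: Actor) -> str:
    """JSON API route: relies on the serializer and adds no fields of its own."""
    return json.dumps(serialize_order(ORDERS[order_id], actor), sort_keys=True)


def ui_render_order(order_id: str, actor: Actor) -> str:
    """HTML route: same serializer, so switching routes cannot bypass the redaction."""
    data = serialize_order(ORDERS[order_id], actor)
    code = data["init_code"] if data["init_code"] is not None else "(hidden for this session)"
    return f"<dl><dt>Order</dt><dd>{data['order_id']}</dd><dt>Init code</dt><dd>{code}</dd></dl>"


if __name__ == "__main__":
    owner = Actor("alice", "customer", "CUST-42")
    proxied = Actor("support-7", "support", None, proxied=True)
    print(api_get_order("ORD-1001", owner))
    print(api_get_order("ORD-1001", proxied))
    print(ui_render_order("ORD-1001", proxied))
    print(AUDIT_LOG)
```

The point of the design is that the redaction lives in the data layer rather than in each view: the article notes DigiCert had to block the field at both the UI and API layers, and a shared serializer makes that a single change instead of two that can drift apart.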
Critically, possession of an initialization code combined with an already-approved order is sufficient to obtain and activate a valid certificate, giving the attacker a direct pathway to legitimate, CA-signed credentials.

Zhong Stealer Malware via Stolen Certificates

Between April 14 and April 17, 2026, DigiCert revoked 60 EV Code Signing certificates issued from four Certificate Authorities: DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1, and Verokey High Assurance Secure Code EV. Of the 60 revoked certificates, 27 were explicitly linked to the threat actor: 11 were identified through community-submitted certificate problem reports, and 16 were discovered during DigiCert’s own investigation. The remaining 33 were revoked as a precautionary measure where customer control could not be explicitly confirmed.

The stolen certificates were used to digitally sign payloads delivering Zhong Stealer, a malware family previously associated with cybercrime groups involved in cryptocurrency theft. Security researchers have linked the Zhong Stealer campaign to GoldenEyeDog (APT-Q-27), a known Chinese e-crime group, though it remains unclear whether this group was directly responsible for the DigiCert breach itself. The malware’s attack chain includes phishing lures with fake screenshots, first-stage decoy payloads, and retrieval of additional malware from cloud services such as AWS, with digitally signed binaries used specifically to evade endpoint detection.

All 60 compromised certificates were revoked within 24 hours of discovery. DigiCert deployed code changes blocking proxied support users from viewing Code Signing initialization codes at both the UI and API layers, disabled Okta FastPass for support portal access, tightened MFA requirements, and suspended the accounts of affected analysts.
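The initial access in this incident, an executable archived under a screenshot name and pushed through a support chat, is something a support channel can screen for at intake, before an analyst ever opens the upload. The following Python is an added example, not DigiCert’s code or any vendor’s product; the extension lists, the `inspect_archive` function and the sample archive are this example’s own constructions. It inspects an uploaded ZIP in memory without extracting it and reports members that look like Windows executables on three independent grounds: the extension itself (Windows runs .scr like .exe), an image extension placed in front of an executable one, and the PE “MZ” header regardless of the file name.

```python
"""Intake check for archives uploaded through a support channel.

Added example, not DigiCert's code or tooling. It inspects a ZIP in memory
without extracting it and reports members that look like executables: by
extension (Windows runs .scr like .exe), by an "image" extension hiding an
executable one, and by the PE "MZ" header regardless of name. The sample
archive built by build_sample() is constructed for this example.
"""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Extensions Windows will execute directly (assumed list, extend as needed).
EXECUTABLE_EXT = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs",
                  ".js", ".jse", ".wsf", ".hta", ".ps1", ".msi", ".dll", ".lnk"}
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp"}
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img"}
PE_MAGIC = b"MZ"  # DOS/PE header shared by .exe, .scr and .dll files


@dataclass(frozen=True)
class Finding:
    member: str
    reason: str


def _extensions(name: str) -> list[str]:
    """'dir/screenshot.png.scr' -> ['.png', '.scr']; path and case are ignored."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_archive(blob: bytes) -> list[Finding]:
    """Return a finding per suspicious trait; an empty list means nothing flagged."""
    findings: list[Finding] = []
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return [Finding("<archive>", "not a ZIP archive (or corrupted)")]
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXT:
                findings.append(Finding(info.filename, f"executable extension {last}"))
            if len(exts) >= 2 and exts[-2] in IMAGE_EXT and last in EXECUTABLE_EXT:
                findings.append(Finding(info.filename, "image name hiding an executable extension"))
            if last in ARCHIVE_EXT:
                findings.append(Finding(info.filename, "nested archive; inspect recursively"))
            # Read only the first two bytes of the member; never extract to disk.
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC and last not in EXECUTABLE_EXT:
                findings.append(Finding(info.filename, "PE header (MZ) under a non-executable name"))
            elif head == PE_MAGIC:
                findings.append(Finding(info.filename, "PE header (MZ) confirms Windows executable"))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a 'screenshot' archive carrying a PE stub as .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("screenshot.png.scr", PE_MAGIC + b"\x90\x00" * 64)  # inert stub, not a program
        zf.writestr("notes.txt", b"see attached screenshot")
        zf.writestr("photo.jpg", PE_MAGIC + b"\x00" * 32)               # executable under an image name
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample()):
        print(f"{f.member}: {f.reason}")
```

Run as a script it prints four findings for the sample archive: three for the .scr member and one for the PE header hiding behind `photo.jpg`. Because only the first two bytes of each member are read, oversized members cost nothing, and nested archives are flagged rather than opened. A check like this complements rather than replaces endpoint protection: the article records that EDR blocked four attempts and missed the fifth, so a second, independent control at the channel boundary is worth having.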
DigiCert also canceled pending Code Signing orders to eliminate any residual threat actor access. Seven IP addresses used by the attacker during certificate installation were identified: 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, and 45.144.227[.]29.

Key IOCs and Indicators

Malware family: Zhong Stealer (RAT/Stealer hybrid)
Attributed threat actor: GoldenEyeDog / APT-Q-27 (unconfirmed for the breach)
Malicious file types: .scr executable inside a ZIP archive
Attacker IPs: 82.23.186[.]8, 154.12.185[.]32, 45.144.227[.]12, 203.160.68[.]2, 154.12.185[.]30, 62.197.153[.]45, 45.144.227[.]29
Total certificates revoked: 60 EV Code Signing
Certificates directly attributed to the attacker: 27
Non-compliance window: April 4 – April 17, 2026

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Organizations relying on code-signing validation should immediately verify that all 60 revoked DigiCert certificates have propagated across their CRL/OCSP infrastructure and are not trusted in any internal allowlists or pinned certificate configurations.