Threat actor steals DigiCert code-signing certificates to sign malware
5 articles · Updated · news.risky.biz · May 4
  • DigiCert said 27 certificates were abused after two tech support staff were socially engineered last month, with one compromised system exposed for nearly two weeks because a CrowdStrike agent was misconfigured.
  • The intruder accessed EV certificate approval tickets, stole customer initialization codes and obtained certificates; DigiCert revoked all 60 EV code-signing orders processed during the exposure window.
  • The certificates were used to sign Zhong Stealer payloads linked to the GoldenEyeDog cybercrime group, though DigiCert said a third-party researcher’s report helped uncover the breach quickly.
Passwordless security was meant to be safer. How did it become the backdoor in this digital trust heist?
With AI now able to hack systems, is the entire model of human-verified digital trust already broken?
If the gatekeepers of software trust are compromised, how can anyone know the apps they use are actually safe?

The April 2026 DigiCert Breach: How 27 Stolen EV Code-Signing Certificates Enabled Sophisticated Malware Attacks

Overview

In April 2026, the GoldenEyeDog group launched a social engineering attack on DigiCert's support staff, delivering a malicious screensaver that compromised an employee's workstation and gave the attackers access to internal systems. They stole initialization codes and fraudulently issued 27 Extended Validation code-signing certificates under trusted company names, which were then used to sign malware such as Zhong Stealer. Despite CrowdStrike EDR being deployed, the breach went undetected for nearly two weeks, allowing extensive misuse. In response, DigiCert revoked 60 certificates and limited the validity of new code-signing certificates to one year. Microsoft removed the affected DigiCert certificates from Windows trust stores, which caused false positives that were later fixed with emergency updates. The incident accelerated industry reforms, including shorter certificate lifespans and mandated hardware security modules for key storage.

...