Attackers breached DigiCert’s support environment using a disguised malicious file, accessed certificate-related data, and issued legitimate code-signing certificates that were later used to sign malware, turning trust itself into the attack vector.
It started with something that didn’t seem unusual: a file sent to customer support. Just another case, another attachment. But inside that ZIP archive was a disguised .scr screensaver file. And once it was opened, it quietly executed. That’s all it took.
In early April 2026, attackers gained a foothold inside DigiCert, not by breaking encryption or exploiting a zero-day, but by slipping through a human moment. The malicious file gave them initial access to an internal support environment, not the company’s core certificate infrastructure. And that distinction matters.
Because this wasn’t a failure of cryptography; it was a failure of process. From there, the attackers moved carefully. They operated within the customer support systems, leveraging a legitimate feature that allows staff to view accounts from a user’s perspective. It’s a tool designed for troubleshooting, but in this case it exposed something sensitive: initialization codes tied to certificate requests that had already been approved but not yet issued.
They didn’t need private keys. They didn’t need to crack anything. They just used what was already trusted. By combining those initialization codes with existing approved orders, the attackers were able to generate valid Extended Validation (EV) code-signing certificates, bypassing the usual identity verification steps. And that’s where the nature of the attack shifts.
Because once malware is signed with a legitimate certificate, it doesn’t look malicious anymore. It looks verified. Trusted by operating systems, more likely to bypass security tools, and far less likely to raise suspicion.
Some of those certificates were used to sign the Zhong Stealer malware, a strain associated with data theft and cryptocurrency-focused campaigns. The result wasn’t just access, it was amplification. The malware carried the appearance of legitimacy.
Importantly, there’s no indication that DigiCert’s root certificate systems or core infrastructure were compromised. The breach remained confined to the support and process layer. But even within that boundary, the impact was significant, because trust doesn’t always break at the core. Sometimes, it’s borrowed from the edges.
The attackers didn’t break encryption. They bypassed the system around it.
DigiCert responded quickly. The company revoked 60 code-signing certificates, including 27 directly linked to attacker activity, canceled pending certificate requests, and secured affected accounts. The response unfolded within hours of detection. But the attackers had already spent time inside, days in some systems, even longer in one environment due to misconfigured controls.
And that’s where the story becomes harder to ignore. This wasn’t just a breach. It was a trust chain issue.
By abusing the certificate issuance process, attackers effectively inserted themselves into the software trust ecosystem, using legitimate credentials to make malicious code appear safe, not by forcing their way in, but by stepping into a workflow that was never designed to be hostile.
Because in today’s threat landscape, attackers don’t always need to break trust. Sometimes, they just need to borrow it. And for a brief window, that was enough.