A sophisticated threat actor breached DigiCert's internal support environment in early April 2026 by tricking support analysts into executing a disguised malicious screensaver file, ultimately walking out with valid Extended Validation (EV) Code Signing certificates later used to distribute the "Zhong Stealer" malware family. DigiCert has confirmed the incident and revoked 60 EV Code Signing certificates issued across four Certificate Authorities.
What Happened
On April 2, 2026, a threat actor opened a Salesforce-based support chat with DigiCert and repeatedly attempted to deliver a malicious ZIP file disguised as a "customer screenshot." CrowdStrike and other endpoint defenses blocked four consecutive delivery attempts before the fifth attempt succeeded, compromising ENDPOINT1, a workstation operated by a support analyst. DigiCert's Trust Operations team detected and isolated that machine by April 3, 2026.
The containment was incomplete. A second machine, ENDPOINT2, was compromised on April 4, 2026 through the same delivery vector, but the breach was not discovered until April 14, 2026. The attacker had ten days of undetected access on that endpoint before defenders caught up.
What Was Taken
Using the hijacked analyst sessions, the attacker accessed DigiCert's internal customer support portal and abused a "view-as-customer" feature that lets authenticated support staff see accounts from the customer's perspective. While the function does not permit account management, API-key access, or order submissions, it exposed initialization codes for approved but undelivered EV Code Signing certificate orders across a finite set of customer accounts.
Possession of an initialization code combined with a pre-approved order is enough to obtain and activate a valid certificate. Between April 14 and April 17, 2026, DigiCert revoked 60 EV Code Signing certificates issued from four CAs: DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1, and Verokey High Assurance Secure Code EV. Of those, 27 were directly linked to the actor (11 via community-submitted certificate problem reports, 16 found during DigiCert's investigation), and 33 were revoked as a precaution where customer control could not be conclusively verified.
Why It Matters
EV Code Signing certificates are among the highest-trust signing credentials in the Windows ecosystem. They confer SmartScreen reputation, suppress many heuristic warnings, and are routinely trusted by publisher-based application allowlisting and EDR policies. A threat actor in possession of legitimate, CA-signed EV credentials can ship malware that is indistinguishable, at the signature level, from software produced by a vetted vendor, which is exactly what happened with the Zhong Stealer campaign tied to this breach.
The incident also exposes a structural weakness in CA support workflows: a single mid-tier support analyst's endpoint became the pivot point to credentials that underpin software trust for millions of downstream users. Four blocked deliveries did not produce an investigation that would have hardened the channel against the fifth.
The Attack Technique
The intrusion is a textbook abuse of .scr (screensaver) files, which are ordinary PE executables under a different extension: Explorer launches them on double-click just as it would an .exe, while many users and attachment filters still treat the extension as harmless. The actor delivered a ZIP archive over a customer-facing Salesforce chat, presented as a screenshot to support a fabricated support case. The archive contained the .scr payload. Endpoint controls blocked four attempts; the fifth landed. Why it evaded the controls that stopped the first four has not been disclosed; repackaging of the payload or analyst fatigue are the likeliest explanations.
Once on the analyst's endpoint, the attacker leveraged the active support portal session to access the "view-as-customer" function, scraping initialization codes for already-approved EV Code Signing orders. Those codes were then used through legitimate certificate issuance flows to obtain real, CA-signed certificates, which were promptly applied to Zhong Stealer payloads.
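The delivery vector above, a ZIP "screenshot" carrying a .scr, is cheap to screen for before an archive reaches an analyst. The following is an added example, not code from the article or from DigiCert, of a gateway-side check that inspects every ZIP entry by name (blocked and double extensions such as screenshot.png.scr) and by content (the "MZ" header every PE file starts with, whatever it is called). The extension list, the quarantine path and the function name are assumptions.

```powershell
# Added example, not code from the article or from DigiCert. Screens a ZIP
# received through a support channel for executables disguised as screenshots.
# The extension list, the sample path and the function name are assumptions.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows runs directly or via a script host; .scr is an ordinary PE.
$BlockedExtensions = @('.exe', '.scr', '.pif', '.com', '.cpl', '.hta', '.bat', '.cmd',
                       '.js', '.jse', '.vbs', '.vbe', '.wsf', '.lnk', '.msi', '.dll')

function Test-SupportArchive {
    param([Parameter(Mandatory)][string]$Path)

    $findings = New-Object System.Collections.Generic.List[object]
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/')) { continue }          # directory entry
            $name = [System.IO.Path]::GetFileName($entry.FullName)
            $ext  = [System.IO.Path]::GetExtension($name).ToLowerInvariant()

            # 1. Name-based: blocked extension, including "screenshot.png.scr" double extensions
            if ($BlockedExtensions -contains $ext) {
                $reason = if ($name.Split('.').Count -gt 2) { "double extension ending in $ext" }
                          else { "blocked extension $ext" }
                $findings.Add([pscustomobject]@{ Entry = $entry.FullName; Reason = $reason })
            }

            # 2. Content-based: a PE file begins with "MZ" regardless of its name
            try {
                $stream = $entry.Open()
                try {
                    $magic = New-Object byte[] 2
                    if (($stream.Read($magic, 0, 2) -eq 2) -and ($magic[0] -eq 0x4D) -and ($magic[1] -eq 0x5A)) {
                        $findings.Add([pscustomobject]@{ Entry = $entry.FullName; Reason = 'PE header (MZ) in content' })
                    }
                } finally { $stream.Dispose() }
            } catch {
                # Encrypted or corrupt entries cannot be inspected; that is a finding, not a pass
                $findings.Add([pscustomobject]@{ Entry = $entry.FullName; Reason = "unreadable entry: $($_.Exception.Message)" })
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Usage: anything with findings is quarantined or detonated, never handed to the analyst
$result = Test-SupportArchive -Path 'C:\Quarantine\customer_screenshot.zip'
if ($result.Count -gt 0) { $result | Format-Table -AutoSize }
```

The content check matters more than the name check: a gateway that only matches extensions is defeated by the next extension on the list, whereas a PE header inside an archive that is supposed to contain a screenshot is a finding in itself. Password-protected archives cannot be inspected at all and should be treated as blocked rather than passed through.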
What Organizations Should Do
- Block .scr, .cpl, .hta, and similar legacy executable extensions at the email and chat-attachment gateway, and detonate ZIPs delivered through customer support channels in a sandbox before they reach analyst endpoints.
- Treat repeated blocked-delivery events from a single counterparty as an active intrusion attempt and trigger account isolation, not just an alert.
- Audit any "view-as-customer" or impersonation features in support tooling: log every invocation, alert on bulk access, and require step-up authentication for functions that expose unredeemed credential material.
- Rotate or revalidate any EV Code Signing certificate orders that were in an approved-but-undelivered state with DigiCert between March and mid-April 2026, and re-pin internal signing trust where feasible.
- Hunt for executables whose Authenticode signature chains to any of the four affected CAs within the relevant issuance window, prioritizing Zhong Stealer indicators, and push the revoked serials into local enforcement (the Untrusted Certificates store or an application-control policy) rather than relying on OCSP soft-fail. Note that a signature countersigned by a trusted timestamp earlier than the revocation's effective date still validates on Windows, so revocation alone does not neutralize binaries signed earlier in the window unless the CA backdates the revocation to the compromise.
- Segment support analyst workstations from any system that holds session tokens for high-trust portals, and enforce short-lived, MFA-gated sessions on CA-side support tooling.
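The hunting step above can be carried out with the built-in Authenticode cmdlets. The following is an added example, not code from the article or from DigiCert, that sweeps a set of directories for signed PE files whose issuer CN matches one of the four CAs named in the incident and reports the issuance date, timestamp status and hash for each hit. The directory roots, the March to mid-April 2026 window, the function name and the empty revoked-serial list are assumptions; the article does not publish the revoked serials, so that list must be populated from the CA's revocation data.

```powershell
# Added example, not code from the article or from DigiCert. Finds Authenticode-signed
# binaries issued by the four CAs named in the incident. Roots, window and the (empty)
# serial list are assumptions; fill $RevokedSerials from the CA's CRL.
$AffectedIssuers = @(
    'DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1',
    'DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1',
    'GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1',
    'Verokey High Assurance Secure Code EV'
)
$RevokedSerials = @()                        # uppercase hex, no separators; not in the article
$WindowStart    = Get-Date '2026-03-01'      # assumed issuance window, see L18 guidance
$WindowEnd      = Get-Date '2026-04-18'

function Find-SuspectSignedBinaries {
    param(
        [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA", "$env:TEMP")
    )

    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.scr, *.sys, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if (-not $cert) { return }                   # unsigned: out of scope for this hunt

            # Issuer CN via the certificate API rather than splitting the DN string by hand
            $issuerCN  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
            $issuerHit = $AffectedIssuers -contains $issuerCN
            $serialHit = $RevokedSerials -contains $cert.SerialNumber.ToUpperInvariant()
            if (-not ($issuerHit -or $serialHit)) { return }

            # Status alone is not a verdict: a signature timestamped before the revocation's
            # effective date still reports Valid, which is why the serial and window columns exist.
            [pscustomobject]@{
                Path          = $_.FullName
                Subject       = $cert.Subject
                IssuerCN      = $issuerCN
                Serial        = $cert.SerialNumber
                NotBefore     = $cert.NotBefore
                InWindow      = ($cert.NotBefore -ge $WindowStart -and $cert.NotBefore -le $WindowEnd)
                SerialRevoked = $serialHit
                Timestamped   = [bool]$sig.TimeStamperCertificate
                Status        = $sig.Status
                SHA256        = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        }
    }
}

# Usage: review hits in the window first; hash and submit anything not known-good
Find-SuspectSignedBinaries | Sort-Object InWindow -Descending | Format-Table -AutoSize
```

A hit from one of these issuers is not proof of compromise; the same CAs issued certificates to legitimate customers, and the 33 precautionary revocations were of certificates whose customer control simply could not be confirmed. Triage on serial first, then on issuance inside the window, and feed confirmed-bad leaf certificates into Cert:\LocalMachine\Disallowed so that the block no longer depends on a live OCSP response.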
Sources: DigiCert Hacked via Weaponized Screensaver File to Obtain EV Code Signing Certificates