DigiCert Breach: Hackers Forged Code-Signing Certificates via Support Portal
DigiCert, one of the world's largest certificate authorities, disclosed that hackers obtained fraudulent EV code-signing certificates through its internal support portal in a social engineering attack discovered in April 2026.
The attack began April 2 when a threat actor delivered malware via DigiCert's customer chat channel disguised as a screenshot. The malware infected two endpoints. The attackers pivoted to the internal support portal, exploiting proxy access to obtain initialization codes for pending code-signing certificate orders.
By April 17, DigiCert identified and revoked 60 certificates, including 27 linked to the threat actor. Of these, 11 were used to sign the Zhong Stealer malware family. The company found no evidence of misuse beyond code-signing initialization codes.
DigiCert has enforced multi-factor authentication for administrative workflows, prevented access to initialization codes from proxied users, restricted file types in support chat, and improved logging.
The breach is particularly concerning because code-signing certificates verify software authenticity. When attackers obtain legitimate certificates, they can sign malware that passes OS security checks, making detection significantly harder.
When a certificate authority itself is compromised, the entire trust chain is questioned. This breach shows social engineering remains the most reliable attack vector, even against security companies.
What certificates were affected?
60 EV code-signing certificates were revoked, 27 linked to the attacker. 11 were used to sign Zhong Stealer malware.
How did the attackers get in?
Malware disguised as a screenshot via support chat, infecting an analyst's machine, then using proxy access to obtain certificate initialization codes.