Hackers Trick DigiCert Into Issuing Certificates Used to Sign Malware
ID: 40cb3e8c-b8ed-5f10-8319-80d40aa054fc
STIX ID: report--40cb3e8c-b8ed-5f10-8319-80d40aa054fc
Feed Name: HackRead
On 2 April 2026, attackers used a social-engineering chat interaction to deliver a malicious .scr payload to a DigiCert support agent, infecting support endpoints and exfiltrating initialization codes from an internal portal. The actors then procured and used valid EV Code Signing certificates (later revoked) to sign Zhong Stealer. DigiCert discovered multiple breaches (27 incidents), revoked 60 certificates, patched portal visibility, blocked .scr file uploads in chat, and noted an EDR gap and Okta FastPass session persistence that aided the actors.
