Published: May 8, 2026

Source: CYFORi Research — Analysis of the DigiCert support channel compromise, code signing certificate theft, and Zhong Stealer malware distribution.

Key References: DigiCert breach disclosure, CERT advisories, Zhong Stealer malware research.


The Attack — A Breach of the Digital Trust Ecosystem

The digital trust ecosystem just took another serious hit. DigiCert — the global certificate authority that millions of businesses and developers rely on for code signing — was breached through one of the most creative attack vectors we've seen.

Here's how it unfolded:

  1. A threat actor contacted DigiCert's support team through a customer chat channel.
  2. The attacker sent what appeared to be a customer screenshot, but it was actually a ZIP file containing a malicious Windows screensaver (a .scr file).
  3. The screensaver executed and compromised two support systems.
  4. The attacker was then able to generate legitimate EV Code Signing certificates.
  5. DigiCert revoked 60 certificates, including 27 tied to the attacker.
  6. Those certificates were already being used to sign Zhong Stealer malware.

Why this matters to an SMB in Canyon Lake or Corpus Christi: Code signing certificates are how software proves it's legitimate. When you download a program and Windows says "Verified Publisher," that verdict comes from a code signing certificate. If DigiCert's infrastructure is compromised, the trust model itself is damaged.

What Code Signing Certificates Actually Do

Every time you install software on your business computer, Windows shows you the publisher name. That's not an assumption — it's a cryptographically verified code signing certificate. Malware signed with a stolen but otherwise legitimate certificate passes any security control that trusts the publisher chain alone.

Zhong Stealer was one of the payloads signed with stolen DigiCert certificates. It targets:

And it has been linked to Chinese cybercrime operations — meaning this isn't a random exploit. It's a targeted, resourceful adversary with specific goals.

What Texas SMBs Should Do

Immediate

  1. Verify your software publishers — If a program you're installing suddenly shows an unknown or unexpected publisher, stop. Verify the file's hash against the value the vendor publishes.
  2. If you develop any software — even internal tools — your code signing certificates are now in the threat landscape. Monitor them actively and revoke any that show unusual activity.
  3. Review endpoint logs — Look for any newly installed software signed with code signing certificates you don't recognize.
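An added example (not from the CYFORi post) of the publisher and endpoint review in steps 1 and 3 above, as a PowerShell script: it lists recently modified executables whose Authenticode signer is missing, invalid, fails an online revocation check, or is not on an allowlist. The scan paths and `$TrustedPublishers` are constructed placeholders to replace with your own.

```powershell
# Added example, not code from the original post. Inventories Authenticode
# signers on recently modified executables and flags anything to review.
param(
    [string[]]$ScanPaths = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA"),
    [int]$ModifiedWithinDays = 7
)

# Constructed allowlist of signer subjects you expect on your fleet (placeholder).
$TrustedPublishers = @(
    'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

$cutoff = (Get-Date).AddDays(-$ModifiedWithinDays)

function Test-SignerChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Rebuild the chain with an online revocation check so a signing certificate
    # that the CA has since revoked is reported, not just "Valid" from a cached check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if ($chain.Build($Cert)) { return 'ChainOK' }
    return ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}

Get-ChildItem -Path $ScanPaths -Recurse -Include *.exe, *.dll, *.scr, *.msi -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $subject = if ($cert) { $cert.Subject } else { '<unsigned>' }
        $chainState = if ($cert) { Test-SignerChain $cert } else { 'n/a' }
        # Unsigned files are flagged too; review them rather than assume they are benign.
        $needsReview = ($sig.Status -ne 'Valid') -or ($chainState -ne 'ChainOK') -or
                       ($TrustedPublishers -notcontains $subject)
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Publisher  = $subject
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            Chain      = $chainState
            Flag       = if ($needsReview) { 'REVIEW' } else { '' }
        }
    } |
    Where-Object { $_.Flag -eq 'REVIEW' } |
    Sort-Object Publisher, File |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on each endpoint; the `Chain` column will show `Revoked` for signatures made with a certificate the CA has withdrawn, which is the case the post describes.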

This Week

  1. Audit all software installation policies — Can users install anything without approval?
  2. Verify DigiCert certificate chain trust — Are you still trusting DigiCert intermediaries? Consider diversifying your CA trust anchors if you're a high-value target.
  3. Update your incident response plan — A compromised code signing chain is a different type of incident. Know the playbook before you need it.

The Bigger Picture

The DigiCert breach is a reminder that trust is the infrastructure of cybersecurity. When the entities that verify trust get compromised, everything built on that trust is at risk. For SMBs, the practical takeaway is simple: question unexpected publishers, verify software before installing, and never assume a "verified" badge is enough.

Do You Know Every Software Publisher on Your Network?

CYFORi helps Texas SMBs build software integrity policies, deploy application whitelisting, and establish trusted publisher frameworks. Know what's running — and who signed it — before attackers do.