DigiCert Breach: Attackers Used Malicious Screensaver File to Obtain EV Code Signing Certificates

Attackers compromised DigiCert's support channel using a malicious screensaver (.scr) file attachment, obtaining approximately 60 EV code signing certificates that were subsequently used to sign the Zhong Stealer malware. The .scr file, functionally equivalent to an .exe, was delivered through support chat and used to compromise internal systems and obtain session tokens. DigiCert revoked the impacted certificates but stated no evidence of broad malicious issuance was found. The attack exploited trust in the DigiCert brand — a top-tier Certificate Authority — to increase success rates, and customers had to regenerate and redeploy certificates across web properties, APIs, VPNs, and device fleets.
Technical significance
The DigiCert breach highlights a critical supply chain vulnerability in the PKI ecosystem: even top-tier Certificate Authorities are susceptible to social engineering. Because stolen EV certificates were used to sign malware, code signed with these certificates would appear trusted to operating systems and endpoint protection products. Organizations should audit all code signed with certificates issued during the compromise window and monitor for the revoked certificate serial numbers.
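One way to run the audit described above, as an added example that is not DigiCert's or this page's own tooling: it checks a signature inventory against a revoked-serial list and an issuance window, normalizing serial formats first because different tools print the same serial differently. The serial number, window dates, CSV columns and file paths are constructed placeholders, since the page gives none of them.

```python
import csv
import io
from datetime import date

# Placeholders: the page lists neither serial numbers nor window dates.
# Replace them with the values from the CA's incident notice.
REVOKED_SERIALS = {"0A1B2C3D4E5F60718293A4B5C6D7E8F9"}  # constructed value
WINDOW = (date(2000, 1, 1), date(2000, 1, 31))           # constructed dates

# Constructed inventory, e.g. exported from a signature scan of a file share.
# not_before is the signer certificate's issuance date.
INVENTORY_CSV = """path,issuer,serial,not_before
share/apps/agent.exe,DigiCert EV Code Signing CA,0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9,1999-11-02
share/apps/updater.exe,DigiCert EV Code Signing CA,00 77 AA 01,2000-01-15
share/apps/tool.exe,Example Other CA,77AA01,2000-01-15
share/apps/old.exe,DigiCert EV Code Signing CA,0x5566,1998-06-01
"""

def normalize_serial(raw):
    """Canonical form: lowercase hex, no separators, no leading zeros."""
    s = raw.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = "".join(ch for ch in s if ch not in ": -")
    int(s, 16)  # raises ValueError on non-hex input instead of mis-matching
    return s.lstrip("0") or "0"

def audit(csv_text, revoked, window, issuer_match="digicert"):
    """Return (path, reason) for every signed file that needs review."""
    revoked = {normalize_serial(r) for r in revoked}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if issuer_match not in row["issuer"].lower():
            continue  # serials are only unique per issuer, so scope by CA
        if normalize_serial(row["serial"]) in revoked:
            findings.append((row["path"], "revoked-serial"))
        elif window[0] <= date.fromisoformat(row["not_before"]) <= window[1]:
            findings.append((row["path"], "issued-in-window"))
    return findings

if __name__ == "__main__":
    for path, reason in audit(INVENTORY_CSV, REVOKED_SERIALS, WINDOW):
        print(f"{reason:18} {path}")
```

Matching on the issuer and serial rather than on the file's current validation status matters here, because a timestamped signature made before the certificate's revocation date can still validate.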