
DigiCert Revokes Certificates After Support Portal Hack

Medium
Malware
Published: Mon May 04 2026 (05/04/2026, 12:46:53 UTC)
Source: SecurityWeek

Description

In April 2026, DigiCert experienced a cyberattack where hackers delivered malware via a customer chat channel, infecting support analysts' systems and gaining access to the internal support portal. The attackers exploited a limited access function used by authenticated support analysts to proxy into customer accounts, allowing them to obtain Extended Validation (EV) Code Signing certificates fraudulently. DigiCert identified and revoked 60 certificates linked to the incident, including those used to sign malware. The company enhanced security controls by enforcing multi-factor authentication, restricting access to initialization codes, limiting file types in support channels, and improving logging. No evidence was found of misuse beyond the code signing initialization codes. The incident highlights risks associated with internal support tools and the importance of securing privileged access.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 05/04/2026, 12:51:29 UTC

Technical Analysis

Hackers targeted DigiCert's support team by delivering malware disguised as a screenshot through a customer chat channel, infecting two analyst endpoints. From the infected systems, attackers accessed DigiCert's internal support portal, leveraging a feature that allows support analysts to proxy into customer accounts. This access enabled them to obtain initialization codes and approved orders necessary to fraudulently issue EV Code Signing certificates across multiple customer accounts and certificate authorities. DigiCert discovered and revoked 60 certificates by mid-April 2026, including 27 linked to the threat actor, some of which were used to sign the Zhong Stealer malware family. The company responded by canceling pending orders, revoking certificates, and implementing stronger security measures such as multi-factor authentication for administrative workflows and restrictions on file types in support channels. The investigation found no evidence of other internal system misuse beyond the code signing initialization codes.

Potential Impact

The attackers were able to fraudulently obtain EV Code Signing certificates, which could undermine trust in software signed with these certificates. Eleven of the revoked certificates were used to sign malware (Zhong Stealer), indicating active abuse. The incident compromised the integrity of DigiCert's certificate issuance process for a limited set of customer accounts. However, DigiCert's prompt revocation of certificates and cancellation of pending orders mitigated further misuse. No evidence was found of broader internal system compromise beyond the code signing initialization codes.

Mitigation Recommendations

DigiCert has revoked all certificates potentially linked to the incident and canceled pending certificate orders to prevent further abuse. The company has implemented multi-factor authentication for administrative workflows, restricted access to initialization codes from proxied support users, limited allowable file types in support chat and case attachments, and enhanced logging capabilities. Organizations relying on DigiCert certificates should verify certificate validity and update any software signed with revoked certificates. Patch status is not applicable as this is an incident response to a compromise rather than a software vulnerability.


Technical Details

Article Source
{"url":"https://www.securityweek.com/digicert-revokes-certificates-after-support-portal-hack/","fetched":true,"fetchedAt":"2026-05-04T12:51:22.432Z","wordCount":1006}

Threat ID: 69f8964acbff5d86101bc2ac

Added to database: 5/4/2026, 12:51:22 PM

Last enriched: 5/4/2026, 12:51:29 PM

Last updated: 5/4/2026, 3:58:12 PM
