ctipilot.ch

DigiCert support portal compromise — 60 fraudulent EV code-signing certificates

incident · incident:digicert-support-portal-2026

  • Coverage timeline: 2 appearances, first 2026-05-06 → last 2026-05-10
  • Briefs: 2 distinct
  • Sources cited: 2 hosts
  • Sections touched: incidents, weekly_summary
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
     Section: weekly_summary. Consolidated in weekly summary for week 2026-W19.
  2. 2026-05-06 · CTI Daily Brief — 2026-05-06
     Section: incidents. First coverage. Social engineering via support chat (.scr file); two analyst endpoints infected; 12-day dwell due to absent EDR; 60 EV cert orders fraudulently generated; 11 used to sign Zhong Stealer malware.

Where this entity is cited

  • incidents: 1
  • weekly_summary: 1

Source distribution

  • helpnetsecurity.com: 1 (50%)
  • securityweek.com: 1 (50%)

Related entities

Items in briefs about DigiCert support portal compromise — 60 fraudulent EV code-signing certificates (1)

DigiCert support portal compromise — Salesforce-based support-chat social engineering yielded 60 fraudulent EV code-signing certificates

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

DigiCert confirmed on 2026-05-04 that a targeted social-engineering attack on its Salesforce-based customer-support portal in early April 2026 resulted in the fraudulent generation of 60 Extended Validation code-signing certificates. Two analyst endpoints were infected via a malicious Windows screensaver (.scr) repeatedly submitted via support chat; the second analyst's endpoint went undetected for approximately twelve days due to absent or degraded EDR coverage. The attacker used portal access to obtain certificate initialization codes and generated 60 EV certificates across multiple customer accounts; DigiCert confirmed 27 were directly attacker-linked, and a community member subsequently identified 11 used to sign the Zhong Stealer malware family (Chinese e-crime, cryptocurrency-asset targeting). All 60 certificates have been revoked; MFA is now mandatory on portal access; file upload functionality has been restricted (Help Net Security, 2026-05-04 · SecurityWeek, 2026-05-04 · daily 2026-05-06).

Defender takeaway: software signed with DigiCert-backed EV certificates from early April through 2026-05-04 warrants validation against the revoked certificate list. The recurring root cause across this incident and the third-party-analytics incidents in § 2 is that support-tier and analyst-tier endpoints are frequently held to a lower EDR-coverage bar than production endpoints, despite holding equivalent or higher operational privilege.