www.securityweek.com 5/4/2026, 1:21:37 PM

DigiCert Revokes 60 Certificates After Support Portal Breach

Primary Source bugzilla.mozilla.org

DigiCert revoked certificates after its internal support portal was compromised in a cyberattack in which malware delivered via a customer chat channel infected an analyst’s system. The attack occurred on 2 April 2026, and the malware was first identified on 3 April 2026, with a second infection detected on 14 April 2026. According to DigiCert, the hackers used a limited access function, available to authenticated support analysts who can proxy into customer accounts, to obtain EV Code Signing certificates.

By 17 April 2026, the company identified and revoked 60 certificates connected to the incident, including 27 explicitly linked to the threat actor, of which 11 were used to sign the Zhong Stealer malware family. DigiCert says that all certificates potentially linked to this activity were revoked, with pending orders cancelled to close the attackers’ access, and the firm has since tightened security controls, including multi-factor authentication for administrative workflows.


Article by CyberSIXT