Bypass Record

Code-Signing Abuse × DigiCert EV Code Signing Certificates

A publicly-reported instance of Code-Signing Abuse bypassing DigiCert EV Code Signing Certificates, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

DigiCert EV Code Signing Certificates

Technique

Code-Signing Abuse

MITRE ATT&CK

T1553.002

Confidence

High

Severity

Critical

Status

in the wild

Disclosed

2026-05-04

Config / version noted

Not stated

Provenance

cyberinsider.com
disclosed 2026-05-04 · original source · via exa
cybersecuritynews.com
disclosed 2026-05-04 · original source · via exa
hackersradar.com
disclosed 2026-05-04 · original source · via exa

Reported as

Attackers compromised DigiCert's internal support systems... fraudulently obtained valid certificates and used them to sign Zhong Stealer malware.

Mechanism

Threat actor impersonated a customer, sent a malicious ZIP containing a .scr file to support chat. A support employee executed it, compromising a workstation. Due to missing EDR on a second endpoint, attackers maintained access for two weeks, harvesting initialization codes from the support portal's proxy view to generate valid EV code-signing certificates.

Detection & mitigation

Monitor code-signing certificate issuance logs for anomalies such as unusual certificate requests, rapid successive approvals, or certificates issued outside normal business processes. Implement strict access controls and multi-factor authentication for certificate issuance systems, and deploy EDR on all endpoints to detect and block malicious scripts or executables used in initial compromise.

Code-Signing Abuse has also been recorded against

Apple Kaseya Microsoft

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.