The Support Chat Trap: How a “Customer Screenshot” Led to a Critical Code-Signing Breach at DigiCert
A seemingly innocuous file transmitted via a support chat escalated into a significant crisis for DigiCert. An adversary masquerading as a client presented a malicious archive as a “customer screenshot,” successfully infiltrating systems utilized for the issuance of digital certificates.
The incursion, detailed in an official DigiCert report, commenced on April 2, 2026. An unidentified actor initiated contact with a support representative through the chat interface, repeatedly dispatching a ZIP archive containing an executable payload. While defensive protocols thwarted four initial attempts, a fifth proved successful, leading to the compromise of a solitary workstation.
Although the anomaly was detected and the system isolated within twenty-four hours—prompting an initial belief that the threat had been neutralized—subsequent forensics revealed that the assailant had established persistence on a secondary machine. On this particular device, security measures had faltered, failing to register the intrusion.
Leveraging access to the internal support portal, the attacker exploited a diagnostic utility designed to let support personnel sign in to client accounts for configuration assistance. While this function lacked the authority to manage accounts or initiate orders, it inadvertently exposed sensitive initialization codes for code-signing certificates.
These codes, when paired with pre-approved orders, facilitate the procurement of finalized certificates. The interloper capitalized on this oversight, issuing several certificates under the guise of legitimate clients. A subset of these was subsequently utilized to sign malware belonging to the Zhong Stealer family.
In total, DigiCert revoked sixty certificates. Twenty-seven were directly attributed to the adversary’s maneuvers, while the remainder were annulled as a precautionary measure. All affected certificates were invalidated within twenty-four hours of discovery, with the revocation backdated to the moment of issuance.
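Why backdating the revocation to the moment of issuance matters, as an added illustration that is not part of the original report: a timestamp-aware verifier normally keeps trusting signatures made before a certificate's CRL invalidity date, so a revocation dated only at discovery would leave the earlier, timestamped malware signatures valid. All serials, dates and file names below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(s: str) -> datetime:
    """Parse a constructed ISO timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

@dataclass(frozen=True)
class Revocation:
    serial: str
    revoked_at: datetime       # when the CA published the revocation
    invalidity_date: datetime  # from when signatures are untrusted (CRL invalidityDate)

@dataclass(frozen=True)
class SignedArtifact:
    name: str
    cert_serial: str
    signing_time: datetime     # taken from a trusted timestamp countersignature

def signature_trusted(art: SignedArtifact, revocations: dict) -> bool:
    """Timestamp-aware rule: a revoked certificate only invalidates
    signatures made at or after the revocation's invalidity date."""
    rev = revocations.get(art.cert_serial)
    if rev is None:
        return True
    return art.signing_time < rev.invalidity_date

# Constructed timeline: attacker obtains a cert, signs a binary two days
# later, and the abuse is detected three days after that.
ISSUED   = utc("2026-04-05T10:00:00")
SIGNED   = utc("2026-04-07T15:30:00")
DETECTED = utc("2026-04-10T09:00:00")

ARTIFACTS = [
    SignedArtifact("stealer.exe", "ATTACKER-SERIAL-0001", SIGNED),      # constructed serial
    SignedArtifact("vendor-tool.exe", "CUSTOMER-SERIAL-0042", SIGNED),  # unaffected customer cert
]

def evaluate(invalidity_date: datetime) -> dict:
    """Return {artifact name: trusted?} when the attacker's certificate is
    revoked with the given invalidity date."""
    serial = "ATTACKER-SERIAL-0001"
    revs = {serial: Revocation(serial, DETECTED, invalidity_date)}
    return {a.name: signature_trusted(a, revs) for a in ARTIFACTS}

# Revocation effective at discovery: the earlier timestamped malware signature survives.
revoked_at_discovery = evaluate(DETECTED)
# Revocation backdated to issuance: every signature ever made with the cert is untrusted.
revoked_from_issuance = evaluate(ISSUED)
```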
The crisis originated not within the certificate issuance infrastructure itself, but rather through a confluence of systemic vulnerabilities: a lapse in endpoint protection on a critical workstation, unrestricted internal access to sensitive telemetry on the support portal, and the failure to categorize initialization codes as high-level credentials.
Furthermore, it was discovered that the support channel permitted file transfers without rigorous filtering, effectively serving as a convenient ingress point for the assault. In response, DigiCert has implemented sweeping reforms: access to initialization codes has been rescinded, multi-factor authentication requirements have been fortified, and file transmission via chat has been curtailed. The firm is also auditing its security configurations to eliminate the “blind spots” that allowed the secondary infection to remain undetected.
DigiCert maintains that the assailant failed to penetrate other systems or subvert client validation processes. Nevertheless, this incident underscores how ancillary internal utilities can transform into critical failure points if they provide a pathway to the sanctity of digital certificate issuance.