A Trusted Support Workflow Turned Into an Attack Path


A major cybersecurity incident involving DigiCert has raised concerns about how trusted support systems can be abused when attackers target the right workflow. According to DigiCert’s own statement, this was not a compromise of the company’s broader PKI infrastructure. Instead, the attackers used a support-channel intrusion to obtain the initialization codes for pending code-signing orders, and used those codes to take delivery of EV Code Signing certificates that were later tied to malware abuse. DigiCert revoked 60 certificates in response, including the certificates linked to attacker activity.

The incident reportedly began when the attackers delivered a malicious file through a customer chat channel, disguised as a screenshot. After repeated blocked attempts, one succeeded: a support analyst’s device was compromised, and a second compromised system went undetected for a period because of gaps in endpoint protection coverage. DigiCert said the attackers then used the analyst’s limited support functionality to read the initialization codes of certificate orders that had been approved but not yet delivered.

The Original Incident and Why It Matters

DigiCert’s report indicates that the attackers did not break into the company’s root PKI systems. Instead, they abused a support workflow that allowed authenticated analysts to proxy into customer accounts and view specific account functions, including the initialization codes tied to pending code-signing orders. DigiCert later said it found no evidence that the threat actor misused other internal systems beyond those initialization codes.
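The workflow described above leaves an audit trail: an analyst session proxied into a customer account, then a read of an initialization code. The following is an added example of detection logic over such events; it is not DigiCert’s code, and the log format, field names (`actor`, `mode`, `account`, `event`, `chat`) and thresholds are assumptions. The sample events are constructed to mirror the narrative: a run of blocked uploads in one chat, followed by one analyst reading initialization codes across several accounts in a short window.

```python
"""Detection rules over support-portal audit events (illustrative, not DigiCert's)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-Lines sample, not real log data. Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-01-10T09:00:05Z", "actor": "cust-77", "chat": "c-501", "event": "upload_blocked", "file": "screenshot.png"}
{"ts": "2024-01-10T09:00:40Z", "actor": "cust-77", "chat": "c-501", "event": "upload_blocked", "file": "screenshot (1).png"}
{"ts": "2024-01-10T09:01:12Z", "actor": "cust-77", "chat": "c-501", "event": "upload_blocked", "file": "screen.png"}
{"ts": "2024-01-10T09:02:30Z", "actor": "cust-77", "chat": "c-501", "event": "upload_accepted", "file": "image.png"}
{"ts": "2024-01-10T13:15:00Z", "actor": "analyst-12", "mode": "proxied", "account": "acct-1001", "event": "view_order_status"}
{"ts": "2024-01-10T13:16:10Z", "actor": "analyst-12", "mode": "proxied", "account": "acct-1001", "event": "reveal_init_code"}
{"ts": "2024-01-10T13:18:45Z", "actor": "analyst-12", "mode": "proxied", "account": "acct-1002", "event": "reveal_init_code"}
{"ts": "2024-01-10T13:21:02Z", "actor": "analyst-12", "mode": "proxied", "account": "acct-1003", "event": "reveal_init_code"}
{"ts": "2024-01-10T14:00:00Z", "actor": "owner-1004", "mode": "direct", "account": "acct-1004", "event": "reveal_init_code"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON Lines into dicts, converting the ISO-8601 timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return events


def detect(events: list[dict], blocked_threshold: int = 3, spread_threshold: int = 3,
           window: timedelta = timedelta(minutes=30)) -> list[tuple]:
    """Return alert tuples (rule, actor, detail) for three patterns drawn from the incident."""
    alerts = []

    # Rule 1: an initialization code read inside a proxied support session.
    # This should be impossible once proxied sessions are denied the function, so
    # any hit is either a policy gap or a compromised analyst session.
    for e in events:
        if e["event"] == "reveal_init_code" and e.get("mode") == "proxied":
            alerts.append(("proxied_init_code_reveal", e["actor"], e["account"]))

    # Rule 2: repeated blocked uploads from one chat inside the window, which is
    # what a lure attempt looks like before one file finally gets through.
    blocked = defaultdict(list)
    for e in events:
        if e["event"] == "upload_blocked":
            blocked[(e["actor"], e["chat"])].append(e["ts"])
    for (actor, chat), times in blocked.items():
        times.sort()
        if any(times[i + blocked_threshold - 1] - times[i] <= window
               for i in range(len(times) - blocked_threshold + 1)):
            alerts.append(("repeated_blocked_uploads", actor, chat))

    # Rule 3: one actor reading initialization codes for many distinct accounts
    # within the window; a legitimate owner normally touches only their own orders.
    reveals = defaultdict(list)
    for e in events:
        if e["event"] == "reveal_init_code":
            reveals[e["actor"]].append((e["ts"], e["account"]))
    for actor, items in reveals.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            accounts = {acct for t, acct in items[i:] if t - t0 <= window}
            if len(accounts) >= spread_threshold:
                alerts.append(("init_code_spread", actor, len(accounts)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Rule 1 is the one to keep even after proxied sessions are denied the function: it then becomes a tripwire for a control that silently regressed. Rules 2 and 3 need tuning to a team’s real volumes; the thresholds here are only placeholders.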

The company revoked 60 code-signing certificates by April 17, including 27 that were directly tied to the attacker’s activity. Of those 27, 11 were identified through community problem reports and 16 were found during DigiCert’s own investigation. The remaining 33 were revoked as a precaution where customer control could not be confirmed, and pending orders were cancelled to prevent further abuse.

Some of the abused certificates were reported to have been used to sign Zhong Stealer malware. That attribution should be handled carefully and framed as reported misuse tied to observed campaign activity rather than overstated as a broader compromise of DigiCert’s PKI.

What Undercode Says:

Collapse of Digital Trust Through Certificate Abuse

The DigiCert incident highlights a dangerous evolution in cyberattacks where trusted support mechanisms become attack vectors. Code-signing certificates exist to bind software to a verified publisher identity, yet when attackers obtain them through abuse of support workflows, malicious code carries a valid signature and looks credible both to users and to security tools that treat signed binaries as lower risk. The risk is not only malware distribution, but also the erosion of trust in systems meant to authenticate software at scale.

The Support Portal as a Weak Entry Point

This case shows how human-facing systems with privileged backend access can become the easiest path in for attackers. Rather than attacking hardened core infrastructure, the threat actor targeted support staff and used a disguised file to gain an initial foothold. That foothold then gave access to a limited support workflow that could nonetheless read trust-critical secrets, showing how operational convenience creates blind spots when access is not tightly segmented by session type and function.

Zhong Stealer and the Economics of Misused Certificates

The reported link to Zhong Stealer shows why code-signing abuse is so valuable to attackers. Signed binaries are more likely to look legitimate, which can improve delivery success and reduce initial suspicion. In this case, community reporting played an important role in surfacing the abuse, helping DigiCert identify and revoke additional certificates that had been misused in the wild. Revocation only takes effect where the verifier actually checks revocation status, so defenders should not assume every endpoint will reject the revoked signatures on its own.

Containment and Response

DigiCert’s response was fast by industry standards: revocations were completed within days, pending orders were cancelled, and the company tightened controls around support workflows. Reported improvements included stronger multi-factor authentication for administrative workflows, removal of initialization-code access from proxied support sessions, tighter file-type controls in support channels, and improved logging.
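Two of those reported controls are simple enough to show in code. The following is an added example, not DigiCert’s code: a file-type gate for chat attachments that checks content magic bytes rather than the filename (the initial lure was a file disguised as a screenshot), and an authorization check that refuses to hand initialization codes to a proxied support session. The accepted formats, the action names and the `Session` model are assumptions for illustration.

```python
"""Support-workflow hardening checks (illustrative; names and policy are assumptions)."""
from __future__ import annotations
from dataclasses import dataclass

# Magic-byte prefixes of the image types the support chat is assumed to accept.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Prefixes of formats that must never enter the channel regardless of filename.
EXECUTABLE_MAGIC = {
    "pe": b"MZ",                              # Windows executable / DLL
    "elf": b"\x7fELF",
    "zip": b"PK\x03\x04",                     # also .docx, .jar, .apk wrappers
    "pdf": b"%PDF-",
    "lnk": b"L\x00\x00\x00\x01\x14\x02\x00",  # Windows shortcut header
}


def classify_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept an attachment only when the declared image extension and the
    content's leading bytes agree. The filename alone is never trusted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_MAGIC:
        return False, f"extension '.{ext}' is not an allowed image type"
    for kind, magic in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, f"content is {kind}, not an image; '{filename}' is a lure"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, f"content does not match the declared .{ext} format"
    return True, "image accepted"


@dataclass(frozen=True)
class Session:
    principal: str      # who is logged in
    account: str        # which customer account is being viewed
    proxied: bool       # True when a support analyst views it on the customer's behalf
    mfa_verified: bool  # fresh MFA step-up completed in this session


# Actions that hand over or redirect a trust asset.
SENSITIVE_ACTIONS = {"reveal_init_code", "download_certificate", "change_order_contact"}


def authorize(action: str, session: Session) -> tuple[bool, str]:
    """Proxied support sessions get non-secret access only; sensitive actions
    require the account owner's own session with a fresh MFA verification."""
    if action not in SENSITIVE_ACTIONS:
        return True, "non-sensitive action"
    if session.proxied:
        return False, f"{action} is not available to proxied support sessions"
    if not session.mfa_verified:
        return False, f"{action} requires a fresh MFA verification"
    return True, f"{action} permitted for account owner {session.principal}"


if __name__ == "__main__":
    print(classify_upload("screenshot.png", b"MZ\x90\x00\x03"))
    print(authorize("reveal_init_code", Session("analyst-12", "acct-1001", True, True)))
```

The order of checks in `classify_upload` matters: an executable signature is rejected before the image check so that the reason names the real content, and a double extension such as `screenshot.png.exe` is caught by taking only the last suffix. The deny in `authorize` is on the session type, not on the analyst’s identity, so a compromised analyst workstation gains nothing from the proxy feature.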

🔍 Fact Checker Results

Support-Portal Compromise Confirmed, Not a PKI Breach

The reporting supports a support-channel compromise that led to unauthorized certificate issuance. It does not support framing the event as a compromise of DigiCert’s broader PKI infrastructure. That distinction should be made clearly in any final publication.

Revocation Count Confirmed

DigiCert revoked 60 code-signing certificates, including 27 linked to attacker activity. The company also said 11 of those were identified through community problem reports and 16 through its own investigation.

Malware Attribution Should Be Kept Careful

The certificates were reported as being used to sign Zhong Stealer malware. That is a meaningful claim, but it should be presented as reported misuse tied to observed campaign activity rather than as proof of a wider DigiCert system breach.

Unrelated Ransomware Claims Removed

Any unrelated ransomware or financial-sector intrusion claims should be removed unless they are independently sourced and clearly connected to the story. They do not belong in this article’s main narrative and weaken the credibility of the report.

📊 Prediction

The DigiCert incident suggests that future attacks will increasingly focus on trusted support workflows, identity paths, and certificate issuance processes rather than only direct attacks on core infrastructure. Organizations should expect more abuse of help desks, ticketing systems, customer support channels, and internal proxy tools, especially where those systems can influence trust assets.

Certificate abuse will likely remain a high-value tactic for threat actors because it helps malicious software blend in with legitimate activity. In response, security teams will need stronger segmentation, tighter approval controls, better monitoring, and rapid revocation procedures whenever trust infrastructure is indirectly exposed.

The bigger lesson is simple: even when the root PKI remains intact, abuse of a single support workflow can still create serious downstream risk. In modern cybersecurity, trust chains are just as important to defend as the systems that sit behind them.


References:

Reported By: x.com

