
DigiCert Breach: EV Code-Signing Certificates Abused to Sign Zhong Stealer Malware

A certificate authority compromise shows why a valid signature is not the same as a trustworthy download. Here is the practical guidance for consumers and small software teams.

Hot radar note: DigiCert disclosed a support-system breach in which attackers abused stolen certificate issuance data to obtain valid EV code-signing certificates. Some of those certificates were subsequently used to sign malware linked to the Zhong Stealer family. This is a trust-chain event, and it affects how regular users should think about "signed" software downloads.

What happened

DigiCert is one of the largest public certificate authorities in the world. According to the disclosure, attackers compromised internal support systems and abused stolen issuance data to obtain valid EV (Extended Validation) code-signing certificates. Extended Validation is the higher-trust tier that normally requires stricter identity verification before a software vendor can sign binaries.

Researchers tied at least some of the misused certificates to malware in the Zhong Stealer family, an infostealer known for harvesting saved browser credentials, session cookies, authentication tokens, and cryptocurrency wallet data. A signed installer looks far more legitimate to Windows SmartScreen and to many antivirus heuristics, which is exactly what makes abuse of a trusted authority so valuable to attackers.

Why a valid signature does not mean safe

Code signing is designed to answer one question: is this binary the one the vendor built, unchanged? It is not designed to answer a bigger question: is this vendor honest, and is this download the one I meant to click? When a certificate authority gets compromised, attackers can satisfy the first question with a stolen certificate while failing the second.

Practical implications:

  • Do not rely on a blue "verified publisher" label alone to judge safety.
  • Install software from the vendor's primary domain, not from search ads, random download portals, or forum links.
  • Keep endpoint antivirus enabled with behavior-based protection, not only signature lookups.
  • Treat unexpected update prompts and one-off "installer required to view this" pages as high risk.

Why this matters for everyday users

Zhong Stealer and similar infostealers do not encrypt files the way ransomware does. They quietly collect. Within minutes of running, a single signed installer can exfiltrate saved passwords for dozens of sites, online banking sessions, email tokens, and crypto wallet keys. Those credentials often show up in criminal marketplaces within hours and are used to take over accounts, drain wallets, and launch phishing from real inboxes.

The defenses are familiar but need to be in place before an incident, not after:

  • Use a password manager so a stolen browser vault does not give attackers your master list.
  • Enable multi-factor authentication on email, banking, and social accounts.
  • Run a reputable antivirus with behavior-based protection and web filtering.
  • Consider identity monitoring if financial, tax, or wallet data is part of your exposure.

Guidance for small software teams

If you use DigiCert or any other public CA for code signing, incidents like this are a reminder that certificate material and the accounts around it must be treated like production keys:

  • Store signing keys in HSMs or cloud KMS with strict access policies, not on developer laptops.
  • Require MFA on every account with certificate-portal access.
  • Audit recent issuance requests and anomalous support interactions.
  • Keep a revocation and timestamping plan documented so you can react fast if abuse is confirmed.

Windows users can also verify signature timestamps and revocation status when investigating a suspicious binary, though this is rarely practical for end users in the moment.
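As an added example that is not part of the original article, the Python below models the layered check implied by the "one question, not the other" point above and by the revocation and timestamping guidance for small teams: chain validity, timestamp versus expiry, effective-dated revocation, and a pin on the vendor's own signing certificate. The thumbprints, dates and sample scenarios are constructed placeholders; in practice the facts would be filled from a signature verifier such as signtool or Get-AuthenticodeSignature plus CRL/OCSP data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
def ts(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)
@dataclass
class SignatureFacts:
    chain_valid: bool                 # hash matches and leaf chains to a trusted root
    signer_thumbprint: str            # thumbprint of the leaf (signing) certificate
    cert_not_after: datetime          # leaf certificate expiry
    signing_time: Optional[datetime]  # RFC 3161 countersignature time, None if untimestamped
    revoked_at: Optional[datetime]    # effective revocation date from CRL/OCSP, None if not revoked
def evaluate(facts: SignatureFacts, pinned_thumbprints: set, now: datetime) -> dict:
    """Layered verdict: 'allow', 'review' or 'block', with the reasons that drove it."""
    hard, soft = [], []
    if not facts.chain_valid:
        hard.append("signature or chain does not validate")
    # A trusted timestamp keeps a signature valid past certificate expiry; without one it lapses.
    if facts.signing_time is None and now > facts.cert_not_after:
        hard.append("certificate expired and signature is not timestamped")
    # Revocation is effective-dated: a signature timestamped BEFORE revoked_at still verifies,
    # which is why the revocation date must be set back to the moment of compromise.
    if facts.revoked_at is not None:
        if facts.signing_time is None or facts.signing_time >= facts.revoked_at:
            hard.append("certificate revoked effective %s" % facts.revoked_at.date())
        else:
            soft.append("certificate revoked after this signature was made; confirm with vendor")
    # The question a signature cannot answer by itself: a fraudulently issued EV certificate
    # validates cleanly, but it is not the certificate the vendor actually publishes.
    if facts.signer_thumbprint.lower() not in {t.lower() for t in pinned_thumbprints}:
        hard.append("signer is not the vendor's pinned certificate")
    verdict = "block" if hard else ("review" if soft else "allow")
    return {"verdict": verdict, "reasons": hard + soft}

# Constructed sample data: placeholder thumbprints and dates, not real certificates.
VENDOR_PIN = {"AA11" * 10}
NOW = ts(2025, 6, 1)
EXPIRY = ts(2026, 1, 1)
SAMPLES = {
    "vendor_build":          SignatureFacts(True, "AA11" * 10, EXPIRY, ts(2025, 3, 1), None),
    "fraudulent_ev_cert":    SignatureFacts(True, "BB22" * 10, EXPIRY, ts(2025, 5, 1), None),
    "revoked_backdated":     SignatureFacts(True, "AA11" * 10, EXPIRY, ts(2025, 5, 1), ts(2025, 4, 15)),
    "revoked_after_signing": SignatureFacts(True, "AA11" * 10, EXPIRY, ts(2025, 3, 1), ts(2025, 4, 15)),
    "untimestamped_expired": SignatureFacts(True, "AA11" * 10, ts(2025, 1, 1), None, None),
}
def run_samples() -> dict:
    # Verdict per constructed scenario; only the fraudulent cert has a clean chain yet fails.
    return {name: evaluate(f, VENDOR_PIN, NOW)["verdict"] for name, f in SAMPLES.items()}
```

The "fraudulent_ev_cert" scenario is the breach case: every cryptographic check passes and only the vendor pin rejects it.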

How layered defenses help

When the signature layer is under pressure, the layers around it carry more weight. Modern antivirus suites evaluate process behavior, not just file signatures, which is what catches infostealers that exfiltrate data even with a valid certificate. Password managers make it realistic to rotate credentials after an infostealer incident because you are not trying to remember which of 120 accounts shared the same password. Identity monitoring watches for leaked emails, SSNs, and payment data landing on criminal marketplaces.

Best tools to reduce your risk

Bitdefender Total Security 4.8/5

Best for: behavior-based malware and infostealer protection · Price: From about $39.99/year (promo pricing)

Pros
  • Behavior-based detection catches signed malware that bypasses signature-only tools
  • Web attack and phishing protection
  • Light performance footprint
Cons
  • VPN allowance is limited on lower plans
  • Renewal pricing can rise after the first year


Norton 360 Deluxe 4.7/5

Best for: families that want antivirus plus identity features · Price: From about $49.99/year (promo pricing)

Pros
  • Real-time malware protection plus cloud backup
  • Dark web monitoring in many plans
  • SafeCam and safe-browsing layers
Cons
  • Upsells can feel busy
  • Full identity protection costs more


Malwarebytes Premium 4.5/5

Best for: second-opinion infostealer cleanup · Price: From about $44.99/year

Pros
  • Strong remediation reputation for stealers and PUPs
  • Simple interface for non-technical users
  • Browser Guard helps block malicious sites
Cons
  • Fewer extras than full security suites
  • Advanced family identity features are limited


1Password 4.8/5

Best for: unique passwords and faster post-infection rotation · Price: From $2.99/month billed annually

Pros
  • Strong vault security and Watchtower alerts
  • Excellent passkey and family sharing support
  • Travel Mode helps reduce border-device risk
Cons
  • No permanent free tier
  • Some advanced controls require business plans


Aura 4.6/5

Best for: identity and financial monitoring after stealer exposure · Price: From about $12/month billed annually

Pros
  • Dark web, credit, and SSN monitoring
  • Identity restoration support
  • Bundles VPN and antivirus features
Cons
  • More expensive than standalone antivirus
  • Credit lock coverage varies by bureau and plan


Comparison table

| Product | Rating | Best for | Price | Key strengths |
| --- | --- | --- | --- | --- |
| Bitdefender Total Security | 4.8/5 | behavior-based malware protection | From about $39.99/year (promo pricing) | Catches signed malware via behavior analysis, phishing protection |
| Norton 360 Deluxe | 4.7/5 | families that want antivirus plus identity features | From about $49.99/year (promo pricing) | Real-time malware protection plus cloud backup, dark web monitoring |
| Malwarebytes Premium | 4.5/5 | second-opinion infostealer cleanup | From about $44.99/year | Strong remediation reputation, Browser Guard |
| 1Password | 4.8/5 | unique passwords and passkey adoption | From $2.99/month billed annually | Watchtower alerts, passkey and family sharing support |
| Aura | 4.6/5 | identity monitoring after breach exposure | From about $12/month billed annually | Dark web, credit, SSN monitoring, identity restoration |

Frequently asked questions

What happened at DigiCert?

DigiCert disclosed a security incident in which attackers compromised internal support systems and abused stolen certificate issuance data to obtain valid EV code-signing certificates. Some were later used to sign malware tied to the Zhong Stealer family.

Is a signed installer automatically safe?

No. A valid signature proves the binary was signed with a certificate that chains to a trusted authority and has not been altered since, not that the code is benign. Incidents like this show attackers can obtain valid signatures, which is why behavior-based antivirus and phishing awareness still matter.

What is Zhong Stealer?

Zhong Stealer is an infostealer malware family that harvests saved browser credentials, cookies, tokens, and cryptocurrency wallet data. Distribution via signed installers makes detection harder because the binary looks legitimate.

Do I need to revoke my own DigiCert certificate?

Individual users do not hold EV code-signing certificates. If you run a software company using DigiCert, follow their guidance directly, audit recent issuance requests, and rotate credentials for any account that touched the certificate portal.

How do I protect myself as a consumer?

Install software only from verified vendor pages, keep a modern antivirus running, use a password manager so one leaked password does not cascade, and enable MFA. Identity monitoring helps if your credentials or wallet data is ever stolen by an infostealer.

Bottom line

When a major certificate authority is breached, the whole "signed equals safe" shortcut gets weaker. The durable defenses are familiar: install only from vendor pages, run behavior-based antivirus, use a password manager and MFA, and add identity monitoring if you handle financial, tax, or wallet data. A valid signature is evidence, not a guarantee.