Microsoft Defender Flags DigiCert Certs as Malware
Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, producing widespread false-positive alerts and, in some cases, removing the certificates from Windows. According to security researcher Florian Roth, the issue first appeared after Microsoft added the detections in a Defender signature update on April 30th.
Today, administrators worldwide began reporting that DigiCert root certificate entries were being flagged as malware and, on affected systems, removed from the Windows trust store. The flagged certificates are identified by the SHA-1 thumbprints 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4.
Affected Systems and False Positives
On impacted systems, the certificates were removed from the AuthRoot store, which Windows keeps under the registry key HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\ (each entry is a subkey named after the certificate's SHA-1 thumbprint). The false positives caused concern among Windows users, some of whom assumed their devices were infected and reinstalled the operating system to be safe.
Microsoft has reportedly fixed the detections in Security Intelligence update version 1.449.430.0; the most recent update at the time of writing is 1.449.431.0. Reports on Reddit indicate that the fix also restores certificates that had been removed from affected systems.
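For administrators who want to check a machine themselves, the following PowerShell is an added illustration (not code from the article, Microsoft, or DigiCert). It looks up the two thumbprints named above in the LocalMachine AuthRoot store and in the registry key Defender was cleaning, compares the installed Defender signature version against 1.449.430.0, and lists any Cerdigent detections Defender recorded on the host. The cmdlets are the standard Defender and certificate-provider ones; the function names are this example's own.

```powershell
# Added example: check one Windows host for the DigiCert root entries the
# Cerdigent detection removed and for the signature version carrying the fix.
# Run in an elevated PowerShell session on the machine being checked.

$thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
$fixedVersion = [version]'1.449.430.0'   # first signature version reported to carry the fix

function Get-AuthRootState {
    # Cert:\LocalMachine\AuthRoot is the certificate-provider view of
    # HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates,
    # where each subkey is named after a certificate's SHA-1 thumbprint.
    $regRoot = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    $store   = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot
    foreach ($tp in $thumbprints) {
        $cert    = $store | Where-Object { $_.Thumbprint -eq $tp }
        $subject = if ($cert) { $cert.Subject } else { $null }
        [pscustomobject]@{
            Thumbprint  = $tp
            InStore     = [bool]$cert
            Subject     = $subject
            RegistryKey = Test-Path -Path (Join-Path $regRoot $tp)
        }
    }
}

function Get-DefenderFixState {
    $status    = Get-MpComputerStatus
    $installed = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        InstalledSignatures = $installed
        HasFix              = ($installed -ge $fixedVersion)
        LastUpdated         = $status.AntivirusSignatureLastUpdated
    }
}

function Get-CerdigentDetections {
    # Defender's own record of the detection, if it fired on this host.
    $threats = Get-MpThreat | Where-Object { $_.ThreatName -like 'Trojan:Win32/Cerdigent*' }
    if ($threats) {
        Get-MpThreatDetection |
            Where-Object { $_.ThreatID -in $threats.ThreatID } |
            Select-Object InitialDetectionTime, ThreatID, Resources
    }
}

Get-AuthRootState | Format-Table -AutoSize
$fix = Get-DefenderFixState
$fix
if (-not $fix.HasFix) {
    Write-Warning "Signatures $($fix.InstalledSignatures) predate $fixedVersion; run Update-MpSignature before trusting the store contents."
}
Get-CerdigentDetections
```

A missing AuthRoot entry on a host whose signatures are still older than 1.449.430.0 is consistent with the false positive described here, not with an infection. Note also that AuthRoot is populated by the Windows automatic root update mechanism, so on machines where that is enabled a removed root can be fetched again the next time a chain needs it, and the entry may already be back by the time you look.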
Recent DigiCert Breach
The false positives come shortly after DigiCert disclosed a security incident in which threat actors obtained valid code-signing certificates and used them to sign malware. The intrusion began with malware delivered to a member of DigiCert's customer support team; DigiCert says the threat was contained once it was detected.
DigiCert's incident report explains that the threat actor was able to obtain initialization codes for a limited number of code-signing certificates, some of which were then used to sign malware. The identified certificates were revoked within 24 hours of discovery, with the revocation date set to their date of issuance, so that every signature ever made with them, timestamped or not, is treated as invalid by verifiers that check revocation.
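To see what a backdated revocation looks like from the verifier's side, here is an added PowerShell check (not from DigiCert's report or the article) that reads a file's Authenticode signature and then builds the signer's chain with online revocation checking. The file path is a placeholder; any signed executable will do, and a binary signed with one of the revoked certificates would report Revoked in the chain status regardless of its countersignature timestamp, because the revocation date precedes the signing time.

```powershell
# Added example: report whether a signed file's signer certificate has been
# revoked, independent of the timestamp carried in the signature.

function Test-SignerRevocation {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path = $Path; AuthStatus = $sig.Status; Revoked = $false; Detail = 'no signer certificate'
        }
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # fetch CRL/OCSP, do not rely on the cache only
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    # Verify as of now. A revocation dated at issuance predates any signature or
    # countersignature time, so it applies no matter what time the signature claims.
    $chain.ChainPolicy.VerificationTime = Get-Date
    $built = $chain.Build($sig.SignerCertificate)

    $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status.HasFlag($revokedFlag) })
    $errors  = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
    $chain.Dispose()

    [pscustomobject]@{
        Path        = $Path
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        NotBefore   = $sig.SignerCertificate.NotBefore
        Timestamped = [bool]$sig.TimeStamperCertificate
        AuthStatus  = $sig.Status          # Windows' own Authenticode verdict
        ChainValid  = $built
        Revoked     = $revoked
        ChainErrors = $errors
    }
}

# Placeholder target: replace with the file under investigation.
Test-SignerRevocation -Path "$env:SystemRoot\System32\notepad.exe" | Format-List

# Sweep a download folder and keep only files whose signer is revoked.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignerRevocation -Path $_.FullName } |
    Where-Object Revoked
```

The AuthStatus field is what Windows itself concluded about the signature; the chain build adds an explicit, current revocation check on the signer. Revocation information is only as current as the CRL or OCSP response the host can reach, so run this from a network that can fetch DigiCert's revocation endpoints.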
Attackers' Tactics
Attackers targeted the company's support staff in early April with support messages containing a malicious ZIP file disguised as a screenshot. After multiple blocked attempts, one support analyst's device was compromised, followed by a second system that went undetected for a time because of a gap in endpoint protection sensor coverage.
Using that foothold in the support environment, the attacker abused a feature of DigiCert's internal support portal that lets support staff view a customer's account as the customer sees it. Although limited in scope, this access exposed the initialization codes for EV code-signing certificate orders that had already been approved but not yet delivered.
Revoked Certificates and Malware Campaign
DigiCert says it revoked 60 code-signing certificates, including 27 linked to a Zhong Stealer malware campaign. Researchers, including Squiblydoo, MalwareHunterTeam, and g0njxa, reported that certificates issued to well-known companies such as Lenovo, Kingston, Shuttle Inc, and Palit Microsystems were being used to sign malware.
The malware in this campaign is tracked as Zhong Stealer, though analysis indicates it behaves more like a remote access trojan (RAT) than an infostealer. The researchers describe an infection chain of phishing emails, a first-stage executable that displays a decoy image, a second-stage payload retrieved from cloud storage, and signed binaries and loaders, including components tied to legitimate vendors.
After DigiCert disclosed the incident, the researchers said the incident report explains how the certificates used in these malware campaigns were obtained. Note that the certificates flagged by Microsoft Defender are root certificates in the Windows trust store; they are not the revoked DigiCert code-signing certificates that were used to sign malware, and their removal was a false positive rather than a sign of infection.
Microsoft confirmed that the false positives were linked to detections for compromised certificates from a recent DigiCert breach. "Following reports of compromised certificates, Microsoft Defender immediately added detections for malware in our Defender Antivirus Software to help keep customers protected."
"Earlier today, we determined false positive alerts were mistakenly triggered and updated the alert logic," Microsoft told BleepingComputer. "Microsoft Defender suppressed and cleaned up the alerts for customer environments. Customers should update to Security Intelligence version 1.449.430.0 or later, but do not need to take additional action for these alerts."
Source: BleepingComputer