
Microsoft Defender Flags DigiCert Certificates as Malware in False Positives


"The identified certificates were revoked within 24 hours of discovery and the revocation date set to their date of issuance," DigiCert wrote in its incident report.

Microsoft Defender's false positives and immediate impact

Microsoft Defender began flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha after a signature update rolled out on April 30, according to cybersecurity expert Florian Roth. Administrators worldwide reported alerts and, on affected systems, removal of the flagged certificates from the Windows trust store. The false positives prompted some users to conclude their devices were infected; several owners reportedly reinstalled Windows to be safe.

Which certificates were flagged and where they were removed

A Reddit post collecting reports of the false positives listed two certificate fingerprints as detected by Defender:

  • 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  • DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

On impacted systems, those root certificate entries were removed from the AuthRoot store under the Registry key:

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\

How and when Microsoft addressed the problem

Microsoft reportedly fixed the detections in Security Intelligence update version 1.449.430.0. The most recent update at the time of reporting is 1.449.431.0. Other Reddit reports indicate the fix also restores previously removed certificates on affected systems. The updates will install automatically; users can force an update via Windows Security > Virus and threat protection > Protection updates, then click Check for Updates.

The possible DigiCert connection

The Defender false positives surfaced shortly after DigiCert disclosed a security incident in which threat actors obtained initialization codes for a limited number of code-signing certificates. DigiCert described the intrusion this way: a malware-laden ZIP file disguised as a screenshot targeted a customer support team member, ultimately compromising one support analyst’s device and later a second system that went undetected because of an endpoint protection "sensor gap."

DigiCert said the attacker used a support-portal feature that allowed staff to view customer accounts from the customer’s perspective and thereby exposed initialization codes tied to previously approved, but undelivered, EV code-signing certificate orders. "Possession of an initialization code, combined with an approved order, is sufficient to obtain the resulting certificate," DigiCert explained.

DigiCert reported it revoked 60 code-signing certificates, including 27 that were linked to malware. Security researchers had already observed newly issued DigiCert EV certificates used in malware campaigns before DigiCert publicly disclosed the incident. Researchers named in reporting include Squiblydoo, MalwareHunterTeam, and g0njxa; Squiblydoo posted that EV certificates for companies such as Lenovo, Kingston, Shuttle Inc, and Palit Microsystems were used by a group the researcher labeled "#GoldenEyeDog (#APT-Q-27)." The malware in that campaign has been called "Zhong Stealer," though analysis noted it may behave more like a remote access trojan (RAT) than a simple infostealer.

Microsoft has not confirmed that the Defender detections were caused by the DigiCert incident; the timing and the focus on DigiCert-related certificates suggest a possible connection. It is also notable that the certificates Defender flagged were root certificates in the Windows trust store and do not match the revoked DigiCert code-signing certificates that researchers tied to malware.

What this means for security teams, enterprises, and end users

  • Security teams: Validate trust-store contents and confirm whether automatic remediation restored certificates after the Security Intelligence update; review audit logs for removal and restoration events and correlate them with the April 30 signature deployment referenced by Florian Roth.
  • Enterprises and procurement leaders: Where code-signing and EV certificates are in use, verify revocation lists and certificate inventories—DigiCert reported revoking 60 certificates and cancelling pending orders within the window of interest.
  • End users: If you saw Defender alerts for Trojan:Win32/Cerdigent.A!dha, check that Security Intelligence has updated to 1.449.430.0 or later and use Windows Security > Virus and threat protection > Protection updates > Check for Updates to force the fix; several reports indicate the update restores removed root certificates.
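The registry path quoted earlier and the checklist above for security teams and end users translate into a short verification script. The following PowerShell is an added example written for this page, not a script published by Microsoft, DigiCert or the original reporting. It assumes an elevated PowerShell session on a Windows host with the Defender cmdlets (Get-MpComputerStatus, Get-MpThreat, Get-MpThreatDetection, Update-MpSignature) available; the two thumbprints are the ones from the Reddit report, the 1.449.430.0 version is the one the article names as the fix, and event IDs 1116 and 1117 are the standard Defender "threat detected" and "action taken" events in the Microsoft-Windows-Windows Defender/Operational log.

```powershell
# Added example (not from the article, Microsoft or DigiCert): confirm on one host
# (a) that Security Intelligence is at or past the version that dropped the
#     Trojan:Win32/Cerdigent.A!dha signature,
# (b) whether Defender logged that detection here, and
# (c) whether the two flagged root certificates are present in AuthRoot again.
# Assumes an elevated PowerShell session with the Defender module installed.

$FlaggedThumbprints = @(                      # thumbprints from the Reddit report
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
$FixedSignatureVersion = [version]'1.449.430.0'   # version the article says fixed the detection
$AuthRootRegPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
$DefenderLog     = 'Microsoft-Windows-Windows Defender/Operational'

# (a) Signature version check; force an update if the host is still on the bad signature
$status     = Get-MpComputerStatus
$sigVersion = [version]$status.AntivirusSignatureVersion
$sigOk      = $sigVersion -ge $FixedSignatureVersion
"Security Intelligence version: $sigVersion  (contains fix: $sigOk)"
if (-not $sigOk) {
    'Signature version predates the fix; requesting an update with Update-MpSignature'
    Update-MpSignature
}

# (b) Did Defender record the Cerdigent detection on this host, and what did it act on?
$cerdigentThreats = Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' }
if (-not $cerdigentThreats) {
    'No Cerdigent detection in Defender threat history'
}
foreach ($threat in $cerdigentThreats) {
    foreach ($det in (Get-MpThreatDetection -ThreatID $threat.ThreatID)) {
        "Detection: $($threat.ThreatName) at $($det.InitialDetectionTime)"
        "  resources: $($det.Resources -join ', ')"
    }
}

# Matching operational-log events (1116 = detected, 1117 = action taken) for audit correlation
$events = Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 1116, 1117 } `
          -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like '*Cerdigent*' }
foreach ($ev in $events) {
    "Event $($ev.Id) at $($ev.TimeCreated): $(($ev.Message -split "`n")[0])"
}

# (c) Are the flagged roots present in the AuthRoot store and its registry backing?
$authRoot = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot
foreach ($tp in $FlaggedThumbprints) {
    $cert  = $authRoot | Where-Object { $_.Thumbprint -eq $tp }
    $inReg = Test-Path -Path (Join-Path $AuthRootRegPath $tp)
    "$tp  in AuthRoot store: $([bool]$cert)  registry entry: $inReg"
    if ($cert) { "  subject: $($cert.Subject)  expires: $($cert.NotAfter)" }
}
```

One caveat on step (c): AuthRoot is populated by the Windows automatic root update as certificates are needed, so a thumbprint missing from AuthRoot on a host that never chained to that root is not by itself evidence that Defender removed it. Compare the output against a host that was never on the April 30 signature, and treat a Cerdigent entry in threat history or the 1117 events as the actual evidence of removal.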

The episode highlights two linked realities reported in the record: a supply-chain–adjacent compromise at a certificate authority that allowed attackers to obtain code-signing material, and a defensive detection update that briefly mislabeled trusted root certificates, causing disruptive false positives. Microsoft’s remedial signature updates and DigiCert’s revocations addressed the immediate technical problems; questions remain about how forged or misissued code-signing assets were detected in the wild and whether Defender’s initial signature decision traced back to indicators tied to DigiCert’s incident. For now, administrators should confirm update versions and certificate state on their systems.
