Microsoft Defender Antivirus flagged two legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha following a security intelligence update pushed April 30, and in remediating the “threat” removed the trusted certificates from the Windows AuthRoot store on affected machines worldwide.
The two flagged certificates, with SHA-1 thumbprints 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4, were deleted from the registry key that backs the AuthRoot store (HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates), one of the locations Windows consults when deciding whether a certificate chain is trusted. Administrators reported the removals on social media; some users, convinced their machines were infected, reinstalled their operating systems entirely.
The timing aligns with an actual DigiCert breach. In early April, a Chinese crime group identified by researchers as GoldenEyeDog (tracked as APT-Q-27) targeted DigiCert’s customer support staff with fake support-portal messages carrying a malicious ZIP file. After one analyst’s device was compromised and a second compromised device went undetected because of an endpoint protection “sensor gap,” the attackers accessed DigiCert’s internal support portal and obtained “initialization codes” for previously approved but undelivered EV code-signing certificate orders. Possessing both an initialization code and an approved order is enough to generate the resulting certificate, DigiCert explained.
DigiCert revoked 60 code-signing certificates in total. Of those, 27 were tied to a campaign distributing “Zhong Stealer” malware, signed under certificates nominally issued to Lenovo, Kingston, Shuttle Inc., and Palit Microsystems. Researchers Squiblydoo, MalwareHunterTeam, and g0njxa had flagged those certificates to DigiCert before the incident was publicly disclosed.
Microsoft patched the false-positive detection in Security Intelligence update 1.449.430.0, which also restores previously deleted certificates on affected systems. The company hasn’t confirmed whether the Defender detection was a direct response to the DigiCert breach. BleepingComputer contacted Microsoft for comment before publication.
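For administrators who want to confirm whether a machine was hit and whether the fix has landed, the following PowerShell check is an added example written for this article, not a script from Microsoft or DigiCert. It uses only the two thumbprints and the update version quoted above; the Defender cmdlets (Get-MpComputerStatus, Get-MpThreat) ship with the Defender PowerShell module on supported Windows versions.

```powershell
# Added example (not from the article): verify the Defender security intelligence
# version is at or past the build that fixed the false positive, list any Cerdigent
# detections Defender still records, and check whether the two DigiCert roots named
# in the report are present in both the AuthRoot store and its backing registry key.

# Thumbprints of the two affected DigiCert root certificates, as quoted in the report.
$expected = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)

# Security intelligence build in which Microsoft says the detection was corrected.
$fixed = [version]'1.449.430.0'
$sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($sigVersion -lt $fixed) {
    Write-Warning "Security intelligence $sigVersion predates $fixed; run Update-MpSignature, then re-check."
} else {
    Write-Host "Security intelligence $sigVersion (includes the fix)"
}

# Any detection Defender recorded under the Cerdigent name shows the machine was affected.
Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' } |
    Select-Object ThreatName, IsActive, SeverityID

foreach ($tp in $expected) {
    # The certificate-store view of AuthRoot ...
    $inStore = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
        Where-Object { $_.Thumbprint -eq $tp }

    # ... and the registry key that backs it, which is where the detection deleted entries.
    $regPath = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\$tp"
    $inReg = Test-Path -Path $regPath

    [pscustomobject]@{
        Thumbprint = $tp
        Subject    = if ($inStore) { $inStore.Subject } else { '(not present)' }
        InStore    = [bool]$inStore
        InRegistry = $inReg
    }
}
```

One caveat when reading the output: Windows populates AuthRoot lazily through the automatic root update mechanism, so a root that has never been needed on a given machine may be absent without anything having been deleted. The combination of a Cerdigent entry in Get-MpThreat and a missing thumbprint is the signal to act on; per the article, updating to 1.449.430.0 or later should restore the deleted entries, and re-running the check after Update-MpSignature confirms it.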
— James Okafor