Microsoft Defender Misflags DigiCert Certificates as Malware, Causing Widespread Alerts
Severity: High (Score: 60.6)
Sources: Bleepingcomputer, Cybersecuritynews, www.microsoft.com, bugzilla.mozilla.org, Neowin
Summary
Microsoft Defender has erroneously flagged legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha following a faulty signature update released on April 30, 2026. The result has been widespread false-positive alerts: many users believed their systems were infected, and some went as far as reinstalling their operating systems. The faulty detection followed a security incident at DigiCert in which a threat actor gained access to internal support systems and obtained initialization codes for a limited number of code-signing certificates. DigiCert has since revoked 60 certificates linked to the incident, which had been used to sign malware. Microsoft has issued a fix in Security Intelligence update version 1.449.431.0, which restores the previously removed certificates. Users are advised to manually check for updates to confirm that the corrected definitions are installed. The incident highlights the critical role of code-signing certificates in maintaining trust in software.

Key Points
• Microsoft Defender's false positives stem from a faulty signature update, affecting legitimate DigiCert certificates.
• A security incident at DigiCert allowed a threat actor to misuse code-signing certificates.
• Microsoft has released a fix to restore the affected certificates and mitigate the issue.
Key Entities
- Apt-q-27 (apt_group)
- GoldenEyeDog (apt_group)
- Malware (attack_type)
- DigiCert (company)
- Cerdigent (malware)
- Trojan:Win32/Cerdigent.A!dha (malware)
- Zhong Stealer (malware)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- Windows (platform)