Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha
Microsoft Defender flagged legitimate DigiCert root certificates as malware after a threat signature update on April 30, causing false positives and removals from the Windows trust store. Two root certificates were reportedly affected, and Microsoft rolled out fixes in Security Intelligence updates (1.449.430.0, then 1.449.431.0) that install automatically or can be applied manually. The incident occurred in the context of a DigiCert breach and is discussed as a potential link, though the flagged root certificates are different from the revoked code-signing certificates.

Microsoft Defender False Positives: DigiCert Root Certificates Flagged as Trojan
Overview
Microsoft Defender began flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, triggering widespread false-positive alerts. In some cases, the affected certificates were removed from the Windows trust store, causing disruption for systems that rely on DigiCert’s root certificates for SSL/TLS and code verification. The issue surfaced after Defender’s threat signatures were updated at the end of April, prompting confusion and concern among system administrators and end users around the globe.
What Happened
- A Defender signature update on April 30 introduced detections for Trojan:Win32/Cerdigent.A!dha that mistakenly identified certain DigiCert root certificates as malicious.
- Following the update, administrators reported that DigiCert root certificate entries were being flagged as malware, with some installations showing removal from the Windows trust store.
- The false positives were observed in real-world environments as changes propagated through endpoints, leading to uncertainty about device health and certificate trust.
Certificates Involved
- The detections targeted specific root certificates that DigiCert places in the Windows AuthRoot store. Reported examples of the impacted certificate fingerprints (SHA-1 thumbprints) include:
  - 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  - DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
- On affected machines, these entries were removed from the AuthRoot store under the registry path: HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
- The removals and false positives caused concern among users who rely on DigiCert for trust anchors and secure software signing.
Defender Response and Fix
- Microsoft Defender issued a security intelligence update to address the false positives. The fix was rolled out in update version 1.449.430.0, with a subsequent revision to 1.449.431.0.
- Reports from administrators indicated that the update stabilized detection, and previously removed certificates were restored on systems where the false positives had caused removals.
- Windows users could observe the change through the standard update mechanism:
  - Defender updates install automatically
  - Manual check: Windows Security > Virus & threat protection > Protection updates > Check for Updates
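A check an administrator could run after applying the fix, added here as an example and not taken from the article or from Microsoft: it confirms that the Defender signature version is at or beyond the fixed build named above, that both reported thumbprints are present in the AuthRoot store (via the Cert: drive and the registry key the store is backed by), and lists any Defender threat records whose name contains "Cerdigent". It assumes an elevated session on the Windows host being checked.

```powershell
# Added example (not from the original article or from Microsoft).
# Run in an elevated PowerShell session on the host being checked.

$FixedSignatureVersion = [version]'1.449.431.0'   # fixed build named in the reports
$ExpectedThumbprints = @(                          # thumbprints quoted in the reports
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)

# 1. Defender signature version: Get-MpComputerStatus is part of the Defender module.
$sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($sigVersion -lt $FixedSignatureVersion) {
    Write-Warning "Signature version $sigVersion predates the fix ($FixedSignatureVersion); run Update-MpSignature."
} else {
    Write-Output "Signature version $sigVersion includes the fix."
}

# 2. Presence of each root certificate, checked through the Cert: drive and through
#    the registry location under which the removals were reported.
$registryBase = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
foreach ($thumbprint in $ExpectedThumbprints) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
        Where-Object { $_.Thumbprint -eq $thumbprint }
    $regKeyPresent = Test-Path -Path (Join-Path $registryBase $thumbprint)

    if ($cert -and $regKeyPresent) {
        Write-Output "OK       $thumbprint  $($cert.Subject)"
    } elseif ($cert -or $regKeyPresent) {
        Write-Warning "PARTIAL  $thumbprint  store=$([bool]$cert) registry=$regKeyPresent"
    } else {
        Write-Warning "MISSING  $thumbprint  (not in AuthRoot on this host)"
    }
}

# 3. Threat records Defender still holds for the false-positive signature, for triage.
Get-MpThreat |
    Where-Object { $_.ThreatName -like '*Cerdigent*' } |
    Select-Object ThreatName, IsActive, SeverityID
```

AuthRoot entries are fetched on demand from the Windows certificate trust list, so a MISSING result on a host that never needed that root is not by itself evidence of a Defender removal; compare against a known-good host before treating it as an incident.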
Context and Possible Link to DigiCert Incident
- The timing of the false positives coincided with a recently disclosed DigiCert security incident, which involved threat actors obtaining initialization codes for a limited set of EV code-signing certificates used to sign malware.
- DigiCert’s incident report described:
  - Targeting of a customer support team member, with threat activity contained after detection.
  - An attacker obtaining initialization codes for EV code-signing certificates and using them to sign malware.
  - Revocation of the identified certificates within 24 hours of discovery; several related certificates were revoked and orders canceled as a precaution.
- DigiCert indicated that initial access occurred via support staff and internal tools that exposed initialization codes tied to approved but undelivered EV certificate orders. They revoked 60 code-signing certificates in connection with the incident.
Zhong Stealer Campaign and Certificate Usage
- Independent researchers noted that EV certificates previously issued to well-known vendors were being observed in malware campaigns, particularly in campaigns attributed to a Chinese threat actor group known as Zhong Stealer (also associated with #GoldenEyeDog or APT-Q-27).
- The malware campaign, nicknamed Zhong Stealer by researchers, has characteristics suggesting a RAT-like capability rather than a simple information stealer. Researchers highlighted signs that attackers used legitimate code-signing certificates to sign and distribute malicious payloads.
- How the campaign operated (as described by researchers):
  - Phishing emails delivered a fake image or screenshot
  - A first-stage executable displayed a decoy image
  - A second-stage payload was retrieved from cloud storage (for example, AWS)
  - Attackers used signed binaries and loaders, taking advantage of certificates issued to legitimate vendors
Implications and Takeaways
- The incident underscores the complexity of navigating trust in digital certificates and the potential for misclassification when security tooling misidentifies legitimate artifacts as threats.
- The DigiCert breach provides context for a broader trend in which threat actors exploit trusted certificates to sign malware, complicating detection and trust models for security products and enterprise environments.
- Root certificates in the Windows trust store, while critical for establishing a baseline of trust, present a potential surface for false positives and unintended removals if detection logic misreads legitimate signing activities.
- The rapid response from Microsoft Defender—updates that fix misclassifications and restore trust anchors—illustrates the importance of timely threat intelligence and automated remediation in reducing disruption to users and organizations.
Related Context and Observations
- The Defender false positives appeared across multiple reports and user posts, including discussions on community forums where IT professionals shared observations about certificate removals and remediation timelines.
- The DigiCert incident report provides a window into how threat actors can leverage access to internal processes and initialization codes to obtain EV code-signing certificates. This highlights the risk that even trusted certificate authorities face when internal access controls are compromised.
- While the certificates flagged by Defender in this incident were root certificates in the Windows trust store (not EV code-signing certificates), the broader phenomenon raises questions about how security tools validate certificate chains and how trust stores are protected against inadvertent removals.
Conclusion
The episode of Microsoft Defender false positives targeting DigiCert root certificates is a notable example of the delicate balance between vigilant threat detection and maintaining a stable, trusted software ecosystem. The rapid mitigation through Defender’s security intelligence updates helped restore normal operations and re-establish trust in the Windows certificate store. As supply chain and signing-related threats continue to evolve, ongoing collaboration among certificate authorities, operating system vendors, and security product developers remains essential to minimize disruption while preserving strong security guarantees for end users.