Microsoft Defender Misidentifies DigiCert Certificates As Malware, Triggering Global Disruptions


A significant technical malfunction in Microsoft Defender has triggered widespread alarm across the global cybersecurity community, after the platform mistakenly identified legitimate digital certificates issued by DigiCert as malicious software. The error, which surfaced in late April, led to false-positive detections labeled Trojan:Win32/Cerdigent.A!dha and, in some cases, the automatic removal of critical certificates from Windows systems.

False Positives Spark Global Concern

The issue first emerged following a routine security intelligence update rolled out on April 30. Shortly afterward, system administrators and IT professionals across multiple regions began reporting anomalous alerts. These warnings indicated that trusted DigiCert root certificates—essential components of secure internet communication—were being flagged as trojans.

It appears the detections coincided precisely with the Defender signature update. As reports multiplied, it became clear that the problem was not isolated but affecting enterprise environments, managed networks, and individual users alike.

On impacted machines, the flagged certificates were not only detected but also removed from the Windows trust store, specifically within the system registry path:

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

The removal of these certificates can disrupt secure connections, software validation, and encrypted communications—core functions of modern operating systems.

User Reactions and Operational Impact

The sudden appearance of malware alerts tied to trusted certificates caused widespread confusion. In online forums such as Reddit, users shared screenshots of Defender warnings and detailed their attempts to mitigate what they believed to be active infections.

Some individuals and organizations took drastic measures, including full operating system reinstalls, fearing a deeper compromise. For enterprise environments, the issue posed a more serious risk, potentially interrupting secure communications, breaking application trust chains, and complicating compliance requirements.

Two certificate thumbprints were repeatedly cited in user reports:

  • 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  • DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

Both were legitimate DigiCert root certificates, not associated with malware.

Microsoft Responds with Emergency Update

Microsoft has since addressed the issue through updated Defender signatures. The corrected definitions were included in Security Intelligence version 1.449.430.0, followed by a newer release, version 1.449.431.0.

These updates not only stop the erroneous detections but, according to user reports, also restore previously removed certificates automatically. Systems configured for automatic updates should already be receiving the fix, while manual updates can be triggered via:

Windows Security → Virus & Threat Protection → Protection Updates → Check for Updates
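For administrators who want to confirm the fix on a given machine rather than rely on the UI, the following PowerShell script is an added example (not from the article, Microsoft, or DigiCert). It checks that the installed Defender signature version is at or past the corrected release named above, verifies that the two DigiCert root thumbprints cited in user reports are still present in the trust store, and lists any detections Defender recorded under the Cerdigent name. It assumes a Windows host with the built-in Defender PowerShell module and an elevated session.

```powershell
# Added example: verify the Defender fix and the two DigiCert roots cited above.
# Assumes Windows with the Defender module (Get-MpComputerStatus etc.); run elevated.

# Thumbprints repeatedly cited in user reports (both legitimate DigiCert roots).
$Thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
# First Security Intelligence version that carries the corrected definitions.
$FixedVersion = [version]'1.449.430.0'

# 1. Is the installed signature set at or past the corrected release?
$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($current -lt $FixedVersion) {
    Write-Warning "Signature $current predates the fix ($FixedVersion); updating now."
    Update-MpSignature   # same action as Windows Security -> Check for updates
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
Write-Host "Defender signature version: $current"

# 2. Are the roots still trusted? Windows keeps roots in both the Root and the
#    AuthRoot store; AuthRoot is filled on demand by the automatic root update,
#    so absence from AuthRoot alone is not proof of removal. Check both stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'
foreach ($tp in $Thumbprints) {
    $found = @(Get-ChildItem -Path $stores | Where-Object { $_.Thumbprint -eq $tp })
    if ($found.Count -gt 0) {
        Write-Host "OK       $tp  $($found[0].Subject)"
    } else {
        Write-Warning "MISSING  $tp  (not in Root or AuthRoot; review Defender history)"
    }
}

# 3. What did Defender actually do under the Cerdigent name on this host?
#    Resources holds the path of each detected item, e.g. the AuthRoot registry key.
Get-MpThreat |
    Where-Object { $_.ThreatName -like '*Cerdigent*' } |
    Select-Object ThreatName, @{ n = 'Resources'; e = { $_.Resources -join '; ' } }
```

If a root is reported missing after the signature update, the automatic root update will usually repopulate it the next time a chain is built against it; a machine that cannot reach Windows Update needs the root restored from a known-good copy.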

Despite the resolution, the incident has raised concerns about the reliability of automated threat detection systems and the potential consequences of false positives at scale.

Possible Connection to DigiCert Security Incident

The timing of the Defender malfunction has drawn attention due to its proximity to a recently disclosed security breach at DigiCert. While Microsoft has not officially confirmed any link, there may be a plausible connection.

In its incident report, DigiCert revealed that attackers targeted its internal support systems in early April. The breach began with phishing attempts aimed at customer support staff, involving malicious ZIP files disguised as screenshots. After multiple failed attempts, attackers successfully compromised one support analyst’s workstation and later gained access to another system due to what DigiCert described as an endpoint protection “sensor gap.”

Once inside, the attackers exploited a support portal feature that allowed staff to view customer accounts. This access enabled them to retrieve “initialization codes” tied to pre-approved code-signing certificate requests.

“Possession of an initialization code, combined with an approved order, is sufficient to obtain the resulting certificate.”

Using this method, threat actors obtained a limited number of Extended Validation (EV) code-signing certificates. DigiCert later confirmed that 60 certificates were revoked, including 27 that had already been used to sign malicious software.

Malware Campaigns and Abuse of Trusted Certificates

Even before DigiCert publicly disclosed the breach, security researchers had observed suspicious activity involving newly issued certificates. Analysts such as Squiblydoo, MalwareHunterTeam, and g0njxa reported that certificates associated with major hardware brands—including Lenovo, Kingston, Shuttle Inc., and Palit Microsystems—were being misused.

The campaign has been linked to a threat group identified as “GoldenEyeDog” (APT-Q-27), believed to be operating out of China.

The malware involved, dubbed “Zhong Stealer,” appears to function more like a remote access trojan (RAT) than a traditional information stealer. Its attack chain includes:

  • Phishing emails containing fake images or screenshots
  • Execution of a first-stage payload displaying decoy content
  • Retrieval of additional malware from cloud services such as AWS
  • Use of digitally signed binaries to evade detection

The use of valid certificates significantly increases the effectiveness of such campaigns, allowing malicious files to bypass security warnings and appear trustworthy to users and systems.

No Direct Match—But Lingering Questions

Despite the overlap in timing, the certificates flagged by Microsoft Defender differ from those compromised in the DigiCert breach. The Defender issue involved root certificates in the Windows trust store, whereas the breach concerned EV code-signing certificates issued to customers.

This distinction suggests that the false positives may not be a direct response to the breach but could stem from overly aggressive detection logic or heuristic adjustments made in its aftermath.

Still, the coincidence has fueled speculation within the cybersecurity community about whether Microsoft’s detection algorithms were updated in response to the DigiCert incident and inadvertently affected unrelated certificates.

Broader Implications for Cybersecurity

This episode highlights the delicate balance between proactive threat detection and operational stability. While rapid updates are essential to counter emerging threats, errors in signature definitions can have cascading effects—especially when they impact foundational security components like root certificates.

For organizations, the incident underscores the importance of layered security strategies, including monitoring, backup validation mechanisms, and the ability to quickly respond to false positives.

As both Microsoft and DigiCert continue to investigate their respective incidents, the broader industry is left grappling with the challenges of maintaining trust in an increasingly complex digital ecosystem.
