Windows “Cerdigent” Threat Warnings Spread, But Many May Be False Positives
Issue traced to misissued DigiCert code-signing certificates
Microsoft Defender is warning users about a threat labeled “Cerdigent” on Windows systems, but early analysis suggests many of these alerts may not reflect real infections.
The detections appeared across multiple systems globally, raising concerns among users and IT admins. However, the issue seems linked to a broader certificate security incident rather than a newly spreading malware strain.
Certificate breach behind the alerts
The root cause traces back to a breach involving DigiCert, a major certificate authority responsible for issuing trusted digital certificates.
An attacker reportedly compromised the machine of a DigiCert support employee and, through it, gained access to the initialization codes used in certificate issuance. With that access the attacker was able to have real code-signing certificates issued, chaining to DigiCert's trusted root, rather than forging anything.
Anything signed with those certificates therefore validated like any other legitimately signed binary. Windows and security tools gave it the benefit of the doubt reserved for signed software, and the usual checks that catch unsigned or self-signed binaries did not apply.
Malware signed as legitimate software
The attacker used the fraudulently issued certificates to sign malware known as Zhong Stealer. Because the files carried valid signatures chaining to a trusted certificate authority, systems treated them as software from a legitimate publisher rather than as unknown binaries.
This tactic blurs the line between legitimate and malicious software, making detection significantly harder for antivirus tools.
Microsoft Defender’s “Cerdigent” detection appears to flag activity related to this certificate abuse rather than identifying a distinct malware family.
DigiCert revokes affected certificates
DigiCert responded by revoking 60 certificates in total: 27 directly tied to the attacker's activity, and another 33 pulled as a precaution. Revocation limits further abuse, but files signed with any of the 60 may keep triggering alerts until Defender definitions and the revocation information (CRL and OCSP responses) have propagated to every endpoint.
Why the alerts may be false positives
Many of the current "Cerdigent" warnings appear to stem from files whose signing certificate has since been revoked. The signatures on those files have not changed; what changed is that the certificate behind them is no longer valid.
That shift makes previously accepted files look suspicious, prompts security tools to flag them retroactively, and produces alerts on systems that have no active compromise. Which certificate signed a given file matters: a file signed with one of the 33 certificates DigiCert revoked as a precaution is most likely a legitimate product whose vendor now has to re-sign it, whereas a file signed with one of the 27 attacker-linked certificates should be treated as hostile until proven otherwise. As a result, users may encounter warnings despite having no actual malware on their devices.
What users should do now
Users and administrators should take a measured approach:
- Monitor updates from Microsoft and security vendors
- Wait for updated Defender signatures and clarifications
- Avoid deleting flagged files until they are confirmed malicious; quarantine is reversible, deletion is not
- Check for other signs of compromise, such as unexpected processes, new persistence entries, or unexplained outbound connections and data transfers
Panic-driven actions could disrupt normal system operations without improving security.
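The triage the list above describes can be done from an elevated PowerShell session. The script below is an added example written for this article, not code from Microsoft or DigiCert. It pulls recent Defender detections whose threat name matches a pattern (here "Cerdigent"), then for each flagged file reads the Authenticode signature and checks the signer certificate's revocation status online, so an admin can tell a revoked-but-otherwise-intact signature from an unsigned or tampered file. Assumptions: the Defender PowerShell module (Get-MpThreat, Get-MpThreatDetection) is available, Defender reports file resources as strings of the form `file:_<path>`, and the endpoint can reach the CA's CRL/OCSP endpoints.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added triage example (not from the article). Run as Administrator on the affected host.
# Assumes the Defender module is present and that detection resources look like "file:_C:\...".
$DetectionNamePattern = 'Cerdigent'

function Get-FlaggedFiles {
    param([string]$Pattern)
    # Get-MpThreatDetection carries only a ThreatID; map it to a threat name via Get-MpThreat.
    $names = @{}
    foreach ($t in Get-MpThreat) { $names[$t.ThreatID] = $t.ThreatName }

    foreach ($det in Get-MpThreatDetection) {
        $name = $names[$det.ThreatID]
        if ($name -notmatch $Pattern) { continue }
        foreach ($res in $det.Resources) {
            # Assumed resource format: "file:_C:\path\to\file.exe"
            if ($res -match '^file:_(.+)$') {
                [pscustomobject]@{
                    ThreatName = $name
                    Detected   = $det.InitialDetectionTime
                    Path       = $Matches[1]
                }
            }
        }
    }
}

function Get-SignerRevocationStatus {
    param([X509Certificate2]$Cert)
    # Build the chain with online revocation checking so a revoked signer is reported
    # as "Revoked" rather than as a generic NotTrusted/UnknownError from Authenticode.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)
    if (-not $chain.ChainStatus) { return 'ChainOK' }
    foreach ($s in $chain.ChainStatus) {
        if ($s.Status -band [X509ChainStatusFlags]::Revoked) { return 'Revoked' }
    }
    # Some other chain problem (offline revocation, untrusted root, expiry, ...): report it verbatim.
    return (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
}

Get-FlaggedFiles -Pattern $DetectionNamePattern | ForEach-Object {
    $entry = $_
    if (-not (Test-Path -LiteralPath $entry.Path)) {
        [pscustomobject]@{ Path = $entry.Path; Detected = $entry.Detected; Note = 'file no longer present (quarantined or removed)' }
        return
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $entry.Path
    $signer = $sig.SignerCertificate
    [pscustomobject]@{
        Path          = $entry.Path
        Detected      = $entry.Detected
        SigStatus     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        StatusMessage = $sig.StatusMessage
        Signer        = if ($signer) { $signer.Subject }    else { '(unsigned)' }
        Issuer        = if ($signer) { $signer.Issuer }     else { '' }
        Thumbprint    = if ($signer) { $signer.Thumbprint } else { '' }
        Timestamped   = [bool]$sig.TimeStamperCertificate
        Revocation    = if ($signer) { Get-SignerRevocationStatus -Cert $signer } else { 'n/a' }
    }
} | Format-List
```

Read the output as follows. `HashMismatch` means the file was modified after signing and is suspect regardless of the certificate. A `Revocation` of `Revoked` with an otherwise intact signature is the pattern this article is about; compare the `Thumbprint` and `Signer` against the vendor's published certificate details to decide whether the file is a legitimate product that simply needs re-signing or one of the attacker-signed binaries. `Timestamped` matters because Windows evaluates a countersigned Authenticode signature as of the timestamp, so a file signed and timestamped before the revocation date the CA recorded keeps validating; the effective revocation date DigiCert set therefore decides which signed files continue to pass, not just the fact of revocation.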
Broader security implications
This incident highlights a key weakness in trust-based security systems. A code-signing certificate attests that a binary came from an identified publisher and has not been altered since signing; it does not attest that the binary is benign. When a CA issues one to an attacker, every control that treats "validly signed" as "trustworthy" is undermined at once.
Even a limited breach can therefore trigger widespread alerts and confusion across ecosystems that rely heavily on certificate validation, and cleaning up afterwards means revoking certificates that legitimate vendors were also using.
Microsoft recently warned about a high-risk Linux kernel vulnerability that could allow privilege escalation across multiple distributions. The company also fixed a crash affecting protected PDFs in Microsoft Edge and began blocking drivers used by Macrium Reflect due to security risks.
The “Cerdigent” situation adds to a growing list of security challenges, showing how even trusted infrastructure can become a vector for disruption.
Via Neowin