
Posted (edited)

Hello,
This is an evolving situation, but it appears that a legitimate root code-signing certificate issued by DigiCert was stolen by a threat actor for misuse. 

Microsoft is now detecting the stolen root code-signing certificate as "Trojan:Win32/Cerdigent.A!dha" in Microsoft Windows Defender, but the encyclopedia entry for it does not go into any details.

Computer security researcher Florian Roth has a discussion about it on Twitter here and an update here, and there is a somewhat technical discussion of the theft in Mozilla's bug tracking database here.  There's also an ongoing discussion on Reddit about it here.

At this point, there's not really a lot for most Windows users to do here.  This is, or at least was, a legitimate root code-signing certificate, so its presence on a system is not unexpected.  And just because it was found on a system does not mean the system has malware on it or was targeted by a threat actor.

I recommend monitoring the situation and waiting for additional clarification from Microsoft.

Regards,

Aryeh Goretsky
 

Edited by goretsky
updated to clarify type of certificate
