
Microsoft Defender Flags Cerdigent Trojan on Windows

Microsoft Defender flags Cerdigent Trojan on Windows after DigiCert certificate abuse, with many alerts likely false positives tied to revoked signing trust


Microsoft Defender has been flagging a threat labeled “Cerdigent” on Windows 11 and Windows Server systems worldwide, and the early evidence points to mis-issued digital certificates rather than a large active malware campaign. The alerts have appeared broadly enough to draw attention from users and security researchers, but the available information suggests many of the detections may be false alarms tied to signed software that now looks suspicious to Defender.

According to a report filed in Mozilla’s Bugzilla tracking system, the root of the issue is a security incident involving certificate authority DigiCert. The report says a threat actor gained limited access to DigiCert’s internal support systems after compromising a support analyst’s machine, then used initialisation codes for “a limited number of code signing certificates.”

Those codes, combined with approved orders, were enough to generate legitimate code-signing certificates that could make software appear trustworthy to Windows and to antivirus products such as Defender. That trust relationship matters here because code signing is meant to help systems separate approved software from malicious files, which also means a compromised certificate can blur that line without any obvious change to the software itself.

The result is an unusual detection pattern: software signed with the affected certificates can trigger Defender even when the alert does not point to a live infection on the device. Microsoft’s own threat database does little to expand on the label, beyond stating that “Cerdigent.A!dha can perform a number of actions of a malicious actor’s choice on your device.”

DigiCert’s revoked certificates and the malware link behind the detections

The Bugzilla report says 27 revoked certificates were explicitly linked to the threat actor. Of those, 11 were identified in certificate problem reports provided to DigiCert by community members who linked the certificates to malware, and 16 were identified during the company’s own investigation. In the same report, DigiCert said 33 of the 60 total certificates were revoked during its investigation as a precautionary measure.

The report also says the exploited certificates identified by community members were used to sign the “Zhong Stealer” malware family. That detail helps explain why Defender detections are appearing now, but it does not automatically mean every warning marks an active compromise on the affected Windows machine. The certificate abuse appears to be the central mechanism, and that mechanism can cause security tools to react to trust failures rather than to a newly running payload on the endpoint.


For users and administrators, that distinction matters because a warning tied to a revoked or mis-issued certificate can require a different response than a confirmed outbreak. In this case, the detection may reflect the aftermath of a signing trust problem, not necessarily an infection that is spreading across Windows 11 or Server PCs in real time.

Compromised code-signing trust can turn a malware alert into a false positive

Code-signing certificates sit at a sensitive point in the Windows trust model, so a problem in that layer can produce detections that look like malware activity even when the immediate issue is certificate validity. That is why this case can be harder to interpret than a straightforward Trojan report: the alert name sounds like an active threat, but the source material points to certificate abuse and revocation as the underlying trigger.

For now, the available information suggests many of the Cerdigent alerts may be false alarms rather than signs of active infection. The report also notes that signature corrections are often issued quickly in cases of widespread false positives, and that appears to be the likely direction here as security vendors continue to update their detections.

Possible steps

  • Check whether the Defender alert matches a recently signed file or installer.
  • Review vendor updates for revised signatures or false-positive corrections.
  • Compare the alert with known certificate revocation notices.
  • Treat the warning as unresolved until the detection label changes.
  • Monitor security vendor advisories for confirmation of false-positive handling.
  • Verify whether the flagged software came from a trusted distribution path.
  • Escalate the case if the device also shows signs beyond the Defender alert.
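The first three steps above can be worked through from a single elevated PowerShell session. The script below is an added example, not code from the original article or from Microsoft: it lists Defender detections whose threat name matches a filter, looks up the Authenticode signer of each flagged file, and builds the signer's certificate chain with online revocation checking so a revoked signing certificate shows up explicitly. It assumes a Windows 10/11 or Server host with the Defender PowerShell module; the `ThreatFilter` parameter name and the `Get-ChainRevocationStatus` helper are the example's own.

```powershell
# Added example (not from the article): triage Defender detections by inspecting the
# Authenticode signer of each flagged file and checking the signer's chain for revocation.
# Assumes an elevated session on Windows with the Defender module available.
param(
    [string]$ThreatFilter = 'Cerdigent'   # substring of the Defender threat name to triage
)

function Get-ChainRevocationStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with CRL/OCSP checking forced on for every certificate in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built    = $chain.Build($Cert)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    [pscustomobject]@{
        ChainBuilt = $built
        Revoked    = ($statuses -contains 'Revoked')
        # Unknown means the CRL/OCSP source was unreachable, not that the cert is fine.
        Unknown    = ($statuses -contains 'RevocationStatusUnknown' -or $statuses -contains 'OfflineRevocation')
        Status     = if ($statuses.Count -eq 0) { 'NoError' } else { $statuses -join ',' }
    }
}

function Get-DefenderSignerTriage {
    param([string]$Filter)
    # Get-MpThreatDetection carries only the numeric ThreatID; map it to a name.
    $threatNames = @{}
    Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

    Get-MpThreatDetection |
        Where-Object { $threatNames[$_.ThreatID] -like "*$Filter*" } |
        ForEach-Object {
            $det = $_
            # Resources are recorded as "file:_C:\path\to\file.exe"; keep only file entries.
            $files = $det.Resources | Where-Object { $_ -like 'file:_*' } | ForEach-Object { $_.Substring(6) }
            foreach ($path in $files) {
                $row = [ordered]@{
                    Detected    = $det.InitialDetectionTime
                    Threat      = $threatNames[$det.ThreatID]
                    Path        = $path
                    SigStatus   = 'FileMissing'   # Defender may already have quarantined it
                    Signer      = $null
                    Issuer      = $null
                    Thumbprint  = $null
                    Timestamped = $false
                    Revocation  = $null
                }
                if (Test-Path -LiteralPath $path) {
                    $sig = Get-AuthenticodeSignature -LiteralPath $path
                    $row.SigStatus = $sig.Status.ToString()
                    if ($sig.SignerCertificate) {
                        $row.Signer      = $sig.SignerCertificate.Subject
                        $row.Issuer      = $sig.SignerCertificate.Issuer
                        $row.Thumbprint  = $sig.SignerCertificate.Thumbprint
                        $row.Timestamped = [bool]$sig.TimeStamperCertificate
                        $row.Revocation  = (Get-ChainRevocationStatus -Cert $sig.SignerCertificate).Status
                    }
                }
                [pscustomobject]$row
            }
        }
}

# Emit one object per flagged file; pipe to Format-List or Export-Csv as needed.
Get-DefenderSignerTriage -Filter $ThreatFilter
```

Read the `Revocation` column rather than `SigStatus` alone: Authenticode honours a countersignature timestamp, so a file signed and timestamped before the certificate's revocation date can still report `Valid` from `Get-AuthenticodeSignature`, while the explicit chain build reports `Revoked`. A `Revoked` row with a DigiCert issuer is consistent with the certificate-trust explanation in the article, but it does not by itself prove the file is benign, and `RevocationStatusUnknown` or `OfflineRevocation` only means the revocation source could not be reached. Anything beyond the signature question, such as a file that arrived outside a trusted distribution path or a device showing other symptoms, still belongs in the escalation step above.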

Source: neowin.net

Written by Viktoras Jasinskas, Network & Infrastructure Expert

Areas covered: network diagnostics, VPN troubleshooting, DNS configuration, Wi-Fi connectivity, proxy and firewall issues.

Viktoras Jasinskas is a network and infrastructure expert covering connectivity issues for Windows home and business users. With a background in IT infrastructure, he approaches network problems methodically — isolating whether a fault lies in the OS network stack, driver layer, router configuration, or ISP. His guides address DNS failures, VPN connectivity problems, Wi-Fi drops, IP conflicts, proxy misconfigurations, and firewall rules that block legitimate traffic. Viktoras also contributes to the uGetFix news section, covering security vulnerabilities and network-related threat advisories.
