Anyone else seeing Microsoft #Defender flagging #DigiCert root certificate registry keys as malware?
We’ve seen reports that a Defender signature update from April 30 added a detection called:
Trojan:Win32/Cerdigent.A!dha
In some environments, Defender apparently detected DigiCert Root CA certificate registry entries and removed them from the trust store.
The affected cert hashes mentioned so far:
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
Example path:
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
There’s also a Reddit comment suggesting Microsoft has started restoring the certs and that admins can check this via Advanced Hunting in Defender:
DeviceRegistryEvents
| where RegistryKey contains "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
or RegistryKey contains "DDFB16CD4931C973A2037D3FC83A4D7D775D05E4"
| where ActionType == "RegistryKeyCreated"
| where Timestamp > datetime(2026-05-03T04:00:00)
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName
| order by Timestamp desc
On an affected device, this can also be checked with:
certutil -store AuthRoot | findstr -i "digicert"
Could become an annoying day for admins if this spreads
https://t.co/VflLyFgssp
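A fuller local check of the same two thumbprints, as an added example that is not part of the original post. It assumes the registry path and thumbprints quoted above, reads the LocalMachine AuthRoot and Root stores through the Cert: drive, and looks in Defender's threat list for the detection name mentioned in the post.

```powershell
# Added example (not from the original post): report whether the two DigiCert
# root thumbprints quoted above are still present on this machine.
# Run from an elevated PowerShell on the affected Windows host.
$Thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)

# Registry location from the post (the key Defender was reported to remove).
$AuthRootReg = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

$report = foreach ($tp in $Thumbprints) {
    # 1. Is the AuthRoot registry entry still there?
    $regPresent = Test-Path -Path (Join-Path -Path $AuthRootReg -ChildPath $tp)

    # 2. Is the certificate object visible in the AuthRoot and Root stores?
    $inAuthRoot = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
        Where-Object { $_.Thumbprint -eq $tp }
    $inRoot = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $tp }

    $subject = if ($inAuthRoot) { $inAuthRoot.Subject }
               elseif ($inRoot)  { $inRoot.Subject }
               else              { '(not present)' }

    [PSCustomObject]@{
        Thumbprint    = $tp
        Subject       = $subject
        RegistryKey   = $regPresent
        AuthRootStore = [bool]$inAuthRoot
        RootStore     = [bool]$inRoot
    }
}

$report | Format-Table -AutoSize

# 3. Did Defender on this host record the detection named in the post?
#    Get-MpThreat is part of the built-in Defender module; the name filter
#    is an assumption based on the detection name quoted above.
Get-MpThreat |
    Where-Object { $_.ThreatName -like '*Cerdigent*' } |
    Select-Object ThreatName, ThreatID, IsActive, DidThreatExecute, Resources
```

A row with RegistryKey False and both store columns False means the root is gone from the machine's trust store; if it later reappears with RegistryKey True, that matches the reports of Microsoft restoring the entries. The Get-MpThreat step only works where the Defender PowerShell module is present.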
The second vulnerability (CVE-2026-21510) bypasses security features such as the Microsoft Defender SmartScreen and executes attacker-controlled code, which is stored on the attacker's remote server.
An incomplete patch for CVE-2026-21510 (an #APT28 exploit) created a new zero-click vulnerability: CVE-2026-32202.
https://t.co/zkA6AXs2Uo
🚨 CVE-2026-3055 (CVSS 9.3), an unauthenticated memory over-read vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway appliances that could see active exploitation in the wild
Vulnerability detection script available here:
https://t.co/7Ct8oXOgCP
Patches are available as per Citrix's advisory:
https://t.co/qNn3IRJXpF
Most exploitation activity related to the CVE-2025-55182 vulnerability affecting React Server Components, Next.js, and related frameworks originated from red team assessments, but observed exploitation attempts by threat actors deliver various payloads. https://t.co/QG4SgcoqlW
This pre-authentication remote code execution (RCE) vulnerability (also referred to as React2Shell and includes CVE-2025-66478, which was merged into it) could allow attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request.
In this blog, Microsoft Defender researchers share insights and detailed analysis of observed exploitation activity, as well as mitigation, detection, and hunting guidance. Further investigation towards providing stronger protection measures is in progress, and the blog will be updated when more information becomes available.
8 million requests, $400 later - we’re back. 🚀
We have demonstrated supply chain attacks that could have allowed us to trivially compromise critical infra. networks, including .gov, .mil, and more.
This is real Attack Surface Management.
https://t.co/PCuioOCiRi
Today I am writing a guide on the following topic: how to talk to idiots who believe that fully-automated, humanless, autonomous #SOC is coming any day?
Stay ahead of Active Directory targeting. We teamed with @ASDGovAu and others to provide recommended strategies to prevent and detect malicious actors attempting to access the keys to your network. Read our joint guidance: https://t.co/FeciBYQtvW
Appreciation post time.
There are a lot of security researchers who have an entire career focused on tracking botnets, or information stealers, and do so for years with little to no recognition. We'd like to take a minute to shoutout a few people who we think are doing great stuff and not getting enough love and respect.
- @malwrhunterteam, consistently for years tracking malware, initial access malware, and openly sharing information on it
- @Max_Mal_, @Cryptolaemus1 (and whoever is part of the group), @JAMESWT_MHT, and @1ZRR4H, for ruthlessly tracking many of the big-name botnets and loaders and openly sharing information on them
- @JaffaCakes118 and @Neiki__, both among the largest malware collectors and distributors. They've freely shared millions of malware samples for years.
- @Gootloader, actively tracking Gootloader, the initial access malware used by many ransomware groups, and doing so, for free, for literally years.
- @bmmaloney97, the number one expert in Windows OneDrive analysis and internals. He has openly and freely shared his research for years.
- @RussianPanda9xx, for actively tracking Lumma Stealer (and tons of others), for what feels like forever, and openly sharing information and updates on the malware.
There are so many more we could shout out, but we can't think of any more off the top of our heads. But your work is respected and remembered. Thank you so much for the things you do for the researchers and the world.
The award-winning Qualys Threat Research Unit (TRU) has discovered a critical vulnerability in OpenSSH, designated CVE-2024-6387 and aptly named "regreSSHion." This Remote Code Execution bug grants full root access, posing a significant exploitation risk. https://t.co/uDHHSuzd5f
Announcing the JA4+ Database!
https://t.co/ZqhIkM1dNn
Under *very* active development but ready for use. Expect orders of magnitude more data and JA4+ combinations over the next few months. I recommend downloading the DB and loading up in your data explorer of choice for now.
Everyone has a different use-case for JA4+ so we're trying to make it easy to find what you're looking for. Below are some examples you can do in a data explorer like Elastic.
JA4 to JA4H
JA4 to User-Agent String
JA4 to Application
JA4 to Library
JA4T to Device
JA4X to Device
JA4X to Application
JA4X to Issuers
JA4X to JA4T
etc. etc. etc.
There are so many combinations and use cases for each.
Please send me any feedback, improvement suggestions.
🚀I'm finally releasing GraphSpy to the public!🕵️
A powerful offensive security tool focused on making initial access and post-compromise enumeration in Microsoft Entra and M365 much more convenient during penetration tests and red team assessments!
https://t.co/OfI2TanQ61
Mandiant and VMware Product Security found that UNC3886 has been exploiting CVE-2023-20867 since 2021.
Mandiant recommends VMware users update to the latest version of vCenter to account for this vulnerability seeing exploitation in the wild. ⬇️
https://t.co/2zCH6uNfJg
🚨Active Exploitation🚨
➡️CVE-2023-22527 - Confluence template injection
➡️Executed whoami
➡️Source IP: 45.61.137[.]90
➡️UA: Opera/9.89.(Windows 95; sv-FI) Presto/2.9.181 Version/12.00
➡️PCAP, full POST URI and more available in our AllIntel service https://t.co/RXnF6Mx8fB
Hello Adversary Simulation and Purple Teaming enthusiasts!
@Sam0x90 the author of Purple Team Strategies book and Security Analyst Lead at Palo Alto Networks, will be joining the #AdversaryGuru livestream on 12th December at 22:00 GST [UTC+4]
Session info: https://t.co/jvrI8iTyGl
#adversarysimulation #purpleteam #adversaryvillage
Please do the incident response team a favor, and check that the X-Forwarded-For header is set on all your reverse proxies / load balancers / etc.
They will thank you later.
My colleagues integrated THOR ⚡️with the Velociraptor 🦖toolkit and I'm impressed with the seamless enhancement.
It extends the detection coverage and capabilities immensely.
Check it out if you're already using @velocidex.