
Adobe Reader Zero-Day Under Active Exploitation: Malicious PDFs Weaponized in the Wild

  • Apr 9

Key Findings


  • Threat actors have been actively exploiting a previously unknown zero-day vulnerability in Adobe Reader since at least November 2025

  • Malicious PDF documents named with invoice-themed filenames use Russian language lures related to oil and gas industry issues to trick victims into opening them

  • The exploit automatically executes obfuscated JavaScript upon opening to harvest sensitive data and receive additional malicious payloads

  • The vulnerability allows execution of privileged Acrobat APIs even on fully updated versions of Adobe Reader

  • Stolen data is exfiltrated to remote servers, with capability for follow-on remote code execution and sandbox escape attacks

  • At least two samples have been discovered on VirusTotal, with the first appearing November 28, 2025 and a second on March 23, 2026


Background


Security researcher Haifei Li, founder of EXPMON, discovered the sophisticated exploit while analyzing suspicious files submitted to the platform. Despite showing low antivirus detection rates on VirusTotal, EXPMON's advanced "detection in depth" feature flagged the malicious PDFs for manual review. A second researcher using the moniker Gi7w0rm later corroborated the findings and provided additional context about the targeting and social engineering tactics employed.


Attack Mechanism


When a victim opens one of the weaponized PDF files, malicious JavaScript immediately executes within the Adobe Reader sandbox. The exploit abuses unpatched Acrobat APIs, specifically leveraging "util.readFileIntoStream()" to read arbitrary files accessible to the sandboxed Reader process. This allows attackers to collect a wide range of sensitive information from the victim's system including documents, credentials, and system configuration data.


Data Exfiltration and Secondary Payloads


The stolen information is sent to remote command and control servers at addresses including 169.40.2.68:45191 and 188.214.34.20:34123. After successful exfiltration, the servers can respond with additional JavaScript code for execution, creating a mechanism for staged attacks. This design allows attackers to profile targets before determining whether to deliver follow-on exploits for remote code execution or sandbox escape based on specific criteria.
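A triage check for the pattern described in this section and the previous one (JavaScript that runs automatically on open, a call to util.readFileIntoStream, and a hard-coded IP:port endpoint in the script), written here as an added example rather than code from the researchers or the article. The sample PDF bytes and the 203.0.113.7 address are constructed placeholders, not the reported files or servers.

```python
import re
import zlib

# Indicators taken from the report: JavaScript triggered on open (/OpenAction or /AA),
# a call to util.readFileIntoStream(), and an IP:port literal standing in for the C2.
INDICATORS = {
    "auto_action": rb"/(OpenAction|AA)\b",
    "javascript": rb"/(JavaScript|JS)\b",
    "file_read_api": rb"util\.readFileIntoStream",
    "ip_port_literal": rb"\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b",
}

def normalise_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes (/J#61vaScript -> /JavaScript), a common evasion."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Return the original bytes plus the inflated content of every Flate-compressed stream."""
    extra = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or corrupt): the raw bytes are still scanned
    return data + b"\n" + b"\n".join(extra)

def scan_pdf(data: bytes) -> dict:
    """Count indicator hits in one PDF and flag the auto-run JS + file-read combination."""
    text = normalise_names(inflate_streams(data))  # inflate first: '#' is common in binary
    hits = {name: len(re.findall(pat, text)) for name, pat in INDICATORS.items()}
    suspicious = hits["auto_action"] > 0 and hits["javascript"] > 0 and hits["file_read_api"] > 0
    return {"hits": hits, "suspicious": suspicious}

# Constructed sample (not one of the reported files): an OpenAction that runs JavaScript
# stored in a Flate-compressed stream behind a hex-escaped /JavaScript name.
_JS = b"util.readFileIntoStream(); /* placeholder endpoint 203.0.113.7:45191 */"
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
    b"3 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_JS) + b"\nendstream\nendobj\n%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))  # suspicious: True
    print(scan_pdf(BENIGN_PDF))  # suspicious: False
```

Hits alone are not a verdict: many benign forms carry /JS and /AA, which is why the flag requires the auto-run trigger, scripting and the file-read API together.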


Social Engineering Component


The attack leverages social engineering tactics with deceptive file names like "Invoice540.pdf" designed to appear as legitimate business documents. The use of Russian language content referencing current events in the oil and gas industry suggests victims are specifically targeted within that sector or geographic region, making the lures more believable and increasing the likelihood of opening the files.


Current Status and Implications


During analysis, researchers connected to the command servers but received no response or secondary payload, likely because the test environment did not meet the attacker's specific targeting criteria. The zero-day remains unpatched in current versions of Adobe Reader, and the security community has been alerted to remain vigilant for similar variants. Researchers are actively seeking assistance from the wider security community to fully analyze the exploit and determine its complete capabilities.


Sources


  • https://thehackernews.com/2026/04/adobe-reader-zero-day-exploited-via.html

  • https://securityaffairs.com/190558/hacking/malicious-pdf-reveals-active-adobe-reader-zero-day-in-the-wild.html

  • https://hackread.com/adobe-reader-zero-day-exploit-data-malicious-pdfs/

  • https://ground.news/article/researchers-spot-zero-day-attack-targeting-adobe-reader

© 2025 by Explain IT Again