
Adobe Reader Zero-Day Exploited through Malicious PDFs Since December 2025

Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025.

The finding, detailed by EXPMON's Haifei Li, has been described as a highly sophisticated PDF exploit. The artifact ("Invoice540.pdf") first appeared on the VirusTotal platform on November 28, 2025. A second sample was uploaded to VirusTotal on March 23, 2026.

Given the name of the PDF document, it is likely that there is an element of social engineering involved, with the attackers luring unsuspecting users into opening the files in Adobe Reader. Once opened, the document automatically triggers the execution of obfuscated JavaScript to harvest sensitive data and download additional payloads.

Security researcher Gi7w0rm, in a post on X, said the PDF documents observed contain Russian-language lures and refer to current events related to the oil and gas industry in Russia.

“The sample acts as an initial exploit with the potential to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits,” Li said.


“It abuses a zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe Reader.”

It also comes with capabilities to exfiltrate the collected information to a remote server (“169.40.2[.]68:45191”) and to download additional JavaScript code to be executed.

This mechanism, Li argued, could be used to collect local information, perform advanced fingerprinting attacks, and set the stage for follow-on activity, including delivering additional exploits to achieve code execution or sandbox escape.
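The two traits described above and in the earlier paragraph on auto-executed JavaScript (a script that runs as soon as the document opens, and a hard-coded server it talks to) are exactly what a responder looks for when triaging a suspicious PDF statically, before ever opening it in a reader. The following Python script is an added example for this article; it is not EXPMON's analysis code and not the Invoice540.pdf sample. It builds a constructed PDF inline whose script is a harmless placeholder carrying only the server address reported above, then checks for an auto-execute trigger (/OpenAction or /AA) wired to a /JavaScript action, pulls the script bodies out (including a FlateDecode-compressed stream and a hex-escaped /J#53 key name, two common tricks for hiding the /JS key from naive greps), and extracts any IP:port indicator from them. The regexes are deliberately loose and will not defeat heavier obfuscation; for a full analysis, a proper PDF parser should be used.

```python
"""Static triage of a PDF for auto-executed JavaScript and network IOCs.

Added example for this article; not EXPMON's code and not the Invoice540.pdf
sample. The PDF below is constructed inline and its script is a harmless
placeholder that only carries the server address the article reports. The
regexes are deliberately loose: they catch the common layout (/OpenAction or
/AA -> /JavaScript action -> /JS literal or stream) plus hex-escaped key names
such as /J#53, not every obfuscation a real dropper uses.
"""
import re
import zlib

TRIGGER_KEYS = (b"/OpenAction", b"/AA")                      # open / page-event triggers (loose match)
JS_ACTION = re.compile(rb"/S\s*/JavaScript")                 # action subtype
JS_LITERAL = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.S)    # /JS (inline script)
JS_REF = re.compile(rb"/JS\s+(\d+)\s+0\s+R")                 # /JS pointing at a stream object
NAME_WITH_HEX = re.compile(rb"/[A-Za-z0-9#]*#[0-9A-Fa-f]{2}[A-Za-z0-9#]*")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
IP_PORT = re.compile(rb"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{2,5}))?\b")


def unescape_names(data: bytes) -> bytes:
    """Rewrite hex-escaped name tokens (/J#53 -> /JS) so keyword checks work."""
    return NAME_WITH_HEX.sub(
        lambda n: HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), n.group(0)),
        data,
    )


def stream_for_object(raw: bytes, objnum: int) -> bytes:
    """Return the (inflated) stream body of object `objnum` from the unmodified file bytes."""
    head = re.search(rb"(?s)(?<!\d)%d\s+0\s+obj\s*<<(.*?)>>\s*stream\r?\n" % objnum, raw)
    if not head:
        return b""
    dict_part = unescape_names(head.group(1))
    start = head.end()
    # Prefer a direct integer /Length (an indirect `/Length 5 0 R` is skipped),
    # otherwise fall back to the next `endstream` marker.
    length = re.search(rb"/Length\s+(\d+)(?!\d|\s+0\s+R)", dict_part)
    if length:
        body = raw[start:start + int(length.group(1))]
    else:
        end = raw.find(b"endstream", start)
        body = raw[start:end] if end >= 0 else raw[start:]
    if b"/FlateDecode" in dict_part:
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass  # keep the raw bytes; a deliberately broken stream is itself a hint
    return body


def extract_scripts(raw: bytes) -> list:
    """Collect every script body reachable through a /JS key (literal or stream)."""
    norm = unescape_names(raw)
    scripts = [m.group(1) for m in JS_LITERAL.finditer(norm)]
    for m in JS_REF.finditer(norm):
        body = stream_for_object(raw, int(m.group(1)))
        if body:
            scripts.append(body)
    return scripts


def triage(raw: bytes) -> dict:
    """Summarise the auto-execute, JavaScript and network-indicator traits of a PDF."""
    norm = unescape_names(raw)
    scripts = extract_scripts(raw)
    indicators = set()
    for script in scripts:
        for ip, port in IP_PORT.findall(script):
            indicators.add(ip.decode() + (":" + port.decode() if port else ""))
    auto_trigger = any(key in norm for key in TRIGGER_KEYS)
    js_action = JS_ACTION.search(norm) is not None
    return {
        "auto_trigger": auto_trigger,
        "javascript_action": js_action,
        "script_count": len(scripts),
        "network_indicators": sorted(indicators),
        "suspicious": auto_trigger and js_action and bool(scripts),
    }


def build_sample_pdf() -> bytes:
    """Constructed test file: open-action JS in a deflated stream behind a hex-escaped
    /J#53 key, plus a page /AA literal. No xref table is written; the scanner does not
    need one and the file is not meant to be opened in a reader."""
    placeholder_js = b"var c2 = 'http://169.40.2.68:45191/'; // placeholder, not the exploit"
    deflated = zlib.compress(placeholder_js)
    objects = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /J#53 4 0 R >> >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        rb"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O << /S /JavaScript /JS (app.alert\(1\)) >> >> >> endobj",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(deflated)
        + deflated + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objects) + b"\n%%EOF\n"


if __name__ == "__main__":
    print(triage(build_sample_pdf()))
```

Run it as-is to see the summary for the constructed file, or call `triage(open(path, "rb").read())` on a real sample inside an isolated analysis VM. Note that a hit on `/OpenAction` plus `/JavaScript` is a strong but not conclusive signal (legitimate forms use both), and that the script bodies this pulls out are usually the first layer of obfuscation only; the next-stage code the article describes is fetched at runtime and never sits in the file.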

The exact nature of this next-stage exploit remains unknown, as no response was received from the server. This, in turn, may imply that the local testing environment from which the request was issued did not meet the criteria required to receive the payload.

“However, this zero-day/unpatched capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert,” Li said.

(This is a developing story. Please check back for more details.)
