Zero-day, Apr 9, 2026

Adobe Reader Zero-Day Exploited to Steal Data via Malicious PDFs

Adobe Reader zero-day actively exploited via malicious PDFs to steal data without user interaction.

Summary

A previously unknown vulnerability in Adobe Reader, discovered by security researcher Haifei Li, has been actively exploited in the wild since at least November 2025. The attack uses specially crafted PDFs carrying obfuscated JavaScript that abuses two built-in Reader APIs (util.readFileIntoStream and RSS.addFeed) to collect data from the victim's machine and exfiltrate it to a remote server at 169.40.2.68. The lure documents are written in Russian and discuss the oil and gas industry, suggesting a targeted campaign. No patch is currently available from Adobe.

Full text

By Deeba Ahmed, April 9, 2026

Hackers have been exploiting an as-yet unidentified flaw in Adobe Reader since at least November 2025. The zero-day was first discovered by security researcher Haifei Li, founder of EXPMON, a sandbox-based exploit detection system.

How the attack works

Li found that the exploit fires as soon as a victim opens a specially crafted PDF file. One sample found on VirusTotal was named "Invoice540.pdf", suggesting the attackers are using fake invoices as a lure. Li notes that the exploit is particularly dangerous because it works against the latest version of Adobe Reader and requires no user interaction beyond opening the file.

(Figure: detected sample, source: Haifei Li)

Once the file is open, it runs hidden, heavily obfuscated JavaScript. The script abuses two of Adobe Reader's built-in JavaScript APIs: util.readFileIntoStream, which reads a file from disk into a stream, and RSS.addFeed, which issues a network request to subscribe to a feed URL. Chaining the two lets the attackers read data from the victim's computer and send it to a remote server at 169.40.2.68.

Li explained in a blog post that this is only the first stage: by collecting information and fingerprinting the machine, the attackers can prepare follow-on actions. These include remote code execution (RCE), which would let them run their own programs on the victim's machine, or a sandbox escape (SBX) to bypass Reader's built-in security barriers and take full control.
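The behaviour described above (a PDF that auto-executes an obfuscated script naming Reader's file and network APIs and an exfiltration address) is something a responder can triage without opening the file in Reader at all. The following is an added example, not code from Haifei Li, EXPMON or Hackread: it builds a constructed, inert sample PDF that only references the two API names and the reported IP the way a lightly obfuscated lure would, then parses the PDF objects, inflates the FlateDecode stream, undoes the cheap string-hiding tricks and reports what it finds. The indicator lists and the sample are assumptions taken from this article; the scanner is deliberately a regex parser, not a full PDF implementation.

```python
"""Triage a PDF for auto-executing, obfuscated JavaScript that references
Reader's util.readFileIntoStream / RSS.addFeed APIs or the reported C2 address.
Added example; the sample PDF is constructed here and is inert."""
import re
import zlib

# Indicators from the article. Extend these as more IOCs are published.
SUSPICIOUS_APIS = ("util.readFileIntoStream", "RSS.addFeed")
KNOWN_C2 = ("169.40.2.68",)

# One PDF object: its number, its dictionary, and (optionally) its stream body.
_OBJ = re.compile(rb"(\d+) 0 obj\s*(<<.*?>>)\s*(?:stream\r?\n(.*?)\r?\nendstream)?", re.DOTALL)
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')


def build_sample_pdf(malicious: bool = True) -> bytes:
    """Constructed sample: a minimal PDF whose /OpenAction runs a FlateDecode
    JavaScript stream. The 'malicious' variant only *names* the APIs the way a
    lightly obfuscated lure would; it calls nothing and exploits nothing."""
    if malicious:
        js = ('var a = "util." + "readFileInto" + "Stream";\n'
              'var b = String.fromCharCode(82,83,83,46,97,100,100,70,101,101,100);\n'
              'var c = "http://" + "169.40.2.68" + "/feed";\n')
    else:
        js = 'app.alert("Thanks for opening this document");\n'
    body = zlib.compress(js.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream",
    ]
    pdf = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"  # no xref table; the scanner does not need one


def deobfuscate(js: str) -> str:
    """Undo the cheap string-hiding tricks seen in PDF lures: \\xNN and \\uNNNN
    escapes, String.fromCharCode(...), and "a" + "b" concatenation of
    double-quoted literals. Real samples may need a JS engine; this is triage."""
    js = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)
    js = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), js)
    js = _FROMCHARCODE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"', js)
    while True:  # fold "a" + "b" + "c" pairwise until nothing changes
        folded = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
        if folded == js:
            return js
        js = folded


def iter_objects(pdf: bytes):
    """Yield (object number, dictionary bytes, decoded stream bytes or None)."""
    for m in _OBJ.finditer(pdf):
        num, dct, data = int(m.group(1)), m.group(2), m.group(3)
        if data is not None and b"/FlateDecode" in dct:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # keep the raw bytes; a filter that does not decode is itself notable
        yield num, dct, data


def triage(pdf: bytes) -> dict:
    """Return what a responder needs to decide whether to escalate the file."""
    report = {"auto_exec": False, "script_objects": [], "apis": set(), "c2": set()}
    for num, dct, data in iter_objects(pdf):
        if b"/OpenAction" in dct or b"/AA" in dct:
            report["auto_exec"] = True  # runs on open or on a page/document event
        if b"/JavaScript" in dct or b"/JS" in dct:
            report["script_objects"].append(num)
        text = deobfuscate((dct + b"\n" + (data or b"")).decode("latin-1"))
        report["apis"].update(api for api in SUSPICIOUS_APIS if api in text)
        report["c2"].update(ip for ip in KNOWN_C2 if ip in text)
    report["apis"], report["c2"] = sorted(report["apis"]), sorted(report["c2"])
    report["verdict"] = "suspicious" if report["apis"] or report["c2"] else "clean"
    return report


if __name__ == "__main__":
    for name, pdf in (("lure", build_sample_pdf()), ("benign", build_sample_pdf(False))):
        print(name, triage(pdf))
```

Point triage() at real bytes with open(path, "rb").read(); the constructed sample is only there so the script runs offline. Note that the API names are matched only after string folding, which is the point: a raw grep for util.readFileIntoStream on the compressed, concatenated lure finds nothing. Samples that build names at runtime with more than string arithmetic will still slip past this and need a real JavaScript engine or a sandbox such as the one the article describes.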
"Dear security community/researchers, I'd really like to call to look at this https://t.co/BuvZtpBChe, this information shows that the threat actors behind this Adobe Reader 0day attack were not just collecting local information but were really delivering additional exploits, need…" — Haifei Li (@HaifeiLi) April 8, 2026

Russian oil and gas lures

The attackers appear to be focused on specific targets. Security analyst Giuseppe Massaro (Gi7w0rm) examined the malicious documents and found that they are written in Russian and that the text discusses news and events in the Russian oil and gas industry, which makes the phishing emails look legitimate.

"Apparent #0day in Adobe Reader has been observed in the wild. Seems to exploit part of Adobe Readers JavaScript engine. Documents observed contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in Russia. https://t.co/QRu63fuAP4" — Gi7w0rm (@Gi7w0rm) April 8, 2026

This is not the first time Adobe Reader has faced a problem of this kind. A previous flaw, tracked as CVE-2024-41869, was also reported by Haifei Li, although Adobe did not confirm at the time whether it had been exploited in real-world attacks.

Adobe was notified of the flaw around 7 April but has not yet released an update to fix it. Li, who has a long history of finding bugs in products from companies such as Microsoft, said it is vital for the public to know about the issue now so they can protect themselves.

Since there is no official fix or patch yet, treat PDF files from unknown senders with caution. Administrators should block outbound web traffic whose HTTP headers contain the string "Adobe Synchronizer", which cuts off the channel the exploit uses to reach the attackers' server; note that this is a broad block and will also affect any legitimate Reader feature that uses the same channel.

Indicators of Compromise

  • ip — 169.40.2.68 (exfiltration server)
  • network — outbound HTTP traffic with "Adobe Synchronizer" in the headers (recommended block)
  • file — Invoice540.pdf (sample name observed on VirusTotal)
  • vulnerability — Adobe Reader zero-day (no CVE assigned at time of writing; no patch available)
  • cve — CVE-2024-41869 (earlier Adobe Reader flaw reported by Haifei Li; not the zero-day described here)

Entities

  • Adobe Reader (product)
  • Adobe (vendor)
  • Unknown Russian-language lure operators targeting the oil and gas sector (threat actor)
  • EXPMON (product)