Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

Summary

Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using sophisticated, socially-engineered PDF documents since at least December 2025. The exploit, which uses obfuscated JavaScript, can harvest sensitive data, achieve remote code execution, and escape sandboxes. The malicious PDFs contain Russian-language lures related to oil and gas industry issues and exfiltrate data to C2 infrastructure.

Full text

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 Ravie LakshmananApr 09, 2026Vulnerability / Threat Intelligence Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025. The finding, detailed by EXPMON's Haifei Li, has been described as a highly-sophisticated PDF exploit. The artifact ("Invoice540.pdf") first appeared on the VirusTotal platform on November 28, 2025. A second sample was uploaded to VirusTotal on March 23, 2026. Given the name of the PDF document, it's likely that there is an element of social engineering involved, with the attackers luring unsuspecting users into opening the files on Adobe Reader. Once launched, it automatically triggers the execution of obfuscated JavaScript to harvest sensitive data and receive additional payloads. Security researcher Gi7w0rm, in an X post, said the PDF documents observed contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in Russia. "The sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits," Li said. "It abuses zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe Reader." It also comes with capabilities to exfiltrate the collected information to a remote server ("169.40.2[.]68:45191") and receive additional JavaScript code to be executed. This mechanism, Li argued, could be used to collect local data, perform advanced fingerprinting attacks, and set the stage for follow-on activity, including delivering additional exploits to achieve code execution or sandbox. The exact nature of this next-stage exploit remains unknown as no response was received from the server. This, in turn, could imply the local testing environment from which the request was issued did not meet the necessary criteria to receive the payload. "Nevertheless, this zero-day/unpatched capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert," Li said. (This is a developing story. Please check back for more details.) Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Adobe Reader, cybersecurity, Malware, remote code execution, social engineering, Threat Intelligence, Vulnerability, zero-day Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• ip — 169.40.2.68

Entities