Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025.
The finding, detailed by EXPMON's Haifei Li, has been described as a highly sophisticated PDF exploit. The artifact ("Invoice540.pdf") first appeared on the VirusTotal platform on November 28, 2025. A second sample was uploaded to VirusTotal on March 23, 2026.
Given the name of the PDF document, it is likely that there is an element of social engineering involved, with the attackers luring unsuspecting users into opening the files in Adobe Reader. Once opened, the document automatically triggers the execution of obfuscated JavaScript to harvest sensitive data and download additional payloads.
Security researcher Gi7w0rm, in an X post, said the PDF documents observed contain Russian-language lures and refer to current events related to the oil and gas industry in Russia.
"The sample acts as an initial exploit with the potential to collect and leak various kinds of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits," Li said.
"It abuses a zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it's confirmed to work on the latest version of Adobe Reader."
It also has the capability to exfiltrate the collected information to a remote server ("169.40.2[.]68:45191") and download additional JavaScript code to be executed.
This mechanism, Li argued, could be used to collect local data, perform advanced fingerprinting, and set the stage for follow-on activity, including delivering additional exploits to achieve code execution or sandbox escape.
The exact nature of this next-stage exploit remains unknown, as no response was received from the server. This, in turn, may imply that the local testing environment from which the request was issued did not meet the criteria required to receive the payload.
"However, this zero-day/unpatched capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert," Li said.
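The behaviour described above (JavaScript that runs as soon as the document is opened, then reaches out to an IP:port for more code) leaves structural traces that a defender can triage for before a sample is ever opened in a reader. The following is an added example written for this article, not code from EXPMON or Haifei Li, and it does not detect the specific vulnerability: it inflates FlateDecode streams, undoes PDF name-escape obfuscation (`/J#53` for `/JS`), and flags documents that combine an open-time trigger (`/OpenAction` or `/AA`) with JavaScript, reporting any embedded IP:port strings. The PDFs it scans are constructed in the block itself (hypothetical, not the Invoice540.pdf sample).

```python
import re
import zlib

# Constructed sample: minimal PDF whose /OpenAction points at a JavaScript
# action. Hypothetical test data, not the real malicious document.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert\\(1\\);) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed benign PDF: same skeleton, no action and no script.
BENIGN_PDF = SAMPLE_PDF.replace(b" /OpenAction 4 0 R", b"").replace(
    b"<< /S /JavaScript /JS (app.alert\\(1\\);) >>", b"<< /Type /Metadata >>")

AUTO_TRIGGERS = (b"/OpenAction", b"/AA")       # actions that fire without a click
JS_KEYS = (b"/JavaScript", b"/JS")            # action type and script payload keys
IP_PORT = re.compile(rb"\d{1,3}(?:\.\d{1,3}){3}:\d{2,5}")


def expand_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream to the raw bytes."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (image data, uncompressed text, etc.)
    return b"".join(parts)


def normalise_names(data: bytes) -> bytes:
    """Undo #XX hex escapes in PDF names so /J#53 is checked as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), data)


def scan_pdf(data: bytes) -> dict:
    """Static triage: does the document run JavaScript on open, and where might it call out?"""
    expanded = normalise_names(expand_streams(data))
    findings = {
        "auto_trigger": any(k in expanded for k in AUTO_TRIGGERS),
        "javascript": any(k in expanded for k in JS_KEYS),
        "ip_port": [m.decode() for m in IP_PORT.findall(expanded)],
        # long runs of \xNN escapes are a cheap indicator of string obfuscation
        "hex_obfuscation": bool(re.search(rb"(?:\\x[0-9a-fA-F]{2}){8,}", expanded)),
    }
    findings["suspicious"] = findings["auto_trigger"] and findings["javascript"]
    return findings


def build_obfuscated_variant() -> bytes:
    """Constructed variant: script moved into a compressed stream, /JS name hex-escaped."""
    js = b"var c = '198.51.100.7:45191';"  # TEST-NET-2 address, constructed placeholder
    body = zlib.compress(js)
    obj = (b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
           + body + b"\nendstream\nendobj\n")
    return (SAMPLE_PDF
            .replace(b"/JS (app.alert\\(1\\);)", b"/J#53 5 0 R")
            .replace(b"trailer", obj + b"trailer"))


if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF),
                       ("obfuscated", build_obfuscated_variant())):
        print(label, scan_pdf(pdf))
```

Scanning raw bytes rather than parsing the object graph keeps the check cheap and robust against malformed files, at the cost of false positives on legitimate forms that use `/AA` for field validation; treat a hit as a reason to detonate the file in a sandbox, not as a verdict.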
(This is a developing story. Please check back for more details.)