Adobe Reader zero-day exploited through malicious PDFs since December 2025

Threat actors have been using malicious PDF files to exploit a previously unknown Adobe Reader zero-day since at least December 2025, according to a technical analysis by EXPMON. The activity was tied to files that could run obfuscated JavaScript, steal data and receive more payloads.

KEY FACTS

  • First seen: a sample named “Invoice540.pdf” appeared on VirusTotal on Nov. 28, 2025.
  • Second sample: uploaded to VirusTotal on March 23, 2026.
  • Behavior: the PDF launches obfuscated JavaScript to harvest information and request more code.
  • Scope: the flaw is said to work on the latest version of Adobe Reader.
  • Possible follow-on: the sample may support later remote code execution and sandbox escape activity.

The document lures appear to use Russian language themes and mention current events tied to the oil and gas industry in Russia, security researcher Gi7w0rm said in an X post. The naming of the files suggests social engineering was part of the delivery method.

Li said the sample can collect and leak information and can exfiltrate data to a remote server at 169.40.2[.]68:45191. It can also receive additional JavaScript code for execution. The exact next-stage payload is unknown because no response was received from the server during testing.

The report says the exploit abuses a zero-day, or otherwise unpatched, Adobe Reader flaw that lets the document's JavaScript invoke privileged Acrobat APIs. It also says the issue has been confirmed on the latest Adobe Reader release. The disclosure does not identify a patch or mitigation.
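As an added example (not code from EXPMON or from this article), the following Python triage script looks for the features the report describes: JavaScript actions, auto-launch entries and network endpoints embedded in a PDF, including inside FlateDecode streams and behind hex-escaped names that defeat a plain substring scan. The test document, its TEST-NET address and the scoring weights are assumptions constructed for the example.

```python
import re
import zlib

# PDF dictionary keys whose presence warrants a closer look during triage.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                   b"/Launch", b"/URI", b"/SubmitForm")


def inflate_streams(data: bytes) -> bytes:
    """Append the decompressed body of every stream object, since scripts
    are frequently hidden inside FlateDecode-compressed objects."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", data, re.S):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream; its raw bytes are already in `data`
    return b"\n".join(parts)


def normalize_names(data: bytes) -> bytes:
    """Resolve name hex escapes (/J#61vaScript -> /JavaScript) so that an
    escaped key does not evade the keyword match below."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return the suspicious keys, embedded IP endpoints and a rough score."""
    text = normalize_names(inflate_streams(data))
    keys = {k.decode(): text.count(k) for k in SUSPICIOUS_KEYS if k in text}
    # IPv4 endpoints inside scripts point at possible staging or exfil hosts.
    ip_re = rb"(?:https?://)?(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?"
    endpoints = sorted({m.decode() for m in re.findall(ip_re, text)})
    # Dynamic evaluation is a common marker of obfuscated PDF JavaScript.
    obfuscated = re.search(rb"\b(eval|unescape|String\.fromCharCode)\s*\(", text) is not None
    score = len(keys) + len(endpoints) + (2 if obfuscated else 0)
    return {"keys": keys, "endpoints": endpoints,
            "obfuscated_js": obfuscated, "score": score}


def build_sample_pdf() -> bytes:
    """Constructed test document (not the sample from the report): a harmless
    script in a Flate stream, one hex-escaped name, a TEST-NET-3 address."""
    js = b'var u = "http://203.0.113.10:8080/"; eval(unescape("%61%70%70"));'
    body = zlib.compress(js)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"%%EOF\n")
```

Run `triage_pdf(open(path, "rb").read())` on a suspect file; a non-zero score is a cue to detonate it in an isolated sandbox, not proof of malice.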

WHY IT MATTERS

The reported behavior suggests a file-based attack that can gather sensitive data before any further payload is delivered. That creates risk for users who open malicious PDFs and for organizations that rely on Adobe Reader in routine document workflows.