Adobe Reader Zero Day Exploited Through Malicious PDF Files Since December 2025

A previously unknown zero-day vulnerability in Adobe Reader has been actively exploited since at least December 2025 through maliciously crafted PDF files distributed by threat actors. The activity was first identified and detailed by EXPMON researcher Haifei Li, who described the exploit as highly sophisticated. Early traces of the campaign were observed when a suspicious file named Invoice540.pdf appeared on VirusTotal on November 28, 2025. A second related sample was uploaded on March 23, 2026, suggesting continued operational use of the same exploit chain over an extended period.

Analysis of the malicious PDF files indicates that the attackers rely on social engineering to persuade users to open the documents. The file names and content themes are designed to resemble legitimate or familiar documents, increasing the likelihood of interaction. Once opened in Adobe Reader, the files automatically execute obfuscated JavaScript embedded in the PDF structure. This script collects sensitive information from the system and contacts an external server to retrieve additional payloads. Execution requires no user approval beyond opening the file itself, which raises the risk of compromise in environments where PDF documents are frequently exchanged.

Security researchers have noted that some of the observed samples use Russian-language lures and references to developments in Russia's oil and gas sector. These contextual elements suggest that the attackers are tailoring their payloads to specific audiences or industries. According to researcher Gi7w0rm, the malicious documents function as an initial exploitation layer, enabling information collection and leakage while preparing the system for further compromise stages. The exploit has been observed to work on the latest versions of Adobe Reader, indicating that the vulnerability remains unpatched and potentially widespread in impact.

The exploit mechanism reportedly abuses a zero-day vulnerability that allows unauthorized execution of privileged Acrobat application programming interfaces (APIs). This capability enables deeper interaction with the system than is normally permitted inside the PDF JavaScript sandbox. The malicious code also exfiltrates collected data to a remote server identified as 169.40.2[.]68:45191 and receives additional JavaScript instructions from it for further execution. This structure lets the attacker fingerprint the system, gather local data, and potentially deploy follow-on payloads that could lead to remote code execution or sandbox escape, depending on the environment and execution conditions.
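The two behaviours described above, a JavaScript action wired to fire on document open and a hard-coded exfiltration endpoint, are both visible in a PDF's object structure. The following triage script is an added example, not code from the article or from the researchers it cites: it inflates Flate-compressed streams, undoes PDF name hex-escaping (a common way to hide `/JavaScript` from naive string matching), then flags auto-execution keys, script keys and the published indicator. The sample documents it builds are constructed for the demonstration and are not the real Invoice540.pdf; the key list and scoring weights are the author's own heuristic assumptions.

```python
"""Static triage for PDFs that run JavaScript automatically on open."""
import re
import zlib

# Indicator published in the article (defanged there as 169.40.2[.]68:45191).
C2_INDICATOR = "169.40.2[.]68:45191"

# Heuristic key lists (assumption: illustrative, not exhaustive).
AUTO_EXEC_KEYS = (b"/OpenAction", b"/AA")            # fire without a user click
SCRIPT_KEYS = (b"/JavaScript", b"/JS")               # script action / script body
OTHER_RISKY_KEYS = (b"/Launch", b"/EmbeddedFile", b"/URI", b"/SubmitForm")

_NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
# LF-terminated streams only (the constructed samples use LF); real-world
# parsers must also handle CRLF and /Length-driven extraction.
_STREAM = re.compile(rb"(?<!end)stream\n(.*?)\nendstream", re.S)


def inflate_streams(data: bytes) -> bytes:
    """Decompress every Flate stream in place so script bodies hidden in
    compressed objects become visible; streams that fail to inflate are
    left as-is."""
    def _inflate(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return _STREAM.sub(_inflate, data)


def normalise_names(data: bytes) -> bytes:
    """Undo PDF name hex-escapes (/J#61vaScript -> /JavaScript)."""
    return _NAME_HEX.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def _has_key(key: bytes, body: bytes) -> bool:
    # Match the whole name, so /AA does not hit /AAPL-style keys.
    return re.search(re.escape(key) + rb"(?![A-Za-z0-9])", body) is not None


def triage_pdf(data: bytes) -> dict:
    """Return matched keys, whether a script action is wired to open-time
    execution, whether the published C2 indicator appears, and a score."""
    body = normalise_names(inflate_streams(data))
    keys = [k.decode() for k in AUTO_EXEC_KEYS + SCRIPT_KEYS + OTHER_RISKY_KEYS
            if _has_key(k, body)]
    auto_exec = any(_has_key(k, body) for k in AUTO_EXEC_KEYS)
    has_script = any(_has_key(k, body) for k in SCRIPT_KEYS)
    ioc_hit = C2_INDICATOR.replace("[.]", ".").encode() in body
    score = 0
    if has_script:
        score += 2                      # any embedded script is worth a look
    if auto_exec and has_script:
        score += 3                      # script runs just by opening the file
    if ioc_hit:
        score += 5                      # known campaign infrastructure
    score += sum(1 for k in OTHER_RISKY_KEYS if _has_key(k, body))
    return {"keys": keys, "auto_exec_js": auto_exec and has_script,
            "ioc_hit": ioc_hit, "score": score}


def build_sample(malicious: bool) -> bytes:
    """Construct a minimal PDF (demonstration data, not a real sample).
    The malicious variant hides the script in a Flate stream behind a
    hex-escaped /JavaScript name and references the published endpoint."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction 4 0 R" if malicious else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if malicious:
        js = zlib.compress(
            b"var c='169.40.2.68:45191'; app.alert('constructed sample');")
        objs.append(b"<< /S /J#61vaScript /JS 5 0 R >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js)
                    + js + b"\nendstream")
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, doc in (("benign", build_sample(False)),
                       ("malicious", build_sample(True))):
        print(label, triage_pdf(doc))
```

Run it on a real document with `triage_pdf(open(path, "rb").read())`. A non-zero `auto_exec_js` on an unexpected invoice is the condition to quarantine and inspect; the score only ranks files for a human, it is not a verdict, since legitimate forms also use `/AA` and `/JS`.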

Researchers have also highlighted uncertainty about the next stage of the attack chain, as no response was received from the remote server during analysis. The absence of a response may indicate that the testing environment did not meet the conditions required for payload delivery, suggesting environment-aware targeting logic. Despite incomplete visibility into later stages, the exploit's ability to harvest data and prepare systems for further compromise has drawn attention from the cybersecurity community. Experts continue to monitor the activity closely, noting that the combination of information gathering and potential execution pathways is a significant concern for users handling PDF documents from untrusted sources.
