
Threat actors have been using maliciously crafted PDF documents to exploit previously unknown zero-day vulnerabilities in Adobe Reader since at least December 2025.
The discovery, detailed by EXPMON’s Haifei Li, is described as a highly sophisticated PDF exploit. The first artifact (“Invoice540.pdf”) appeared on VirusTotal on November 28, 2025; a second sample was uploaded to VirusTotal on March 23, 2026.
Given the name of the PDF document, there may be an element of social engineering involved, with the attacker persuading unsuspecting users to open the file in Adobe Reader. Once launched, it automatically triggers the execution of obfuscated JavaScript to collect sensitive data and receive additional payloads.
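A defender's first question about a file like this is whether it carries script that runs on open. Below is an added static-triage example (not EXPMON's or Li's tooling, and the embedded PDF is constructed, not the real Invoice540.pdf): it resolves hex-escaped PDF names such as `/J#61vaScript`, counts the action and script keywords, and reports whether a trigger (`/OpenAction`, `/AA`) is paired with script (`/JavaScript`, `/JS`). It also reports `/ObjStm`, because names inside compressed object streams are invisible to a raw byte scan and the file would need decompression first.

```python
import re

# Constructed sample, not the real Invoice540.pdf: a minimal uncompressed PDF
# whose catalog carries an /OpenAction pointing at a JavaScript action, i.e. the
# "runs script automatically when opened" shape the article describes. The
# action name is written with a hex escape (/J#61vaScript) to show one common
# way such names are hidden from naive string matching. The script is inert.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /J#61vaScript /JS (app.alert\\("placeholder"\\);) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# PDF name objects that mark actions, triggers or script; each maps to why it matters.
SUSPICIOUS_NAMES = {
    b"/OpenAction": "document-level action fired when the file is opened",
    b"/AA": "additional-actions dictionary (page, annotation or field triggers)",
    b"/JavaScript": "JavaScript action or document JavaScript name tree",
    b"/JS": "script body (string or stream)",
    b"/Launch": "launch action (starts an external application)",
    b"/SubmitForm": "form submission to a remote URL",
    b"/URI": "URI action",
}


def unescape_names(data: bytes) -> bytes:
    """Resolve #XX hex escapes in PDF names so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Static triage of raw PDF bytes: count risky names and combine them into verdict flags."""
    text = unescape_names(data)
    findings = {}
    for name, why in SUSPICIOUS_NAMES.items():
        # Require a delimiter after the name so /JS does not also match /JSX etc.
        hits = len(re.findall(re.escape(name) + rb"(?=[\s/\[\]<>(])", text))
        if hits:
            findings[name.decode()] = (hits, why)
    has_trigger = "/OpenAction" in findings or "/AA" in findings
    has_script = "/JavaScript" in findings or "/JS" in findings
    return {
        "findings": findings,
        # A trigger plus script is the "runs on open" pattern worth quarantining.
        "auto_executes_script": has_trigger and has_script,
        "hex_escaped_names": text != data,
        # Names inside compressed object streams are invisible to this raw scan;
        # when this is True the file needs decompression before a verdict.
        "has_object_streams": b"/ObjStm" in text,
    }


if __name__ == "__main__":
    result = triage_pdf(SAMPLE_PDF)
    for name, (hits, why) in result["findings"].items():
        print(f"{name:<14} x{hits}  {why}")
    print("auto-executes script:", result["auto_executes_script"])
    print("hex-escaped names:", result["hex_escaped_names"])
    print("object streams (scan may be incomplete):", result["has_object_streams"])
```

Run it against a suspect file with `triage_pdf(open(path, "rb").read())`. A hit on `auto_executes_script` is a reason to open the file only in an isolated analysis environment; a `has_object_streams` result means the verdict is not yet reliable and the streams must be inflated before re-scanning.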
Security researcher Gi7w0rm told XPost that the observed PDF documents contained Russian-language lures and referred to current events related to Russia’s oil and gas industry.
“This sample serves as the first exploit with the ability to collect and leak various types of information, and may be followed by remote code execution (RCE) and sandbox escape (SBX) exploits,” Li said.
“It exploits a zero-day/unpatched vulnerability in Adobe Reader, allows execution of privileged Acrobat APIs, and is known to work with the latest versions of Adobe Reader.”
It also has the ability to leak the collected information to a remote server (169.40.2[.]68:45191) and to receive additional JavaScript code to execute.
Li claimed that this mechanism could be used to collect local data, perform advanced fingerprinting, and prepare for subsequent activity such as delivering additional exploits to achieve code execution and a sandbox escape.
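The published server is a concrete indicator to hunt for, and Reader making outbound connections on odd ports is the behaviour behind it. The following added example (not from EXPMON or the article; the telemetry lines, the log format and the Reader process names are constructed assumptions) refangs the indicator as printed above and runs two checks over endpoint network events: an exact match on the exfiltration destination, and a heuristic flag on any Adobe Reader process talking to a non-web port.

```python
import ipaddress

# Indicator exactly as the report publishes it (defanged); refanged below for matching.
REPORTED_C2 = "169.40.2[.]68:45191"

# Assumption about how Acrobat Reader appears in endpoint telemetry; adjust to your EDR.
READER_PROCESSES = {"acrord32.exe", "acrobat.exe"}

# Constructed sample telemetry, one network event per line:
# "<timestamp> <process> <dst_ip> <dst_port>"
SAMPLE_EVENTS = """\
2026-03-24T09:12:01Z AcroRd32.exe 23.45.67.89 443
2026-03-24T09:12:05Z AcroRd32.exe 169.40.2.68 45191
2026-03-24T09:13:11Z chrome.exe 169.40.2.68 45191
2026-03-24T09:14:00Z Acrobat.exe 10.0.0.5 8080
2026-03-24T09:15:30Z outlook.exe 52.96.0.1 443
"""


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions so a published indicator can be compared to live data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc(ioc: str) -> tuple:
    """Split a refanged host:port indicator; rejects anything that is not a bare IP address."""
    host, port = refang(ioc).rsplit(":", 1)
    ipaddress.ip_address(host)  # raises ValueError if the indicator is not an IP literal
    return host, int(port)


C2 = parse_ioc(REPORTED_C2)


def evaluate_event(line: str) -> dict:
    """Score one event: an exact IoC match plus a behavioural check on Reader's egress."""
    ts, proc, dst_ip, dst_port = line.split()
    dst_port = int(dst_port)
    reasons = []
    if (dst_ip, dst_port) == C2:
        reasons.append("destination matches published exfiltration server")
    if proc.lower() in READER_PROCESSES and dst_port not in (80, 443):
        # Heuristic: normal Reader traffic (updates, cloud services) is HTTPS;
        # a connection to an arbitrary port deserves a look even without an IoC hit.
        reasons.append("Adobe Reader process connected on a non-web port")
    return {"ts": ts, "process": proc, "dst": f"{dst_ip}:{dst_port}", "reasons": reasons}


def scan_events(text: str) -> list:
    """Return only the events that raised at least one reason, in log order."""
    events = (evaluate_event(l) for l in text.splitlines() if l.strip())
    return [e for e in events if e["reasons"]]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["ts"], hit["process"], hit["dst"], "->", "; ".join(hit["reasons"]))
```

On the constructed sample the second line fires both checks, the browser line fires only the indicator match, and the `Acrobat.exe` connection to port 8080 fires only the behavioural check; that last kind of hit is what keeps the rule useful after the attacker moves servers.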
The exact nature of this next stage of the exploit remains unknown as no response was received from the server. This may mean that the local test environment from which the request originates does not meet the required criteria to receive the payload.
“Still, this zero-day/unpatched ability to gather extensive information and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert,” Li said.
(This is a developing story. Check back for more details.)
