Months-old Adobe Reader zero-day uses PDFs to size up targets

Summary

Security researcher Haifei Li (EXPMON) has flagged an active campaign that exploits an apparent zero-day in Adobe Acrobat Reader. Malicious PDFs execute heavily obfuscated JavaScript as soon as the document is opened, requiring no extra clicks and reportedly affecting up-to-date Reader installs.

Rather than immediately deploying a full payload, the PDF uses legitimate Acrobat APIs to harvest system information — OS details, language settings, file paths and even local files — and sends that reconnaissance back to attacker-controlled servers. If the victim matches the attacker’s criteria, a second-stage payload is fetched and run inside Reader, potentially enabling remote code execution or sandbox escape. Samples uploaded to VirusTotal date back to 28 November 2025, indicating the campaign has been active for months. There is currently no CVE, no patch, and Adobe has not publicly responded.

Key Points

  • The exploit auto-runs via obfuscated JavaScript embedded in PDFs and needs only the file to be opened/viewed.
  • Attackers abuse legitimate Acrobat APIs to fingerprint machines and harvest local data.
  • Reconnaissance data is exfiltrated to attacker servers to decide whether a second-stage payload should be delivered.
  • The second stage can escalate the attack up to remote code execution or a sandbox escape.
  • Lure documents include Russian-language content referencing oil and gas events, suggesting a targeted audience rather than indiscriminate mass distribution.
  • Related samples appeared on VirusTotal on 28 Nov 2025, implying the campaign has been active for several months before public detection.
  • No CVE or patch has been published and Adobe has not publicly responded, leaving users exposed.
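A triage check for the open-time JavaScript pattern described in the key points above, as an added example: this is not code from the article, the researcher or Adobe, and the function names and PDF object skeletons are constructed for illustration.

```python
import re
import zlib

# Hypothetical triage helper (added example): flags PDFs that attach JavaScript to an
# open-time trigger. It works on raw object syntax, inflates FlateDecode streams (object
# streams) and decodes #xx name escapes that obfuscated files use to hide /JavaScript.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
AUTO_RUN = (b"/OpenAction", b"/AA")      # document-open action / additional actions
JS_NAMES = (b"/JavaScript", b"/JS")      # action type / script body keys

def _visible_objects(data: bytes) -> bytes:
    """Raw object text with binary stream bodies dropped, plus every stream body
    that inflates as zlib (Flate) appended in clear."""
    pieces = [_STREAM.sub(b"", data)]
    for body in _STREAM.findall(data):
        try:
            pieces.append(zlib.decompress(body))
        except zlib.error:
            pass  # not Flate data (image, encrypted, other filter): skip it
    return b"\n".join(pieces)

def _has_name(text: bytes, name: bytes) -> bool:
    """Match a whole PDF name token, so /AA does not match /AAPL."""
    return re.search(re.escape(name) + rb"(?=[\s/<>\[\]()%]|$)", text) is not None

def triage_pdf(data: bytes) -> dict:
    """Return open-time triggers, JavaScript presence, escape use and a verdict."""
    objs = _visible_objects(data)
    # Normalise #xx escapes so /J#61vaScript compares equal to /JavaScript.
    text = _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), objs)
    triggers = [n.decode() for n in AUTO_RUN if _has_name(text, n)]
    has_js = any(_has_name(text, n) for n in JS_NAMES)
    return {"auto_run": triggers, "javascript": has_js,
            "escaped_names": _NAME_ESCAPE.search(objs) is not None,
            "suspicious": has_js and bool(triggers)}

# Constructed samples (object skeletons, not loadable documents, not real malware).
_SCRIPT_OBJ = b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
_CATALOG = b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
SAMPLE_OPEN_ACTION = b"%PDF-1.7\n" + _CATALOG + _SCRIPT_OBJ
_PACKED = zlib.compress(_SCRIPT_OBJ)   # the same script hidden in an object stream
SAMPLE_OBJSTM = (b"%PDF-1.7\n" + _CATALOG + b"4 0 obj << /Type /ObjStm /N 1 /First 0"
                 b" /Filter /FlateDecode /Length " + str(len(_PACKED)).encode()
                 + b" >>\nstream\n" + _PACKED + b"\nendstream\nendobj\n")
SAMPLE_BENIGN = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
```

Encrypted documents and streams using filters other than Flate stay opaque to this scan, so treat a clean result as a first pass rather than a clearance.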

Context and Relevance

This story matters because it shows a stealthy, selective approach to exploitation: attackers first profile victims, then decide whether to fully compromise them. That targeted modus operandi is consistent with espionage-style operations and high-value intrusions rather than broad commodity malware. The lengthy undetected window emphasises gaps in detection for document-borne threats and the risks of trusting seemingly benign file formats.

Organisations and defenders should treat PDFs as active attack surfaces: restrict automatic rendering where possible, enforce protected view / sandboxing, harden endpoint detection and response (EDR) rules, block suspicious outbound connections from Reader processes, and educate users to avoid opening PDFs from unknown or untrusted sources.

Why should I read this?

Because if you or your colleagues open PDFs at work, this could be how attackers decide whether you’re worth targeting. It’s not a loud, obvious hack — it quietly sizes up the machine first. Read this so you know to treat PDFs with a bit more suspicion and to push for practical mitigations now.

Author style

Punchy: This is high‑risk and stealthy — for IT teams and security pros it should trigger immediate checks. If you manage endpoints or handle sensitive docs, this isn’t background noise: check controls, logging and network egress for Reader processes right away.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/04/09/monthsold_adobe_reader_zeroday_uses/