Hackers Exploit Secret Bug in Adobe Reader: No Patch Available, All Users at Risk
A zero-day vulnerability in Adobe Reader that has yet to be resolved has been actively exploited since at least November 2025. This was made public by Haifei Li, a security researcher and founder of EXPMON, a sandbox-based exploit detection platform, who on Tuesday, April 7, released details of a malicious campaign based on specially crafted PDF files targeting fully updated systems. The first sample identified on VirusTotal dates back to November 28, 2025, although the most documented activity seems to concentrate starting from December.
How the exploit works
The attack vector is a PDF that incorporates heavily obfuscated JavaScript within form objects. The code is decoded at runtime and exploits a logic flaw in the JavaScript engine of Adobe Reader to invoke privileged Acrobat APIs from within the sandboxed process, bypassing isolation protections. The most relevant operational aspect: no interaction from the victim is required beyond opening the file. Double-clicking the document is enough to trigger the entire chain.
"So, this is what I was busy working on... A really interesting (and sophisticated) Adobe Reader PDF "fingerprinting" exploit involving a zero-day and allowing additional (maybe RCE/SBX) exploitation to be launched!" (Haifei Li, April 8, 2026)
Once executed, the script collects a detailed profile of the system: language settings, Adobe Reader version, full operating system version, and local path of the opened PDF. This information constitutes the "fingerprint" that names the technique. The exploit then uses the privileged API util.readFileIntoStream to read arbitrary files accessible to the sandboxed process, including system libraries and files in system directories like Windows\system32. CyberPress researchers have demonstrated in a controlled environment that the exploit successfully reads files from that folder and exfiltrates them to the attacker's server, even in the absence of a second-stage payload.
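A static triage check for the indicators described above (JavaScript attached to form objects, and references to the privileged util.readFileIntoStream and RSS.addFeed APIs), written as an added example rather than code from the article or from EXPMON. The regex-based PDF walk is a deliberate approximation of a real parser, and the sample PDF is constructed for the demonstration.

```python
import re
import zlib

# Indicators taken from the article: JavaScript inside form objects and the
# privileged Acrobat APIs the exploit calls. In-the-wild samples decode their
# script at runtime, so an absent API name proves nothing by itself.
JS_KEYS = (b"/JavaScript", b"/JS")
FORM_KEYS = (b"/AcroForm", b"/Widget", b"/Fields", b"/AA")
PRIVILEGED_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def _inflate(body: bytes) -> bytes:
    """Append the decompressed content of any FlateDecode stream in the object."""
    out = body
    for m in STREAM_RE.finditer(body):
        try:
            out += b"\n" + zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass  # not Flate-compressed (or corrupt): match on the raw bytes
    return out

def triage_pdf(data: bytes) -> dict:
    """Static triage: which objects carry JavaScript, whether any of it hangs
    off a form object, and which privileged API names appear in plain text."""
    report = {"js_objects": [], "js_in_form": False, "apis": set()}
    for num, _gen, body in OBJ_RE.findall(data):
        text = _inflate(body)
        if any(k in text for k in JS_KEYS):
            report["js_objects"].append(int(num))
            if any(k in text for k in FORM_KEYS):
                report["js_in_form"] = True
        report["apis"].update(a.decode() for a in PRIVILEGED_APIS if a in text)
    report["suspicious"] = report["js_in_form"] or bool(report["apis"])
    return report

# Constructed sample (not a real malicious file): a text field whose focus
# action points at a Flate-compressed script that merely names RSS.addFeed.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /AcroForm << /Fields [2 0 R] >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (f1) "
    b"/AA << /Fo << /S /JavaScript /JS 3 0 R >> >> >> endobj\n"
    b"3 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"var feed = RSS.addFeed; // placeholder, not the exploit")
    + b"\nendstream\nendobj\n%%EOF\n"
)
```

Treat form-attached JavaScript as the primary signal and an API-name hit as a bonus, since the real samples only expose those names after runtime decoding; anything flagged belongs in a sandbox such as EXPMON rather than in an inbox.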
Exfiltration and Potential RCE
For communication with its command-and-control (C2) infrastructure, the exploit abuses the RSS.addFeed API in a privileged context, using it both to send the collected data and to retrieve further JavaScript to execute. The hardcoded C2 server in the analyzed samples is 169.40.2.68:45191. The returned payload is decrypted client-side, a technique designed to evade network traffic inspection. During testing, the server accepted connections but did not respond with additional exploit code, a behavior consistent with strict victim selection logic in which the complete payload is delivered only to targets that meet certain fingerprinting criteria.
Li clarified that this first phase is only the foothold: the sample is designed to gather data and prepare the ground for subsequent exploits capable of achieving Remote Code Execution (RCE) and Sandbox Escape (SBX). Because the server did not respond during tests, the exact nature of the second stage remains unknown, but the path to RCE has already been validated in practice: any JavaScript returned from the C2 server would be executed within Adobe Reader.
Traces on VirusTotal and Low Detection
The first identified sample, named "Invoice540.pdf", appeared on VirusTotal on November 28, 2025, indicating that the infrastructure was already operational before the initially estimated timeframe. A second sample was uploaded on March 23, 2026. Both exhibited a very low detection rate on traditional antivirus engines at the time of discovery, highlighting how successfully the adopted obfuscation technique evades conventional solutions. The sample that triggered the alert on EXPMON was identified as "yummy_adobe_exploit_uwu.pdf", an intentionally innocuous name. What made it interesting was not the presence of classic malware but its runtime behavior: it is the exploit logic that escapes signature-based engines.
Russian Lures and Campaign Context
"An apparent #0day in Adobe Reader has been observed in the wild. It seems to exploit part of Adobe Reader's JavaScript engine. The documents observed contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in Russia." (Gi7w0rm, April 8, 2026)
The analysis by threat intelligence analyst Gi7w0rm added a geopolitical context: the PDF documents used in the attacks contain Russian language lures that refer to current events in the Russian oil & gas sector. This indicates a campaign with specific targeting, likely aimed at professionals or organizations active in that sector. The overall technical level of the chain, from the sophistication of the obfuscation to the victim selection logic to the client-side decryption mechanism of the payload, is consistent with a well-funded threat actor or nation-state level capabilities. No formal attribution has been made by researchers, but the set of indicators reasonably excludes an opportunistic or poorly structured scenario.
No Patch, Available Mitigations
The findings from the research and analysis have been shared with Adobe, but at the time of publication of this article, no security update is available. Li advised users not to open PDFs from unverified contacts until a patch is released. For those managing the security of networks and systems, the most immediate mitigation is to monitor and block HTTP/HTTPS traffic containing the string "Adobe Synchronizer" in the User-Agent header, which is the marker used by the exploit for C2 communications. It should be noted that attackers may rotate infrastructure, so blocking the hardcoded IP is helpful but not sufficient as an exclusive measure. Submitting suspicious PDF samples to EXPMON Public remains one of the few currently effective detection countermeasures against this class of attack.
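The User-Agent and C2 checks described above, run over constructed proxy log lines, as an added example that is not part of the article. The log layout and every address other than the article's 169.40.2.68:45191 are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

C2_HOST, C2_PORT = "169.40.2.68", 45191     # hardcoded C2 named in the article
UA_MARKER = "adobe synchronizer"            # User-Agent marker, matched case-insensitively

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client> <dst_host> <dst_port> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) '
    r'(?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    reasons: tuple

def classify(line: str):
    """Return a Hit for a line matching either indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip it rather than call it clean
    reasons = []
    if UA_MARKER in m["ua"].lower():
        reasons.append("ua_marker")  # still fires after the C2 address rotates
    if m["dst"] == C2_HOST:
        reasons.append("known_c2" if int(m["port"]) == C2_PORT else "known_c2_host")
    if not reasons:
        return None
    return Hit(m["ts"], m["src"], f'{m["dst"]}:{m["port"]}', tuple(reasons))

def scan(lines):
    """Run classify over an iterable of log lines and keep only the hits."""
    return [h for h in map(classify, lines) if h is not None]

# Constructed sample log: one benign request, the hardcoded C2 with the marker,
# rotated infrastructure with the marker, and a plain probe of the C2 host.
SAMPLE_LOG = [
    '2026-04-08T09:12:01Z 10.0.0.15 203.0.113.10 443 GET https://example.com/ "Mozilla/5.0"',
    '2026-04-08T09:13:44Z 10.0.0.23 169.40.2.68 45191 POST http://169.40.2.68:45191/feed "Adobe Synchronizer"',
    '2026-04-08T09:15:02Z 10.0.0.23 198.51.100.7 8080 POST http://198.51.100.7:8080/feed "Adobe Synchronizer"',
    '2026-04-08T09:16:30Z 10.0.0.40 169.40.2.68 80 GET http://169.40.2.68/ "curl/8.0"',
]
```

The third sample line is the case the article warns about: an IP-only block misses it, while the User-Agent marker still catches it.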