A zero-day vulnerability in Adobe Reader has been exploited since December 2025 through malicious PDF files. The attack enables hidden code execution, data theft and potential follow-on exploits, raising concerns over unpatched systems and evolving cyber threats.

Sophisticated PDF Based Exploit Targets Adobe Reader Users Globally

The420.in Staff

A previously unknown zero-day vulnerability in Adobe Reader has been actively exploited through malicious PDF files since at least December 2025. The campaign involves specially crafted documents that trigger hidden code execution when opened, raising concerns over data theft and further system compromise.

Exploit delivered through malicious PDF files

Researchers said the attack relies on socially engineered PDF documents designed to lure users into opening them in Adobe Reader. Once opened, the files automatically execute obfuscated JavaScript, enabling attackers to harvest sensitive data and potentially deploy additional malicious payloads.
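Added example, not code from the article or from the researchers it cites: a dependency-free Python triage script that flags PDFs wired to run JavaScript automatically on open, the delivery mechanism described above. The fixture PDF, indicator groups and verdict labels are constructed for illustration; the script is a first-pass filter for a mail gateway or IR queue, not a full PDF parser.

```python
import re
import zlib

# Constructed benign fixture (not the article's sample): a minimal PDF whose
# catalog /OpenAction points to a JavaScript action. The action name is
# hex-escaped (/#4AavaScript == /JavaScript), a cheap trick against naive grep.
SAMPLE_AUTORUN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /#4AavaScript /JS (app.alert('fixture');) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Indicator names grouped by what they tell a responder (groups are our own labels).
INDICATORS = {
    "auto_trigger": ["OpenAction", "AA"],          # runs without a click
    "javascript": ["JavaScript", "JS"],            # script present
    "external_action": ["Launch", "URI", "SubmitForm"],  # lower confidence alone
}


def normalize(data: bytes) -> bytes:
    """Undo two cheap evasions before matching: #xx hex escapes in names and
    FlateDecode-compressed streams (which may hide object streams)."""
    data = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    inflated = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, encrypted, etc.); skip it
    return data + b"\n".join(inflated)


def _present(name: str, text: bytes) -> bool:
    # The lookahead keeps /JS from matching longer names and /AA from /AAxx keys.
    return re.search(rb"/" + name.encode() + rb"(?![A-Za-z0-9])", text) is not None


def triage_pdf(data: bytes) -> dict:
    """Return which indicator names fire, per group, plus a one-line verdict."""
    text = normalize(data)
    hits = {g: [n for n in names if _present(n, text)] for g, names in INDICATORS.items()}
    if hits["auto_trigger"] and hits["javascript"]:
        verdict = "auto-executing JavaScript"
    elif hits["javascript"] or hits["external_action"]:
        verdict = "active content"
    else:
        verdict = "no active content"
    return {"hits": hits, "verdict": verdict}


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_AUTORUN_PDF))
```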

The exploit was first observed in a file identified as “Invoice540.pdf,” which appeared on the VirusTotal platform on November 28, 2025. A second sample was later uploaded on March 23, 2026. The activity has been described as a highly sophisticated PDF-based exploit targeting unpatched systems.


Capability to steal data and enable further attacks

The malicious files act as an initial entry point, with the ability to collect and leak various types of information. Researchers noted that the exploit may also lead to remote code execution and sandbox escape, significantly increasing its impact.

The vulnerability allows attackers to execute privileged Acrobat application programming interfaces, even on the latest version of Adobe Reader. It also includes mechanisms to send collected data to a remote server and receive additional JavaScript instructions for further execution.

The documents observed in the campaign reportedly contain Russian-language lures and reference issues related to current events in the oil and gas sector in Russia, suggesting targeted social engineering elements.

Ongoing risks and unanswered questions

The exploit chain appears capable of supporting advanced follow-on activity, including fingerprinting attacks and delivery of additional payloads. However, the exact nature of the next-stage exploit remains unclear, as no response was received from the remote server during analysis.

Researchers indicated that the testing environment used may not have met the conditions required to receive further payloads. Despite this, the presence of an unpatched vulnerability with broad data harvesting capabilities has prompted warnings within the security community.

The situation remains under observation, with experts advising caution as the threat continues to evolve.

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
