Adobe Reader Zero-Day Exploit Discovered: Malicious PDFs Used to Steal Data Since 2025

Cybersecurity researchers have uncovered a zero-day vulnerability in Adobe Reader that attackers have been actively exploiting through specially crafted PDF files since late 2025.

The issue, analyzed by EXPMON researcher Haifei Li, involves a highly advanced PDF-based exploit designed to compromise systems as soon as the file is opened. One of the earliest known samples, named “Invoice540.pdf,” surfaced on VirusTotal in November 2025, with another variant appearing in March 2026.


How the Attack Works

The attack relies heavily on social engineering. The PDF files are disguised as legitimate documents, likely invoices, to trick users into opening them.

Once opened in Adobe Reader, the file silently executes hidden JavaScript code. This code is used to:

  • Collect sensitive information from the system
  • Communicate with an external server
  • Download and execute additional malicious payloads
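Because the lure works only once Reader runs the document's embedded script, a first-line defensive check is static triage of incoming PDFs for the name objects that make a document auto-execute JavaScript on open (/OpenAction or /AA as the trigger, /JavaScript or /JS carrying the script). The scanner below is an added example written for this article, not code from the article, from EXPMON or from the analyzed samples; the two PDFs it scans are constructed inline, and it goes one step beyond the article by decoding the #xx hex escapes that the PDF name syntax permits, a common way to hide such names from plain string matching.

```python
"""Static triage of a PDF for auto-executing JavaScript (pdfid-style check).

Added example, not from the article or from the EXPMON analysis.  It
counts the PDF name objects that let a document run script when opened
and decodes #xx name escapes so that /J#61vaScript is seen as /JavaScript.
"""
import re
from collections import Counter

# Name objects worth flagging: /OpenAction and /AA are auto-run triggers,
# /JavaScript and /JS carry the script, /Launch and /EmbeddedFile are
# other common dropper indicators.
SUSPICIOUS_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/EmbeddedFile")

# A PDF name token: '/' followed by regular characters (delimiters end it).
# '#' is allowed inside a name because '#xx' is the spec's hex escape.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: a minimal PDF whose catalog runs a JavaScript action
# on open, with the action type name hex-escaped to dodge naive matching.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign sample: same skeleton, no action objects at all.
BENIGN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalize_name(token: bytes) -> str:
    """Decode #xx escapes in a name token, e.g. /J#61vaScript -> /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token).decode("latin-1")


def count_names(data: bytes):
    """Return (Counter of suspicious names, whether any name used #xx escapes)."""
    counts = Counter()
    escaped = False
    for m in NAME_TOKEN.finditer(data):
        raw = m.group(0)
        if HEX_ESCAPE.search(raw):
            escaped = True
        name = normalize_name(raw)
        if name in SUSPICIOUS_NAMES:
            counts[name] += 1
    return counts, escaped


def triage(data: bytes) -> dict:
    """Summarise the indicators found and decide whether the file auto-runs script."""
    counts, escaped = count_names(data)
    has_trigger = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    has_script = counts["/JavaScript"] > 0 or counts["/JS"] > 0
    return {
        "counts": dict(counts),
        "auto_run_javascript": has_trigger and has_script,
        "hex_escaped_names": escaped,
    }


if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, triage(pdf))
```

The scan only sees names in uncompressed objects; a real triage pipeline inflates FlateDecode object streams first, then applies the same name counting, and treats any file that both triggers on open and carries script as one to detonate in a sandbox rather than open on a user's desktop.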

Targeting and Lures

Researchers observed that some of the malicious PDFs include Russian-language content. These files reference real-world developments in the oil and gas sector, suggesting the attackers are tailoring their lures to specific targets or regions.


Exploit Capabilities

The malicious PDF acts as an entry point for a broader attack chain. Its capabilities include:

  • Gathering system and user data
  • Sending collected information to a remote server
  • Enabling further exploitation, potentially including:
    • Remote Code Execution (RCE)
    • Sandbox escape techniques

The exploit takes advantage of an unpatched flaw in Adobe Reader that allows unauthorized access to privileged Acrobat functions. Notably, it has been confirmed to work even on the latest versions of the software.


Command-and-Control Activity

The malware connects to an external server to exfiltrate data and receive additional instructions. It can also request more JavaScript payloads, allowing attackers to expand their control over the infected system.

However, during analysis, researchers did not receive a follow-up payload from the server. This suggests the attackers may be delivering second-stage exploits only to targets that meet certain conditions.


Why This Matters

Even without the full second-stage payload, the current capabilities of this exploit are already dangerous. The ability to collect detailed system information and prepare for further attacks makes it a serious threat.

Security experts warn that this vulnerability could be used as a stepping stone for more advanced attacks, and organizations should remain alert while waiting for an official patch.


Key Takeaway

This discovery highlights how attackers continue to use everyday file formats like PDFs as entry points for sophisticated attacks. Until a fix is released, users and organizations should treat unexpected PDF attachments with caution, especially those disguised as invoices or urgent documents.
