Zero-Day Bug in Acrobat Reader Actively Exploited in the Wild


A sophisticated zero-day PDF exploit targeting Adobe Reader was detected by the EXPMON system. The attack functions as a fingerprinting and reconnaissance stage, designed to profile victims before potentially delivering a full remote code execution (RCE) or sandbox escape (SBX) payload.

Severity: High

Vulnerability & APIs Abused

  • Zero-day/unpatched vulnerability allowing execution of privileged Acrobat JavaScript APIs without user interaction beyond opening the PDF
  • util.readFileIntoStream() – reads arbitrary local files accessible by the sandboxed Reader process
  • RSS.addFeed() – dual-purpose: exfiltrates collected data to C2 and receives follow-on JavaScript for execution
  • Confirmed working on Adobe Reader v26.00121367 (latest at time of writing)

Attack Chain

  1. Victim opens malicious PDF
  2. Obfuscated JavaScript executes (base64-encoded payload hidden in a form field object)
  3. Local system fingerprinting: language settings, Reader version, exact OS version (parsed from ntdll.dll), local PDF file path
  4. Data exfiltrated to C2 via RSS.addFeed() call
  5. C2 evaluates the victim profile; if the targeting criteria are met, it returns an AES-CTR-encrypted, compressed follow-on JavaScript payload for RCE/SBX

Obfuscation & Evasion

  • Multi-layer JavaScript obfuscation (base64 + custom encoding)
  • Payload encrypted with AES-CTR to evade network-based detection
  • Payload decompressed via zip_inflate() before execution
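
The attack chain and obfuscation notes above give a hunter concrete static indicators: a script hook that fires on open, a base64 blob parked in a form field, FlateDecode streams wrapping the script, and the two Acrobat JavaScript API names. The following is an added example (not the advisory's, EXPMON's or Adobe's code) that peels those layers and flags a PDF on the API names or a hash from the IOC list. The indicator strings and hashes are the advisory's; the triage heuristics, the directory hunt and the sample PDF built by build_sample_pdf() are constructed for illustration and the sample is not the real malicious document.

```python
"""Static triage of PDFs for the Acrobat JavaScript indicators in this advisory.

Added example, not the advisory's or EXPMON's code. Indicator strings and hashes
come from the advisory; the sample PDF built below is constructed for the test.
"""
import base64
import hashlib
import re
import zlib
from pathlib import Path

# SHA-256 values from the advisory's IOC list.
IOC_SHA256 = {
    "65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7",
    "54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f",
}
# Acrobat JavaScript APIs and helper names the advisory attributes to the exploit.
SUSPICIOUS_TOKENS = (b"util.readFileIntoStream", b"RSS.addFeed", b"zip_inflate", b"ntdll.dll")
# Dictionary keys that let a PDF run script with no interaction beyond opening it.
PDF_JS_HOOKS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
# Base64 runs long enough to hide a script (the advisory notes one in a form field).
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}")


def inflate_streams(data):
    """Yield the body of every FlateDecode stream that inflates cleanly."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def decode_b64_blobs(data):
    """Yield decoded bytes for every base64-looking run that decodes strictly."""
    for m in B64_RE.finditer(data):
        try:
            yield base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue


def triage_pdf(data):
    """Return hash match, script hooks and API-name hits for one PDF's bytes.

    Looks at the raw file, each inflated stream, and one base64 layer inside
    each of those, which is the nesting the advisory describes.
    """
    sha256 = hashlib.sha256(data).hexdigest()
    hits, hooks = set(), set()
    for view in [data, *inflate_streams(data)]:
        hooks.update(h.decode() for h in PDF_JS_HOOKS if h in view)
        for layer in [view, *decode_b64_blobs(view)]:
            hits.update(t.decode() for t in SUSPICIOUS_TOKENS if t in layer)
    return {
        "sha256": sha256,
        "ioc_hash": sha256 in IOC_SHA256,
        "js_hooks": hooks,
        "hits": hits,
        # Script hooks alone are common in benign forms; API names or a hash match are the signal.
        "suspicious": sha256 in IOC_SHA256 or bool(hits),
    }


def hunt_directory(root, filename_iocs=("yummy_adobe_exploit_uwu.pdf",)):
    """Retro-hunt a file share: findings for PDFs matching a hash, an API name
    or one of the advisory's filenames."""
    found = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".pdf":
            continue
        result = triage_pdf(path.read_bytes())
        if result["suspicious"] or path.name in filename_iocs:
            found[str(path)] = result
    return found


def build_sample_pdf():
    """Constructed test document (not the real sample): an OpenAction script in a
    FlateDecode stream reads a base64 blob from a text field; the blob references
    the APIs named in the advisory."""
    inner = b"var f = util.readFileIntoStream('/C/Windows/System32/ntdll.dll'); RSS.addFeed(url);"
    blob = base64.b64encode(inner)
    script = zlib.compress(b"var p = this.getField('f').value; eval(decode(p));")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [5 0 R] >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>",
        b"<< /S /JavaScript /JS 6 0 R >>",
        b"<< /Type /Annot /Subtype /Widget /FT /Tx /T (f) /V (" + blob + b") >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(script) + script + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for key, value in triage_pdf(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Run hunt_directory() against a mail-gateway quarantine or a file share to retro-hunt; a hit on js_hooks alone is only context, since many legitimate forms carry JavaScript, while an API-name hit after decoding or a hash match is what warrants pulling the file for analysis. The single base64 pass is deliberate: the advisory describes a custom encoding on top of base64, so a miss here does not clear a file.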

Campaign Context

  • Initial sample submitted to EXPMON on March 26, 2026; it had already appeared on VirusTotal on March 23, 2026 with only 5/64 detections
  • A new variant was confirmed on April 8, 2026 by researcher @greglesnewich, with a VT first-seen date of November 28, 2025, indicating the campaign has been active for at least four months
  • Behavior strongly suggests an APT-level, targeted campaign: the server performs active victim filtering before delivering the next-stage exploit

Recommendations

  1. Exercise caution with PDFs from untrusted sources until Adobe issues an official patch.
  2. Monitor, and consider blocking, outbound HTTP/HTTPS traffic whose User-Agent header is “Adobe Synchronizer”. This string is a key indicator of the exfiltration method used by this exploit.
  3. If business workflows permit, disable JavaScript in Adobe Reader entirely (Edit > Preferences > JavaScript > Uncheck ‘Enable Acrobat JavaScript’). This effectively kills the primary execution engine for this exploit.
  4. Monitor Adobe’s official security bulletins for the patch addressing this zero-day.
  5. Conduct a retro-hunt across mail gateways and file shares for the filename yummy_adobe_exploit_uwu.pdf or similar variants.
  6. Block the IOCs below at their respective controls; the full collection is available at:
    https://www.virustotal.com/gui/collection/1c6b8b94b3ad32fc76dc34f7daf614ac56762c703526ec06f82e0420074192a0/iocs
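
Recommendations 2 and 6 turn into a single detection rule over egress logs. The following is an added example (not the advisory's or any vendor's detection content) that scans a constructed proxy log for the advisory's domain and IP IOCs and for the “Adobe Synchronizer” User-Agent reaching a non-Adobe destination. It assumes that Acrobat's own traffic carrying that header goes to Adobe-operated hosts (the .adobe.com, .adobe.io and .acrobat.com suffixes are an assumed allowlist, not from the advisory), which lets you alert on the anomaly without blocking the header outright. The CSV log layout and every log line are constructed, not real traffic.

```python
"""Proxy-log detection for the exfiltration channel described in this advisory.

Added example, not the advisory's or any vendor's detection content. The IOC
domain and IPs are the advisory's; the log format, the Adobe host allowlist and
the log lines are constructed for illustration.
"""
import csv
import io
import ipaddress

EXPLOIT_UA = "Adobe Synchronizer"
IOC_DOMAINS = {"ado-read-parser.com"}
IOC_IPS = {ipaddress.ip_address("169.40.2.68"), ipaddress.ip_address("188.214.34.20")}
# Assumption: Acrobat's own traffic that carries this User-Agent goes to Adobe-operated
# hosts. The same header to anything else is the anomaly to alert on, which avoids
# blocking the header outright and breaking legitimate Reader features.
ADOBE_HOST_SUFFIXES = (".adobe.com", ".adobe.io", ".acrobat.com")

# Constructed proxy log in a simple CSV layout (not real traffic).
SAMPLE_LOG = """ts,src_ip,dst_host,dst_ip,user_agent,status
2026-04-09T10:01:02Z,10.1.2.3,acrobat.adobe.com,192.0.2.10,Adobe Synchronizer,200
2026-04-09T10:02:11Z,10.1.2.3,ado-read-parser.com,188.214.34.20,Adobe Synchronizer,200
2026-04-09T10:02:15Z,10.1.2.9,cdn.example.net,203.0.113.7,Adobe Synchronizer,200
2026-04-09T10:03:40Z,10.1.2.10,www.example.org,198.51.100.5,Mozilla/5.0,200
2026-04-09T10:04:01Z,10.1.2.11,169.40.2.68,169.40.2.68,Mozilla/5.0,404
"""


def is_adobe_host(host):
    """True if the host is under one of the assumed Adobe-operated suffixes."""
    h = host.lower().rstrip(".")
    return any(h == s[1:] or h.endswith(s) for s in ADOBE_HOST_SUFFIXES)


def classify(row):
    """Return the reasons a single proxy record should alert (empty list if none)."""
    reasons = []
    host = row["dst_host"].lower().rstrip(".")
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("ioc_domain")
    try:
        if ipaddress.ip_address(row["dst_ip"]) in IOC_IPS:
            reasons.append("ioc_ip")
    except ValueError:  # unparsable or missing destination IP
        pass
    # The header alone is not an IOC; the header to a non-Adobe destination is.
    if row["user_agent"].strip() == EXPLOIT_UA and not is_adobe_host(host):
        reasons.append("adobe_synchronizer_ua_to_non_adobe_host")
    return reasons


def scan_log(text):
    """Run classify() over every CSV record and return the alerting ones in order."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = classify(row)
        if reasons:
            alerts.append({**{k: row[k] for k in ("ts", "src_ip", "dst_host", "dst_ip")},
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Port classify() to your SIEM as two rules: an exact match on the IOC domain and IPs, and a User-Agent match paired with a negative match on your own Adobe allowlist. Tune the allowlist from a baseline of where Reader actually talks in your environment before enforcing a block, since the IOC list will change as the campaign's infrastructure rotates while the User-Agent anomaly is the more durable signal.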

IOCs

SHA-256: 65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7
SHA-256: 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f
IP: 169.40.2[.]68
IP: 188.214.34[.]20
Domain: ado-read-parser[.]com

Source:

  • https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html
  • https://www.linkedin.com/feed/update/urn:li:activity:7447732911405142016/
  • https://www.sophos.com/en-us/blog/adobe-reader-zero-day-vulnerability-in-active-exploitation

Ampcus Cyber