Zero-Day Bug in Acrobat Reader Actively Exploited in the Wild

A sophisticated zero-day PDF exploit targeting Adobe Reader was detected by the EXPMON system. The attack functions as a fingerprinting and reconnaissance stage, designed to profile victims before potentially delivering a full remote code execution (RCE) or sandbox escape (SBX) payload.

Severity: High

Vulnerability & APIs Abused

  • Zero-day/unpatched vulnerability allowing execution of privileged Acrobat JavaScript APIs without user interaction beyond opening the PDF
  • util.readFileIntoStream() – reads arbitrary local files accessible by the sandboxed Reader process
  • RSS.addFeed() – dual-purpose: exfiltrates collected data to C2 and receives follow-on JavaScript for execution
  • Confirmed working on Adobe Reader v26.00121367 (latest at time of writing)

Attack Chain

  1. Victim opens malicious PDF
  2. Obfuscated JavaScript executes (base64-encoded payload hidden in a form field object)
  3. Local system fingerprinting: language settings, Reader version, exact OS version (parsed from ntdll.dll), local PDF file path
  4. Data exfiltrated to C2 via RSS.addFeed() call
  5. C2 evaluates victim profile; if criteria met, returns encrypted (AES-CTR), compressed follow-on JavaScript payload for RCE/SBX

Obfuscation & Evasion

  • Multi-layer JavaScript obfuscation (base64 + custom encoding)
  • Payload encrypted with AES-CTR to evade network-based detection
  • Payload decompressed via zip_inflate() before execution

Campaign Context

  • Initial sample submitted to EXPMON on March 26, 2026; appeared on VirusTotal on March 23, 2026 with only 5/64 detections
  • A new variant was confirmed on April 8, 2026 by researcher @greglesnewich, with a VT first-seen date of November 28, 2025, indicating the campaign has been active for at least four months
  • Behavior strongly suggests an APT-level, targeted campaign: the server performs active victim filtering before delivering the next-stage exploit

Recommendations

  1. Exercise caution with PDFs from untrusted sources until Adobe issues an official patch.
  2. Monitor and consider blocking outbound HTTP/HTTPS traffic where the User Agent is set to “Adobe Synchronizer”. This string is a key indicator of the exfiltration method used by this exploit.
  3. If business workflows permit, disable JavaScript in Adobe Reader entirely (Edit > Preferences > JavaScript > Uncheck ‘Enable Acrobat JavaScript’). This effectively kills the primary execution engine for this exploit.
  4. Monitor Adobe’s official security bulletins for the patch addressing this zero-day.
  5. Conduct a retro-hunt across mail gateways and file shares for the filename yummy_adobe_exploit_uwu.pdf or similar variants.
  6. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/1c6b8b94b3ad32fc76dc34f7daf614ac56762c703526ec06f82e0420074192a0/iocs
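The following script is an added example, written here for defenders and not code from the advisory or its sources. It turns recommendations 2, 5 and 6 into a repeatable hunt: it refangs the defanged indicators listed in the IOCs section, scans proxy-log lines for the “Adobe Synchronizer” User-Agent and for connections to the listed domain and IPs, and checks a file inventory for the listed SHA-256 hashes and the filename yummy_adobe_exploit_uwu.pdf. The log-line layout, the inventory format and the function names (scan_proxy_log, scan_file_inventory) are assumptions of this example; the sample log lines and inventory entries are constructed, not observed data.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Indicators copied from the advisory's IOCs section, still in defanged form.
DEFANGED_IOCS = {
    "ip": ["169.40.2[.]68", "188.214.34[.]20"],
    "domain": ["ado-read-parser[.]com"],
    "sha256": [
        "65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7",
        "54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f",
    ],
}
SUSPECT_USER_AGENT = "Adobe Synchronizer"          # recommendation 2
SUSPECT_FILENAME = "yummy_adobe_exploit_uwu.pdf"    # recommendation 5


def refang(indicator: str) -> str:
    """Undo the usual defanging so indicators can be matched against raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Refanged, lower-cased lookup sets (one per indicator type).
IOCS = {kind: {refang(v).lower() for v in vals} for kind, vals in DEFANGED_IOCS.items()}

# Assumed proxy-log layout: timestamp client_ip method url status "user-agent".
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): two benign, two matching the advisory.
SAMPLE_PROXY_LOG = """\
2026-04-09T10:15:02Z 10.0.0.12 GET http://ado-read-parser.com/feed 200 "Adobe Synchronizer"
2026-04-09T10:15:05Z 10.0.0.12 GET https://www.adobe.com/ 200 "Mozilla/5.0"
2026-04-09T10:16:41Z 10.0.0.23 POST http://188.214.34.20/rss 200 "Adobe Synchronizer"
2026-04-09T10:17:00Z 10.0.0.31 GET https://example.org/doc.pdf 200 "Mozilla/5.0"
"""

# Constructed file inventory as (path, sha256). The all-zero digest is a placeholder.
SAMPLE_INVENTORY = [
    ("/srv/share/invoices/Q1-report.pdf", "00" * 32),
    ("/srv/share/inbox/yummy_adobe_exploit_uwu.pdf", "00" * 32),
    ("C:\\Users\\alice\\Downloads\\doc.pdf",
     "65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7"),
]


def scan_proxy_log(log_text: str) -> list[dict]:
    """Return one hit per log line that matches the User-Agent or a network IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the hunt
        rec = m.groupdict()
        host = (urlparse(rec["url"]).hostname or "").lower()
        reasons = []
        if SUSPECT_USER_AGENT.lower() in rec["ua"].lower():
            reasons.append("user-agent")
        if host in IOCS["domain"]:
            reasons.append("domain")
        if host in IOCS["ip"]:
            reasons.append("ip")
        if reasons:
            # The User-Agent alone only warrants review (the advisory says "consider
            # blocking"); a listed host turns the same event into a block decision.
            action = "block" if ("domain" in reasons or "ip" in reasons) else "review"
            hits.append({"ts": rec["ts"], "src": rec["src"], "host": host,
                         "reasons": reasons, "action": action})
    return hits


def scan_file_inventory(entries: list[tuple[str, str]]) -> list[dict]:
    """Flag inventory entries whose hash or filename is listed in the advisory."""
    hits = []
    for path, digest in entries:
        reasons = []
        if digest.lower() in IOCS["sha256"]:
            reasons.append("sha256")
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == SUSPECT_FILENAME:
            reasons.append("filename")
        if reasons:
            hits.append({"path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("NETWORK", h)
    for h in scan_file_inventory(SAMPLE_INVENTORY):
        print("FILE", h)
```

Matching on the hostname rather than the raw URL string avoids both missed hits (different paths under the same C2 host) and false positives (the IP appearing inside a query string). Retro-hunting by filename alone is weak evidence, which is why a name-only match is reported separately from a hash match.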

IOCs

SHA-256: 65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7
SHA-256: 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f
IP: 169.40.2[.]68
IP: 188.214.34[.]20
Domain: ado-read-parser[.]com

Sources:

  • https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html
  • https://www.linkedin.com/feed/update/urn:li:activity:7447732911405142016/
  • https://www.sophos.com/en-us/blog/adobe-reader-zero-day-vulnerability-in-active-exploitation
