{"id":232881,"date":"2026-04-09T07:15:00","date_gmt":"2026-04-09T11:15:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/09\/adobe-reader-zero-day-exploited-via-malicious-pdfs-since-december-2025\/"},"modified":"2026-04-09T11:05:10","modified_gmt":"2026-04-09T15:05:10","slug":"adobe-reader-zero-day-exploited-via-malicious-pdfs-since-december-2025","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/09\/adobe-reader-zero-day-exploited-via-malicious-pdfs-since-december-2025\/","title":{"rendered":"Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/adobe-reader-zero-day-exploited-via.html\">Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/adobe-reader-zero-day-exploited-via.html\">https:\/\/thehackernews.com\/2026\/04\/adobe-reader-zero-day-exploited-via.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-09 07:15:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">Apr 09, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Threat Intelligence<\/span><\/p>\n<p>Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December\u00a02025.<\/p>\n<p>The finding, detailed by EXPMON&#8217;s Haifei Li, has\u00a0been described as a highly-sophisticated PDF exploit.\u00a0The artifact (&#8220;Invoice540.pdf&#8221;) first appeared on the VirusTotal platform on November 28, 2025.\u00a0A second\u00a0sample was uploaded to VirusTotal on March 23,\u00a02026.<\/p>\n<p>Given the name of the PDF document, it&#8217;s likely that there is an element of social engineering involved, with the attackers luring unsuspecting users into opening the files on Adobe Reader. Once\u00a0launched, it automatically triggers the execution of obfuscated JavaScript to harvest sensitive data and receive additional\u00a0payloads.<\/p>\n<p>Security researcher Gi7w0rm, in\u00a0an X\u00a0post, said the PDF documents observed contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in\u00a0Russia.<\/p>\n<p>&#8220;The sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits,&#8221; Li\u00a0said.<\/p>\n<p>&#8220;It abuses zero-day\/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe\u00a0Reader.&#8221;<\/p>\n<p>It also comes with capabilities to exfiltrate the collected information to a remote server (&#8220;169.40.2[.]68:45191&#8221;) and receive additional JavaScript code to be\u00a0executed.<\/p>\n<p>This mechanism, Li argued, could be used to collect local data, perform advanced fingerprinting attacks, and set the stage for follow-on activity, including delivering additional exploits to achieve code execution or\u00a0sandbox.<\/p>\n<p>The exact nature of this next-stage exploit remains unknown as no response was received from the server. This, in turn, could imply the local testing environment from which&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/adobe-reader-zero-day-exploited-via.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 https:\/\/thehackernews.com\/2026\/04\/adobe-reader-zero-day-exploited-via.html Publish Date: 2026-04-09 07:15:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":232882,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgwKu6NdwE0kgawNywNJK7cGCEdRfzOKwsH9AeIT7zJ49RPq_KJAG3SyjH44SS8Zsd-gAUFDFKnfdpaFH8sAZT9wevB2fS0QVk-gCp8xg7j1XcwGJzv05xpoMN4O-oiEd1v3U3kuqW8cTGk0QlHPPS5GgifHq5DBgrE9R_6GxqxYb1erEN_qvAnUG6VFkx0\/s1600\/adobe.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,27],"class_list":["post-232881","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232881"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=232881"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232881\/revisions"}],"predecessor-version":[{"id":232883,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232881\/revisions\/232883"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/232882"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=232881"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=232881"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=232881"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}