Haifei Li found that the attack is triggered as soon as a victim opens a specially crafted PDF file. One sample<\/a> identified on VirusTotal was named \u201c Once the file is open, it runs hidden, heavily obfuscated JavaScript code. This code hijacks two built-in software tools called Li further explained in a blog post<\/a> that this is just the first step because by collecting info and fingerprinting the computer, hackers can prepare for even worse actions. This includes Remote Code Execution<\/a> (RCE), which lets them run their own programmes on the victim’s machine, or a Sandbox Escape (SBX) to bypass built-in security barriers and take full control.<\/p>\n Dear security community\/researchers, I'd really like to call to look at this https:\/\/t.co\/BuvZtpBChe<\/a>, this information shows that the threat actors behind this Adobe Reader 0day attack was not just collecting local information but was really delivering additional exploits, need\u2026<\/p>\n — Haifei Li (@HaifeiLi) April 8, 2026<\/a><\/p><\/blockquote>\nInvoice540.pdf<\/code>,\u201d suggesting the attackers are using fake invoices as a lure. Li notes that the exploit is particularly dangerous because it runs on the latest version of Adobe Reader without requiring any additional user interaction.<\/p>\n![\"Adobe](\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/Active-0-day-flaw-in-Adobe-Reader-exploited-to-steal-data-since-2025.png\")
<\/a>APIs: util.readFileIntoStream<\/code>, which is normally used to handle files, and RSS.addFeed, which usually manages web updates. By abusing these, the hackers can secretly steal data from the computer and send it to a remote server at the address 169.40.2.68<\/code>.<\/p>\n\n