Months-old Adobe Reader zero-day uses PDFs to size up targets
- Reference: 1775745013
- News link: https://www.theregister.co.uk/2026/04/09/monthsold_adobe_reader_zeroday_uses/
Security researcher Haifei Li, founder of the sandbox-based exploit detection system EXPMON, [1]said the campaign uses a malicious PDF that runs as soon as it's opened, working against even up-to-date Reader installations with no clicks required beyond viewing the file.
The exploit leans on heavily obfuscated JavaScript that runs as soon as it's opened. Instead of blowing up straight away, it starts pulling information from the machine using built-in Acrobat APIs, including local files and system details, and sends it back to servers under the attacker's control.
The first pass is basically recon. It grabs OS info, language settings, and file paths to figure out what it's landed on. If the box looks useful, it pulls a second-stage payload and runs it inside Reader. Researchers say that stage could escalate things further, up to remote code execution or even a sandbox escape.
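A defensive first-pass check for files of the kind described above, added here as an example and not taken from the article, from EXPMON or from any of the researchers quoted: it flags PDFs that wire a JavaScript action to an on-open trigger, normalising hex-escaped name tokens first so that a disguised `/J#61vaScript` is still caught. The sample PDFs are constructed for the demonstration.

```python
import re

# PDF name tokens may use #xx hex escapes (/J#61vaScript is the same name as
# /JavaScript), so names are normalised before any keyword matching.
NAME_ESCAPE = re.compile(rb'#([0-9A-Fa-f]{2})')

AUTO_ACTION_KEYS = (b'/OpenAction', b'/AA')   # actions fired without a click
SCRIPT_KEYS = (b'/JavaScript', b'/JS')        # JavaScript action / script body
SUSPECT_KEYS = AUTO_ACTION_KEYS + SCRIPT_KEYS

def unescape_names(data: bytes) -> bytes:
    """Replace #xx escapes inside PDF name tokens with the literal byte."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def count_keys(data: bytes) -> dict:
    """Count each suspect key as a whole name token (so /JS does not match /JSX)."""
    norm = unescape_names(data)
    return {k.decode(): len(re.findall(re.escape(k) + rb'(?![A-Za-z0-9])', norm))
            for k in SUSPECT_KEYS}

def triage(data: bytes) -> dict:
    """Flag PDFs that carry script and wire it to an automatic action."""
    counts = count_keys(data)
    auto = any(counts[k.decode()] for k in AUTO_ACTION_KEYS)
    script = any(counts[k.decode()] for k in SCRIPT_KEYS)
    # Objects inside compressed object streams (/ObjStm, PDF 1.5+) are not
    # visible to a plain-text scan, so a clean result there is not conclusive.
    compressed = b'/ObjStm' in unescape_names(data)
    if auto and script:
        verdict = 'review: script wired to an automatic action'
    elif script:
        verdict = 'review: script present'
    elif compressed:
        verdict = 'inconclusive: object streams need decoding first'
    else:
        verdict = 'no plain-text indicators'
    return {'counts': counts, 'auto_action': auto, 'script': script,
            'object_streams': compressed, 'verdict': verdict}

# Constructed sample: a minimal PDF whose catalog opens a JavaScript action,
# with the action name hex-escaped the way evasive samples often are.
SAMPLE_AUTO_JS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (script body omitted) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
```

A hit from `triage()` is a reason to detonate the file in a sandbox or decode its streams, not a verdict on its own; an "inconclusive" result means the object streams must be inflated before the keys can be trusted.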
"Such a mechanism allows the threat actor to collect user information, steal local data, perform advanced 'fingerprinting', and launch future attacks," Li said. "If the target meets the attacker's conditions, the attacker may deliver additional exploit to achieve RCE or SBX."
In other words, not every victim gets the same treatment. Some systems are only profiled, while others receive a second-stage payload, which suggests a more targeted approach.
There are also early clues about who those targets might be. Another researcher, [9]Gi7w0rm, found that lure documents tied to the exploit contain Russian-language content referencing current events in the country's oil and gas sector. That doesn't prove attribution, but it does suggest the attackers had a specific audience in mind rather than casting a wide net.
What makes this whole thing more than just another PDF bug is how long it appears to have gone unnoticed. Li [10]pointed to a related sample uploaded to VirusTotal on November 28, 2025, suggesting the campaign had been active for at least four months before it was spotted. That puts activity back in late 2025, even though it only came to light in March.
There's still no CVE, no patch, and Adobe hasn't said anything publicly or responded to The Register's questions. That leaves users exposed for now, especially if they're in the habit of opening PDFs from unknown sources. ®
[1] https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html
[9] https://x.com/Gi7w0rm/status/2042003381158379554
[10] https://x.com/HaifeiLi/status/2041967201918599664
Re: JavaScript in PDFs?
I have always disabled javascript in Adobe Reader as soon as it is installed, but Adobe is one of those companies that corrects you when it discovers that you have made a choice.
even though it only came to light in March.x
That's a little forward of you!
What about non-Adobe PDF readers?
Eg [1]atril, or [2]Foxit?
[1] https://en.wikipedia.org/wiki/Atril#Component_applications
[2] https://en.wikipedia.org/wiki/Foxit_PDF_Reader
Re: What about non-Adobe PDF readers?
I had the same question. Is this vulnerability exclusive to Adobe or an issue with the PDF standard itself?
(I'm using PDF-XChange exclusively at work (full license paid by employer), and both that (free version) and Evince for non-work stuff. I try to avoid Adobe.)
PDFs from unknown sources
Shirley an effective campaign would also rely on sending dodgy PDFs to the contacts of an already compromised system. These days even the most novice users tend to be more wary of unknown sources and often receive training about that very scenario.
Emails from day to day suppliers, colleagues, departments - those are more likely to be clicked without as much scrutiny.
JavaScript in PDFs?
Nice security black hole! Why do we keep doing stupid things like this? I know that JS is used for validation and steering in PDF forms, but wasn't there a better way of enabling that functionality without putting full JS in there?
If you're running Firefox and don't use PDF forms, setting pdfjs.enableScripting to false might be a smart idea, even if Firefox isn't subject to this particular fault.