# Zero-Day in Adobe Reader Exploited for Data Harvesting via Malicious PDFs
Threat actors have been actively exploiting a zero-day vulnerability in **Adobe Reader** since at least December 2025. The vulnerability is triggered by maliciously crafted PDF documents and leads to sensitive data harvesting.

Security researchers have uncovered an active zero-day exploit targeting **Adobe Reader**, utilizing specially crafted PDF files. The exploit, flagged by **EXPMON**'s Haifei Li, is described as a sophisticated attack leveraging a previously unknown vulnerability.
### Discovery and Analysis
The malicious artifact, named "Invoice540.pdf," was first observed on **VirusTotal** on November 28, 2025. A second sample appeared on March 23, 2026. The filename suggests a social engineering component, enticing users to open the files.
When the file is opened, the PDF runs obfuscated JavaScript code designed to collect sensitive information and download additional payloads.
### Targeting and Techniques
Security researcher Gi7w0rm noted that the PDF documents contain lures in Russian, referencing current events related to the oil and gas industry in Russia. This suggests a targeted campaign.
According to Li, the exploit acts as an initial entry point, capable of collecting and leaking diverse data types, potentially leading to Remote Code Execution (RCE) and Sandbox Escape (SBX) exploits.
"The sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits," Li said.
### Technical Details
The vulnerability allows privileged Acrobat JavaScript APIs to be invoked from the document, even on the latest version of **Adobe Reader**. The exploit also includes functionality to exfiltrate collected data to a remote server (169.40.2[.]68:45191) and to receive additional JavaScript code for execution.
This mechanism could enable advanced fingerprinting attacks and pave the way for further exploitation, including delivering additional exploits to achieve code execution or sandbox escape.
The exact nature of the next-stage exploit remains unclear, as the remote server did not respond during analysis. This could indicate that the testing environment didn't meet the criteria for payload delivery.
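A defender-side triage script, added here as an example and not code from the article or from EXPMON: it scans a PDF's raw bytes for the auto-run action plus JavaScript combination described above, decodes hex-escaped PDF names that hide those keywords, and checks for the reported exfiltration host. The three PDFs are constructed for the demo and are not the real Invoice540.pdf.

```python
import re

# Constructed sample (not the real Invoice540.pdf): a /OpenAction that points at a
# JavaScript action, so the script runs as soon as the document is opened.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Same trigger with hex-escaped names (/Open#41ction, /Java#53cript, /J#53),
# a common way to hide keywords from naive string matching; the script body
# carries the reported host as a plain string so the indicator check fires.
SAMPLE_PDF_ESCAPED = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /Java#53cript /J#53 (var host = "169.40.2.68:45191") >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Benign constructed document with no actions at all, as the control case.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

AUTO_ACTIONS = (b"/OpenAction", b"/AA")   # actions that run without a user click
SCRIPT_KEYS = (b"/JavaScript", b"/JS")    # JavaScript action type / script body
# The exfiltration host reported in the article, in undefanged form.
DEFAULT_INDICATORS = (b"169.40.2.68",)

def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so /Java#53cript and /J#53 compare as /JavaScript and /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes, indicators=DEFAULT_INDICATORS) -> dict:
    """Flag a PDF that both auto-runs an action and carries JavaScript, and
    list any known indicators present in the raw bytes."""
    norm = normalise_names(data)
    result = {
        "auto_action": any(k in norm for k in AUTO_ACTIONS),
        "javascript": any(k in norm for k in SCRIPT_KEYS),
        "indicators": [i.decode() for i in indicators if i in norm],
    }
    result["suspicious"] = result["auto_action"] and result["javascript"]
    return result
```

Objects packed into compressed object streams are invisible to a raw byte scan, so run the check on output from a PDF parser that inflates streams first. Treat a hit as a reason to detonate the file in a sandbox and review the script, not as proof of this specific exploit.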
### Call to Action
"Nevertheless, this zero-day/unpatched capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert," Li said.
### Update
**Adobe** has released security updates for the vulnerability (**CVE-2026-34621**, CVSS score: 9.6). Please [check here for more details](https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html).