Full Report
Malicious PDFs abuse legit features to harvest system data and decide which victims get a 2nd-stage payload Hackers have been quietly exploiting what appears to be a zero-day in Adobe Acrobat Reader for months, using booby-trapped PDFs to profile targets and decide who's worth fully compromising.…
Analysis Summary
# Vulnerability: Adobe Acrobat Reader Fingerprinting and Multi-Stage PDF Exploit
## CVE Details
- **CVE ID:** Pending (Zero-Day at time of reporting)
- **CVSS Score:** N/A (Estimated High/Critical if RCE/SBX achieved)
- **CWE:** CWE-693 (Protection Mechanism Failure), CWE-200 (Information Exposure)
## Affected Systems
- **Products:** Adobe Acrobat Reader
- **Versions:** All versions up to at least April 2026 (the exploit was confirmed to work on "up-to-date" installations).
- **Configurations:** Default installations where JavaScript execution in PDFs is enabled.
## Vulnerability Description
The vulnerability involves the abuse of built-in Acrobat APIs by heavily obfuscated JavaScript embedded within PDF documents. The script executes automatically when the file is opened; no further user interaction is required ("no clicks required").
The flaw allows for a multi-stage attack:
1. **Reconnaissance/Fingerprinting:** The script uses legitimate but abused features to harvest OS info, language settings, and local file paths.
2. **Conditional Execution:** The gathered data is exfiltrated to an attacker-controlled server. If the victim's profile meets specific criteria, the server delivers a second-stage payload.
3. **Advanced Exploitation:** Potential for Remote Code Execution (RCE) and Sandbox Escape (SBX) during the second stage.
## Exploitation
- **Status:** Exploited in the wild (active since at least November 2025).
- **Complexity:** Low (No user interaction beyond opening the file).
- **Attack Vector:** Network (via malicious PDF delivery, e.g., email or web download).
## Impact
- **Confidentiality:** High (Steals local file information and system metadata, and fingerprints the environment).
- **Integrity:** High (Potential for RCE and further system compromise via second-stage payloads).
- **Availability:** High (Potential for full system takeover).
## Remediation
### Patches
- **None Currently Available:** Adobe has not yet released a patch or official advisory for this specific zero-day.
### Workarounds
- **Disable JavaScript in Adobe Reader:** Go to `Edit > Preferences > JavaScript` and uncheck "Enable Acrobat JavaScript."
- **Use Alternative Viewers:** Utilize browser-based PDF viewers or hardened PDF readers that do not support complex JavaScript/API execution.
- **Enhanced Sandboxing:** Ensure Protected Mode is enabled, though researchers suggest this zero-day may aim for sandbox escapes.
## Detection
- **Indicators of Compromise:**
  - Network traffic to unrecognized external servers immediately after opening a PDF.
  - PDF files containing heavily obfuscated JavaScript blocks.
  - Files uploaded to VirusTotal as early as Nov 28, 2025, linked to this activity.
- **Detection Methods and Tools:**
  - **EXPMON:** Sandbox-based detection systems have flagged this behavior.
  - **EDR/SIEM:** Monitor for `AcroRd32.exe` or `Acrobat.exe` attempting to access sensitive local file paths or initiating unusual outbound network connections.
  - **Lure Content:** Be wary of documents referencing the Russian oil and gas sector, as these have been identified as specific lures.
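A static triage script for the "obfuscated JavaScript blocks" indicator above, added here as an example (it is not the report's or EXPMON's tooling): it checks whether a PDF's JavaScript is wired to run on open and whether it carries common packing markers. The sample PDFs, the marker list and the entropy threshold are constructed assumptions, and the heuristics are a triage aid, not a replacement for sandbox analysis.

```python
"""Static triage of a PDF for the traits the report describes: JavaScript wired to
run on open (/OpenAction or /AA) that is heavily obfuscated. Heuristics only."""
import math
import re
import zlib

MARKERS = (b"eval(", b"unescape(", b"String.fromCharCode", b"\\x", b"%u")  # assumed list

def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names (/J#53 == /JS) so hidden keys still match."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf))) if n else 0.0

def triage_pdf(raw: bytes) -> dict:
    data = normalise_names(raw)
    # Also search inside Flate-compressed streams, where real samples often hide the script
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            data = data + b"\n" + zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not Flate-encoded or damaged: skip it
    auto_run = re.search(rb"/(OpenAction|AA)\b", data) is not None
    has_js = re.search(rb"/(JavaScript|JS)\b", data) is not None
    markers = [m for m in MARKERS if m in data]
    # Packed payloads push the entropy of the longest literal string well above plain JS
    longest = max(re.findall(rb"\((.*?)\)\s*>>", data, re.S), key=len, default=b"")
    entropy = shannon_entropy(longest)
    obfuscated = bool(markers) or (len(longest) > 256 and entropy > 5.0)  # assumed threshold
    verdict = "suspicious" if auto_run and has_js and obfuscated else "low"
    return {"auto_run": auto_run, "has_js": has_js, "markers": markers,
            "entropy": round(entropy, 2), "verdict": verdict}

# Constructed samples: the first hides the /JS key with a #xx escape and packs its
# script with unescape/fromCharCode; the second runs plain, readable JavaScript.
SAMPLE_OBFUSCATED = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /J#53 (eval(unescape(\"%u6170%u702e\")); "
    b"var x = String.fromCharCode(0x61, 0x6c, 0x65, 0x72, 0x74);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_PLAIN = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert(\"Document loaded\");) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

Run `triage_pdf(open(path, "rb").read())` over a quarantined sample; a "suspicious" verdict is a prompt for sandbox detonation, not a confirmation.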
## References
- **Vendor Advisories:** None at this time.
- **Relevant Links:**
  - hxxps[://]justhaifei1[.]blogspot[.]com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html
  - hxxps[://]x[.]com/Gi7w0rm/status/2042003381158379554
  - hxxps[://]x[.]com/HaifeiLi/status/2041967201918599664