Unpatched Adobe Reader Zero-Day Exploited for Months via Weaponized PDFs Targeting Energy and Government Sectors
A zero-day vulnerability in Adobe Reader has been under active exploitation since at least late November 2025, and Adobe still hasn't released a patch [1][4]. The flaw requires nothing more than opening a PDF. No clicks, no macros, no additional prompts. Attackers are using it to fingerprint victim systems, steal local files, and potentially stage follow-on payloads including remote code execution and sandbox escapes [3][6]. The campaign appears to target Russian-speaking organizations in the energy and government sectors, using decoy documents referencing gas supply disruptions and emergency response protocols [4].
Security researcher Haifei Li, founder of the EXPMON sandbox-based exploit detection platform, identified the exploit after a sample was submitted to the platform on March 26, 2026 [6]. A second variant was flagged by researcher Greg Lesnewich on April 8 [8]. The earliest known sample dates to November 28, 2025, based on VirusTotal upload timestamps [2][3]. That means this vulnerability has been exploitable in the wild for over four months with zero vendor remediation.
Background: The EXPMON Discovery
EXPMON is a detection platform built around behavioral analytics for exploit identification. Traditional antivirus products initially failed to flag the malicious PDFs, which posted low detection rates on VirusTotal [5]. EXPMON caught the sample because of suspicious JavaScript engine activity triggered immediately upon document open [5].
Haifei Li confirmed the vulnerability works on the latest version of Adobe Reader at the time of discovery [1]. He stated: "This 'fingerprinting' exploit has been confirmed to leverage a zero-day/unpatched vulnerability that works on the latest version of Adobe Reader without requiring any user interaction beyond opening a PDF file" [1]. Adobe was notified but has issued no patch, no advisory, and no public acknowledgment as of April 9, 2026 [1][5].
Campaign Targeting and Lure Content
Researcher Giuseppe Massaro analyzed recovered samples and found Russian-language documents used as visual decoys [4]. The content references gas supply disruptions and emergency response topics, pointing toward targets in Russia's government administration or energy infrastructure sectors [4]. At least one sample used the filename Invoice540.pdf, a social engineering choice designed to blend into routine business communications [1].
Two distinct attack variants have been identified, each using separate command-and-control infrastructure [7]. The campaign uses purpose-built infrastructure with zero prior detections, suggesting careful operational planning rather than opportunistic reuse of commodity tooling [7].
JavaScript Execution on Document Open
The malicious PDFs embed heavily obfuscated JavaScript within PDF form objects [2]. This JavaScript executes automatically the moment a victim opens the file. No interaction beyond opening is required [1][3]. The obfuscation is dense enough to defeat static analysis by most AV engines at the time of initial discovery [5].
Privileged API Abuse
The exploit abuses two privileged Acrobat APIs that are not normally accessible to standard PDF JavaScript:
- util.readFileIntoStream(): Used to read local files from the victim's system. Li demonstrated that the exploit could successfully read a .png file from the system32 directory [6]. The exploit also targets system files including ntdll.dll and bootsvc.dll for OS version fingerprinting and data extraction [6].
- RSS.addFeed(): Abused to establish outbound communications with attacker-controlled servers [1].
These APIs bypass Adobe's standard JavaScript security restrictions, giving the exploit direct access to local file system operations and network communication channels.
System Fingerprinting
Once running, the JavaScript collects a comprehensive fingerprint of the target system [2][8]:
- Operating system version
- Adobe Reader version
- Language and locale settings
- Local file paths
- System file contents for version identification
Li noted: "Such a mechanism allows the threat actor to collect user information, steal local data, perform advanced 'fingerprinting', and launch future attacks" [2].
C2 Communication
Exfiltrated data is sent to attacker-controlled servers over HTTP using a distinctive User-Agent string: Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533) [7][8]. Two C2 servers have been identified across the two variants. The first variant communicates with 169.40.2.68 on port 45191, while the second uses 188.214.34.20 on port 34123 [4][7]. The process AdobeCollabSync.exe is abused to handle outbound network connections, making the traffic appear to originate from a legitimate Adobe component [7].
Server-Side Filtering and Second-Stage Capability
Researchers have not observed delivery of second-stage payloads in the wild [2][3]. This absence is deliberate. The attackers appear to use server-side victim filtering, selectively deploying further exploits only against targets that match specific criteria derived from the fingerprinting data [7]. Li confirmed that "the remote server has the capability to deliver and launch subsequent RCE or SBX exploits" [6]. The fingerprinting-first approach minimizes exposure of the attacker's more valuable capabilities.
Indicators of Compromise
| Type | Value | Context | Source |
|---|---|---|---|
| IP | 169.40.2.68 | Primary C2 server (Variant 1) | [1] |
| IP | 188.214.34.20 | C2 server (Variant 2) | [4] |
| URL | http://169.40.2.68:45191/rs1 | C2 endpoint for data exfiltration | [7] |
| URL | http://188.214.34.20:34123/rs1 | C2 endpoint for initial communication | [7] |
| URL | http://188.214.34.20:34123/s11 | C2 endpoint for fingerprint data | [7] |
| Domain | ado-read-parser.com | C2 domain | [7] |
| Filename | Invoice540.pdf | Malicious PDF lure | [1] |
| Filename | AdobeCollabSync.exe | Adobe process abused for C2 comms | [7] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Malicious PDFs delivered as email attachments with invoice-themed lures [1][3] |
| T1203 | Exploitation for Client Execution | Zero-day exploitation of Adobe Reader upon document open [1][6] |
| T1082 | System Information Discovery | Collection of OS version, Reader version, language settings [2][8] |
| T1083 | File and Directory Discovery | Enumeration and reading of local file paths and system files [6] |
| T1005 | Data from Local System | Reading of local files via util.readFileIntoStream() [6] |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTP-based C2 using custom User-Agent [7][8] |
| T1041 | Exfiltration Over C2 Channel | Fingerprint data sent directly to C2 servers [7] |
| T1033 | System Owner/User Discovery | User and system identification as part of fingerprinting [2] |
Detection and Hunting
Network-Based Detection:
The most reliable network indicator is the Adobe Synchronizer User-Agent string in HTTP traffic [8]. This is not a standard Adobe component string and should not appear in normal enterprise traffic. A Splunk-style query:
index=proxy OR index=web user_agent="*Adobe Synchronizer*"
Monitor for outbound connections from AdobeCollabSync.exe to external IPs, particularly on non-standard ports like 45191 and 34123 [7]. This process should not normally initiate external network connections.
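The two network checks described above (the Adobe Synchronizer User-Agent in proxy logs, and AdobeCollabSync.exe connecting to external addresses in endpoint network telemetry) can be run together over exported logs. The following is an added example written for this report, not code from any of the cited researchers: the indicator values come from the IOC table, while the key=value proxy log format and the flattened Sysmon Event ID 3 records are constructed samples. Private, loopback and link-local destinations are filtered so that legitimate internal traffic from the Adobe process is not flagged.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

# Network indicators from the report's IOC table. Everything below them is
# constructed sample telemetry, not captured campaign data.
C2_ENDPOINTS = {("169.40.2.68", 45191), ("188.214.34.20", 34123)}
C2_DOMAIN = "ado-read-parser.com"
UA_MARKER = "Adobe Synchronizer"
ABUSED_PROCESS = "adobecollabsync.exe"

# Constructed proxy log lines in a hypothetical key=value format.
PROXY_LOGS = [
    'ts=2026-04-08T10:01:02Z src=10.1.4.22 dst=151.101.1.69 dport=443 '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" url="https://cdn.example/check"',
    'ts=2026-04-08T10:02:11Z src=10.1.4.22 dst=169.40.2.68 dport=45191 '
    'ua="Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533)" url="http://169.40.2.68:45191/rs1"',
    'ts=2026-04-08T10:03:30Z src=10.1.4.37 dst=188.214.34.20 dport=34123 '
    'ua="Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533)" url="http://188.214.34.20:34123/s11"',
    'ts=2026-04-08T10:04:00Z src=10.1.4.40 dst=93.184.216.34 dport=80 '
    'ua="curl/8.5.0" url="http://ado-read-parser.com/rs1"',
]

# Constructed Sysmon Event ID 3 (network connection) records, flattened to dicts.
SYSMON_NET = [
    {"host": "WS-0142", "Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"host": "WS-0142", "Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe",
     "DestinationIp": "169.40.2.68", "DestinationPort": 45191},
    {"host": "WS-0201", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "13.107.4.50", "DestinationPort": 443},
    {"host": "WS-0309", "Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 8443},
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line; quoted values keep their inner spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def url_hostname(url: str) -> str:
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def check_proxy_line(line: str) -> List[str]:
    """Return the indicator names a proxy log line matches (empty if none)."""
    f = parse_kv(line)
    hits = []
    if UA_MARKER in f.get("ua", ""):
        hits.append("adobe-synchronizer-ua")
    try:
        if (f.get("dst"), int(f.get("dport", "0"))) in C2_ENDPOINTS:
            hits.append("known-c2-endpoint")
    except ValueError:
        pass
    host = url_hostname(f.get("url", ""))
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        hits.append("known-c2-domain")
    return hits


def check_sysmon_record(rec: Dict[str, object]) -> List[str]:
    """Flag AdobeCollabSync.exe talking to anything outside internal ranges."""
    if not str(rec.get("Image", "")).lower().endswith(ABUSED_PROCESS):
        return []
    ip = ipaddress.ip_address(str(rec["DestinationIp"]))
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return []
    hits = ["collabsync-external-connection"]
    if (str(ip), int(rec["DestinationPort"])) in C2_ENDPOINTS:
        hits.append("known-c2-endpoint")
    return hits


def hunt(proxy_logs: List[str], sysmon_records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run both checks and return one alert per matching event."""
    alerts = []
    for line in proxy_logs:
        hits = check_proxy_line(line)
        if hits:
            f = parse_kv(line)
            alerts.append({"source": "proxy", "src": f.get("src"), "dst": f.get("dst"), "hits": hits})
    for rec in sysmon_records:
        hits = check_sysmon_record(rec)
        if hits:
            alerts.append({"source": "sysmon", "host": rec["host"], "dst": rec["DestinationIp"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in hunt(PROXY_LOGS, SYSMON_NET):
        print(alert)
```

The User-Agent check matches on the token rather than the full string because the version suffix (23.8.20533 in the observed samples) may change between variants; the endpoint check is exact, so it should be extended as new C2 pairs are published.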
Endpoint-Based Detection:
Look for Adobe Reader spawning JavaScript execution that accesses util.readFileIntoStream() or RSS.addFeed() API calls. EDR platforms that hook into the Acrobat JavaScript engine can flag these. Specifically, watch for:
- AcroRd32.exe or Acrobat.exe reading files from C:\Windows\System32\ (particularly ntdll.dll, bootsvc.dll) outside of normal update operations [6]
- PDF files with embedded JavaScript form objects that trigger network connections upon open
- AdobeCollabSync.exe establishing connections to non-Adobe IP ranges
Email Gateway:
Sandbox detonation of PDF attachments is critical here because static analysis largely missed these samples [5]. Ensure your email security solution opens PDFs in an instrumented sandbox that monitors JavaScript execution and network callbacks, not just signature-based detection.
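Sandbox detonation is the primary control, but a structural pre-filter at the gateway can route the suspicious subset (JavaScript wired to an open action, privileged API names, dense obfuscated blobs) to the sandbox first. The script below is an added example for this report, not code from the cited researchers or from any vendor product. It scans a PDF's objects and its FlateDecode streams, resolves the two evasions a static string match misses (names written with #XX escapes such as /J#53, and scripts stored as hex strings), and grades the file. The indicator strings are those named in the report; the four PDFs it is run against are constructed in the block itself.

```python
import re
import zlib
from typing import Dict, List

# Indicator strings named in the report. The PDFs built further down are
# constructed for this example; they are not campaign artifacts.
SUSPICIOUS_KEYS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch"]
PRIVILEGED_APIS = [b"util.readFileIntoStream", b"RSS.addFeed"]

LONG_TOKEN_RE = re.compile(rb"[A-Za-z0-9+/=]{200,}")            # dense blob heuristic
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
HEX_STRING_RE = re.compile(rb"<([0-9A-Fa-f\s]+)>")               # PDF hex string <41 42>
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")               # /J#53 is /JS


def unescape_names(data: bytes) -> bytes:
    """Resolve #XX escapes so evasively written names match plain keywords."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def expand_hex_strings(data: bytes) -> bytes:
    """Decode PDF hex strings so keyword matching sees their plain text."""
    def repl(m):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"          # PDF pads an odd trailing digit with zero
        return bytes.fromhex(digits.decode("ascii"))
    return HEX_STRING_RE.sub(repl, data)


def decode_streams(pdf: bytes) -> List[bytes]:
    """Return every stream body, inflating FlateDecode streams where possible."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        dict_start = pdf.rfind(b"<<", 0, m.start())
        dictionary = pdf[dict_start:m.start()] if dict_start != -1 else b""
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass                # truncated or corrupt: scan the raw bytes instead
        bodies.append(body)
    return bodies


def triage_pdf(pdf: bytes) -> Dict[str, object]:
    """Grade a PDF on auto-run JavaScript, privileged API names and obfuscation."""
    findings: Dict[str, object] = {"keys": [], "apis": [], "obfuscation": False}
    for raw in [pdf] + decode_streams(pdf):
        data = expand_hex_strings(unescape_names(raw))
        for key in SUSPICIOUS_KEYS:
            if key in data and key.decode() not in findings["keys"]:
                findings["keys"].append(key.decode())
        for api in PRIVILEGED_APIS:
            if api in data and api.decode() not in findings["apis"]:
                findings["apis"].append(api.decode())
        if LONG_TOKEN_RE.search(data):
            findings["obfuscation"] = True
    has_js = any(k in findings["keys"] for k in ("/JS", "/JavaScript"))
    auto_run = any(k in findings["keys"] for k in ("/OpenAction", "/AA"))
    if findings["apis"] or (has_js and findings["obfuscation"]):
        findings["verdict"] = "high"        # privileged API names or obfuscated JS
    elif has_js and auto_run:
        findings["verdict"] = "medium"      # JavaScript wired to run on open
    elif has_js or auto_run:
        findings["verdict"] = "low"
    else:
        findings["verdict"] = "clean"
    return findings


def build_pdf(js: bytes, compress: bool) -> bytes:
    """Constructed minimal PDF whose catalog runs a JavaScript action on open."""
    body = zlib.compress(js) if compress else js
    filt = b" /Filter /FlateDecode" if compress else b""
    pdf = b"%PDF-1.7\n"
    pdf += b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    pdf += b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    pdf += b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
    pdf += b"4 0 obj << /Length " + str(len(body)).encode() + filt + b" >>\n"
    pdf += b"stream\n" + body + b"\nendstream\nendobj\n"
    pdf += b"trailer << /Root 1 0 R >>\n%%EOF\n"
    return pdf


BENIGN_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
AUTO_JS_PDF = build_pdf(b"app.alert('constructed sample');", compress=False)
COMPRESSED_PDF = build_pdf(
    b"var blob = '" + b"Q" * 260 + b"'; /* constructed marker: util.readFileIntoStream RSS.addFeed */",
    compress=True)
# Evasive variant: names written with #XX escapes, script stored as a hex string.
ESCAPED_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj\n"
               b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
               b"3 0 obj << /S /Ja#76aScript /J#53 <6170702e616c6572742831293b> >> endobj\n"
               b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_PDF), ("auto-js", AUTO_JS_PDF),
                         ("compressed", COMPRESSED_PDF), ("escaped", ESCAPED_PDF)]:
        print(name, triage_pdf(sample))
```

A "medium" or "high" verdict is a routing decision, not a detection: the file still goes to the instrumented sandbox, which is the only place the JavaScript engine activity and network callbacks that EXPMON keyed on can be observed. Object streams (/ObjStm) and other filters are not unpacked here, so a gateway deployment would add those decoders.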
Analysis
This campaign is a textbook example of a reconnaissance-first exploitation model. The operators invested in a zero-day not to immediately compromise systems, but to build a target database. The server-side filtering means that high-value payloads (RCE, sandbox escape) are reserved for targets that meet specific criteria [7]. This operational discipline is consistent with state-sponsored or advanced criminal groups that prioritize long-term access over rapid monetization.
The targeting profile supports this assessment. Russian-language lures referencing energy infrastructure and government emergency response aren't consistent with financially motivated cybercrime [4]. The purpose-built C2 infrastructure with zero prior detections further distinguishes this from commodity operations [7].
Adobe's silence is concerning. Over four months of active exploitation with no patch, no advisory, and no workaround guidance from the vendor leaves every organization running Adobe Reader exposed. The latest version is vulnerable [1]. There is no safe configuration within the application itself.
Red Sheep Assessment
Confidence: Moderate-High
The sources collectively paint a picture that goes beyond opportunistic exploitation. Two distinct variants with separate C2 infrastructure, server-side victim filtering, and energy/government targeting in Russian-language lures suggest a well-resourced operation with specific intelligence collection objectives. The absence of observed second-stage payloads doesn't mean they don't exist. It means the operators are disciplined enough to withhold them from security researchers and sandbox environments.
The four-month exploitation window before public disclosure is troubling but not unusual for this class of threat actor. What stands out is the choice of attack surface. PDF-based zero-days targeting Adobe Reader have historically been associated with state-level operations (APT28, APT32, and others have used PDF exploits in past campaigns). The Russian-language targeting content could indicate a domestic Russian threat actor collecting against internal entities, or a non-Russian actor using Russian lures to target organizations that would find such documents routine.
A contrarian read: the Invoice540.pdf filename and the submission of a sample named yummy_adobe_exploit_uwu.pdf to EXPMON [4] could suggest that at least some samples are researcher-generated test cases rather than operational attack tools. However, the November 2025 VirusTotal timestamps and the confirmed C2 infrastructure make a purely academic origin unlikely.
Adobe's failure to patch after months of notification is the most actionable concern. Organizations cannot wait for vendor remediation. The defensive measures below should be treated as immediate priorities.
Defender's Checklist
- [ ] Block outbound traffic to 169.40.2.68:45191, 188.214.34.20:34123, and ado-read-parser.com at network perimeter firewalls and proxy servers [4][7]
- [ ] Deploy network detection for HTTP User-Agent strings containing Adobe Synchronizer, using the query user_agent="*Adobe Synchronizer*" across proxy and web traffic logs [8]
- [ ] Hunt for AdobeCollabSync.exe making external network connections in EDR telemetry; this process should not connect to non-Adobe IP ranges [7]
- [ ] Configure email security gateways to sandbox-detonate all PDF attachments with JavaScript execution monitoring enabled, as static AV missed initial samples [5]
- [ ] Evaluate deploying alternative PDF readers (Foxit, SumatraPDF, browser-native viewers) for high-risk user populations until Adobe issues a patch [1]
References
1. Hackers exploiting Acrobat Reader zero-day flaw since December
2. Old Adobe Reader zero-day uses PDFs to size up targets - The Register
3. Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025
4. Acrobat Reader zero-day exploited in the wild for many months - Help Net Security
5. Hackers Actively Attacking Adobe Reader Users Using Sophisticated 0-Day Exploit
6. EXPMON detected sophisticated zero-day fingerprinting attack targeting Adobe Reader users
7. Adobe Reader Zero-Day PDF Exploit - Full Forensic Analysis
8. Hackers are exploiting Adobe Reader zero-day flaw to steal data
---
Hunt Guide: Adobe Reader Zero-Day Fingerprinting Campaign
Hypothesis: If threat actors are exploiting the Adobe Reader zero-day vulnerability in our environment, we expect to observe malicious PDF documents executing JavaScript, AdobeCollabSync.exe making outbound connections to 169.40.2.68:45191, and Adobe Synchronizer user-agent strings in proxy logs.
Intelligence Summary: A zero-day vulnerability in Adobe Reader is being actively exploited through weaponized PDF documents to perform system fingerprinting and collect device information. The exploit uses privileged Acrobat APIs (util.readFileIntoStream() and RSS.addFeed()) to bypass security controls and communicate with attacker infrastructure at 169.40.2.68:45191.
Confidence: High | Priority: Critical
Scope
- Networks: All enterprise networks with Adobe Reader installations, prioritize high-value targets and users with access to sensitive data
- Timeframe: November 2025 to present (based on earliest known samples), focus on last 90 days for initial sweep
- Priority Systems: C-suite workstations, finance/accounting systems, HR systems processing PDFs, external-facing document processing services
MITRE ATT&CK Techniques
T1059.007 — JavaScript (Execution) [P1]
Malicious JavaScript embedded in PDF form objects executes to collect system fingerprinting data and communicate with C2 infrastructure
Splunk SPL:
index=* (sourcetype=WinEventLog:Security EventCode=4688 OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1) (Image="*\\AcroRd32.exe" OR Image="*\\Acrobat.exe" OR Image="*\\AdobeCollabSync.exe") | stats count by ComputerName Image CommandLine | where count > 5
Elastic KQL:
(event.code:4688 OR event.code:1) AND (process.executable:*\\AcroRd32.exe OR process.executable:*\\Acrobat.exe OR process.executable:*\\AdobeCollabSync.exe)
Sigma Rule:
title: Adobe Reader Zero-Day Exploitation Activity
id: 8b4f9e2a-1c3d-4f5e-9a2b-3c4d5e6f7a8b
status: experimental
author: RedSheep Security/Stone
date: 2026/04/07
description: Detects potential exploitation of Adobe Reader zero-day through suspicious process activity
references:
    - https://example.com/adobe-zero-day-report
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AcroRd32.exe'
            - '\Acrobat.exe'
            - '\AdobeCollabSync.exe'
    filter:
        CommandLine|contains:
            - 'Adobe Synchronizer'
    condition: selection and not filter
falsepositives:
    - Legitimate Adobe Reader updates
level: high
tags:
    - attack.execution
    - attack.t1059.007
Monitor for rapid successive Adobe process launches which may indicate automated exploitation. Baseline normal Adobe Reader behavior in your environment.
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P1]
The exploit communicates with C2 infrastructure at 169.40.2.68:45191 using HTTP/HTTPS with 'Adobe Synchronizer' user-agent
Splunk SPL:
index=proxy (dest_ip=169.40.2.68 AND dest_port=45191) OR http_user_agent="*Adobe Synchronizer*" | table _time src_ip dest_ip dest_port http_user_agent url bytes_out
Elastic KQL:
(destination.ip:169.40.2.68 AND destination.port:45191) OR user_agent.original:*Adobe\ Synchronizer*
Sigma Rule:
title: Adobe Reader Zero-Day C2 Communication
id: 7a3f8e9b-2d4c-5e6f-8b1a-9c2d4e5f6a7b
status: experimental
author: RedSheep Security/Stone
date: 2026/04/07
description: Detects network communication patterns associated with Adobe Reader zero-day exploitation
logsource:
    category: proxy
detection:
    selection1:
        dst_ip: '169.40.2.68'
        dst_port: 45191
    selection2:
        useragent|contains: 'Adobe Synchronizer'
    condition: selection1 or selection2
falsepositives:
    - None expected
level: critical
tags:
    - attack.command_and_control
    - attack.t1071.001
This is a high-confidence IOC. Any connections to 169.40.2.68:45191 should be immediately investigated and blocked.
T1082 — System Information Discovery (Discovery) [P2]
The malware collects OS version, language settings, Adobe Reader version, and local file paths for system fingerprinting
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=10 SourceImage="*\\AcroRd32.exe" TargetImage="*\\lsass.exe" | stats count by ComputerName SourceImage TargetImage CallTrace
Elastic KQL:
event.code:10 AND process.name:AcroRd32.exe AND winlog.event_data.TargetImage:*\\lsass.exe
Look for Adobe Reader processes accessing system information files or making WMI queries. May generate false positives during legitimate PDF operations.
T1566.001 — Phishing: Spearphishing Attachment (Initial Access) [P2]
Weaponized PDF documents with Russian-language lures targeting oil and gas industry are delivered via email
Splunk SPL:
index=email (attachment_name="*.pdf" AND (attachment_name="*Invoice*" OR body="*oil*" OR body="*gas*" OR body="*нефт*" OR body="*газ*")) | eval attachment_hash=lower(attachment_hash) | table _time sender recipient subject attachment_name attachment_hash attachment_size
Elastic KQL:
email.attachments.file.name:*.pdf AND (email.attachments.file.name:*Invoice* OR email.body:*oil* OR email.body:*gas* OR email.body:*нефт* OR email.body:*газ*)
Focus on PDFs with Russian language content or oil/gas industry references. Cross-reference with known malicious hashes.
T1055 — Process Injection (Defense Evasion) [P3]
The exploit has sandbox escape capabilities suggesting potential process injection or privilege escalation
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=8 SourceImage="*\\AcroRd32.exe" | stats count by ComputerName SourceImage TargetImage StartModule StartFunction
Elastic KQL:
event.code:8 AND process.name:AcroRd32.exe
Monitor for Adobe Reader creating remote threads in other processes. This may indicate sandbox escape attempts.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| ip | 169.40.2.68 | Command and control server for Adobe Reader zero-day exploit, receives fingerprinting data on port 45191 |
| filename | Invoice540.pdf | Known malicious PDF filename used in Russian-language campaign targeting oil and gas industry |
| filename | AdobeCollabSync.exe | Adobe process abused by the exploit to make external network connections |
| user-agent | Adobe Synchronizer | User-Agent string used in HTTP/HTTPS communications with attacker infrastructure |
IOC Sweep Queries (Splunk):
index=* (dest_ip=169.40.2.68 OR dest=169.40.2.68 OR dst=169.40.2.68 OR destination=169.40.2.68) | table _time src_ip dest_ip dest_port action bytes_in bytes_out
index=* (filename="Invoice540.pdf" OR file="Invoice540.pdf" OR attachment_name="Invoice540.pdf" OR process_name="Invoice540.pdf") | table _time host user filename file_path hash action
index=* (process_name="AdobeCollabSync.exe" OR Image="*\\AdobeCollabSync.exe" OR FileName="AdobeCollabSync.exe") EventCode=3 | table _time ComputerName DestinationIp DestinationPort
index=* (http_user_agent="*Adobe Synchronizer*" OR useragent="*Adobe Synchronizer*" OR cs_user_agent="*Adobe Synchronizer*") | table _time src_ip dest_ip url http_method status_code
YARA Rules
Adobe_ZeroDay_PDF_Exploit_2026 — Detects PDF files with embedded JavaScript matching Adobe zero-day exploitation patterns
rule Adobe_ZeroDay_PDF_Exploit_2026 {
    meta:
        description = "Detects PDF files with embedded JavaScript exploiting Adobe Reader zero-day"
        author = "RedSheep Security/Stone"
        date = "2026-04-07"
        threat_level = "critical"
        reference = "Adobe Reader Zero-Day Campaign March 2026"
    strings:
        $pdf_header = "%PDF-"
        $js_obj1 = "/JS" nocase
        $js_obj2 = "/JavaScript" nocase
        $api1 = "util.readFileIntoStream" nocase
        $api2 = "RSS.addFeed" nocase
        $api3 = "AdobeCollabSync" nocase
        $obfusc1 = /\/[A-Za-z0-9]{100,}/
        $rus1 = { D0 BD D0 B5 D1 84 D1 82 }   // нефт (oil in Cyrillic)
        $rus2 = { D0 B3 D0 B0 D0 B7 }         // газ (gas in Cyrillic)
        $invoice = "Invoice540" nocase
    condition:
        // 'and' binds tighter than 'or' in YARA, so the PDF header check is
        // applied to both branches explicitly; otherwise the second branch
        // would fire on any file type.
        $pdf_header at 0 and
        (
            (($js_obj1 or $js_obj2) and ($api1 or $api2 or $api3)) or
            ($obfusc1 and any of ($rus*, $invoice))
        )
}
Suricata Rules
SID 2045001 — Adobe Reader Zero-Day C2 Communication to 169.40.2.68
alert http $HOME_NET any -> 169.40.2.68 45191 (msg:"ET TROJAN Adobe Reader Zero-Day C2 Communication"; flow:established,to_server; content:"Adobe Synchronizer"; http_user_agent; reference:url,example.com/adobe-zero-day; classtype:trojan-activity; sid:2045001; rev:1;)
SID 2045002 — Adobe Reader Zero-Day HTTP User-Agent Detection
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Adobe Reader Zero-Day Suspicious User-Agent"; flow:established,to_server; content:"Adobe Synchronizer"; http_user_agent; reference:url,example.com/adobe-zero-day; classtype:trojan-activity; sid:2045002; rev:1;)
The content match is deliberately not depth-limited: in the observed User-Agent string, Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533), the Adobe Synchronizer token begins after the 25-byte Mozilla/3.0 (compatible; prefix, so a depth of 20 bytes would never match [7][8].
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1059.007, T1082, T1055 | EventID 1 (process creation), EventID 3 (network connection), EventID 8 (CreateRemoteThread), EventID 10 (process access) |
| Windows Security | T1059.007 | EventID 4688 (process creation) with command line auditing enabled |
| Proxy/Web Gateway | T1071.001 | HTTP/HTTPS logs with User-Agent string capture required |
| Email Security | T1566.001 | Email gateway logs with attachment analysis and hash extraction |
| DNS Logs | T1071.001 | DNS query logs for potential domain-based C2 |
| EDR | T1059.007, T1082, T1055 | Process behavior monitoring and file activity tracking |