thehackernews.com 4/9/2026, 12:10:37 PM

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader via malicious PDFs since December 2025. EXPMON's Haifei Li detailed the activity, describing a highly sophisticated PDF exploit. The first artifact, named "Invoice540[.]pdf", appeared on VirusTotal on 28 November 2025, and a second sample was uploaded on 23 March 2026.

The PDFs are believed to employ social engineering to coax users into opening them in Adobe Reader, where obfuscated JavaScript is used to harvest data and fetch additional payloads. According to Haifei Li, the sample can collect and leak various types of information and may enable remote code execution and sandbox escape exploits, abusing a zero-day/unpatched vulnerability that allows privileged Acrobat APIs to run.

The operation exfiltrates data to a remote server at 169.40.2[.]68:45191 and can deliver further JavaScript to be executed, potentially enabling follow-on activity and more extensive compromises. Security researchers have flagged the zero-day as a reason for heightened alert. Social-engineering cues include Russian-language lures related to current oil and gas industry events in Russia.
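For defenders triaging inbound PDFs for the embedded JavaScript described above, the following is an added example (not code from the article or from EXPMON). It counts script and auto-action keys after undoing PDF name hex escapes and inflating Flate streams. The key names are standard PDF names, the sample is a constructed, inert fragment, and a non-zero count is a reason for closer inspection, not a verdict.

```python
import re
import zlib

# PDF name keys that mark embedded script or auto-run actions.
KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA")

def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Best-effort inflate of Flate stream bodies (object streams hide names)."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data; its raw bytes are still scanned below
    return b"\n".join(out)

def triage(data: bytes) -> dict:
    """Count script/auto-action keys in raw and inflated content."""
    text = decode_names(data + b"\n" + inflate_streams(data))
    counts = {}
    for key in KEYS:
        # Require a delimiter after the name so /JS does not match /JSFoo.
        pattern = re.escape(key.encode()) + rb"(?=[\s/<>\[\]()]|$)"
        counts[key] = len(re.findall(pattern, text))
    return counts

def build_sample() -> bytes:
    """Constructed, inert PDF fragment (not one of the samples in the article)."""
    hidden = zlib.compress(
        b"<< /AA << /O << /S /JavaScript /JS (placeholder) >> >> >>")
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
            b"4 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + hidden +
            b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for key, n in triage(build_sample()).items():
        print(f"{key}: {n}")
```

Keys inside encrypted documents or streams using other filters are not visible to this scan, so a zero count does not clear a file.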

Article by CyberSIXT