According to Security Affairs, hackers have been exploiting a zero-day vulnerability in Adobe Reader for an extended period, delivering sophisticated PDF exploits. Cybersecurity researcher Haifei Li discovered a malicious PDF that prompted a call for community analysis due to its unpatched and actively abused nature.
The exploit, identified by Li's EXPMON system on March 26, leverages an Adobe Reader JavaScript engine flaw. Documents associated with the campaign contain Russian language lures, referencing current events in Russia's oil and gas industry. The exploit functions as an initial payload, using privileged APIs like "util.readFileIntoStream()" to access and exfiltrate local files. It then calls "RSS.addFeed()" to send stolen data to a remote server, potentially for further malicious actions such as remote code execution or sandbox escape.
A variant found on April 8, 2025, suggests the campaign has been active for months, with analysis indicating the attackers may have specific criteria for launching secondary exploits.
Source: Security Affairs
The exploit, identified by Li's EXPMON system on March 26, leverages an Adobe Reader JavaScript engine flaw. Documents associated with the campaign contain Russian language lures, referencing current events in Russia's oil and gas industry. The exploit functions as an initial payload, using privileged APIs like "util.readFileIntoStream()" to access and exfiltrate local files. It then calls "RSS.addFeed()" to send stolen data to a remote server, potentially for further malicious actions such as remote code execution or sandbox escape.
A variant found on April 8, 2025, suggests the campaign has been active for months, with analysis indicating the attackers may have specific criteria for launching secondary exploits.
Source: Security Affairs




