On April 7, 2026, a security researcher described an Adobe Reader zero-day vulnerability that has been exploited since at least December 2025. The vulnerability allows threat actors to invoke privileged Acrobat APIs via specially crafted malicious PDF files that run obfuscated JavaScript when opened. Exploitation allows attackers to steal sensitive user and system data, potentially launch additional attacks, and remotely execute code.
Another security researcher noted that the Russian-language lures relate to the Russian oil and gas sector. These details suggest that the attacks are targeted rather than opportunistic.
Recommended actions
Counter Threat Unit™ (CTU) researchers recommend that organizations monitor for an official Adobe patch and update systems as appropriate when available. In the meantime, organizations can reduce the risk by automatically scanning PDF email attachments, blocking suspicious files, training users to be wary of unsolicited attachments, and advising users to temporarily avoid using Adobe Reader to open PDFs.
Protections and threat indicators
The following Sophos protections relate to this threat:
- Troj/PDF-BG
- Malware/Callhome
The threat indicators in Table 1 can be used to detect activity related to this threat. Note that IP addresses can be reallocated. The domain and IP addresses may contain malicious content, so consider the risks before opening them in a browser.
| Indicator | Type | Context |
|---|---|---|
| 1929da3ef904efb8c940679045452321 | MD5 hash | Malicious PDF sample in Adobe Reader attacks (yummy_adobe_exploit_uwu.pdf) |
| 7f3c6f97612dd0a018797f99fad4df754e5feb35 | SHA1 hash | Malicious PDF sample in Adobe Reader attacks (yummy_adobe_exploit_uwu.pdf) |
| 65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7 | SHA256 hash | Malicious PDF sample in Adobe Reader attacks (yummy_adobe_exploit_uwu.pdf) |
| 522cda0c18b410daa033dc66c48eb75a | MD5 hash | Malicious PDF lure in Adobe Reader attacks (Invoice540.pdf) |
| dafd571da1df72fb53bcd250e8b901103b51d6e4 | SHA1 hash | Malicious PDF lure in Adobe Reader attacks (Invoice540.pdf) |
| 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f | SHA256 hash | Malicious PDF lure in Adobe Reader attacks (Invoice540.pdf) |
| ado-read-parser[.]com | Domain name | C2 server in Adobe Reader attacks |
| 169[.]40[.]2[.]68:45191 | IP address:port | C2 server in Adobe Reader attacks |
| 188[.]214[.]34[.]20:34123 | IP address:port | C2 server in Adobe Reader attacks |
| Adobe Synchronizer | User-Agent | Associated with Adobe Reader attacks |

Table 1: Indicators for this threat
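As an added example (not code from the advisory, Sophos, or CTU), the following Python triage routine implements the attachment scanning recommended above: it matches a PDF's SHA256 against the two sample hashes in Table 1 and looks for the PDF dictionary keys that let a document run JavaScript or other actions on open, inflating FlateDecode streams so that keys hidden inside compressed object streams are still seen. The verdict thresholds and the test PDF are assumptions constructed for this example; the test file is not the real sample.

```python
import hashlib, re, zlib
# SHA256 values of the two PDF samples listed in Table 1 of the advisory.
KNOWN_SHA256 = {
    "65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7",
    "54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f",
}
# PDF dictionary keys that let a document run script or act when opened.
KEY_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def inflate_streams(data):
    """Raw bytes plus every stream that inflates as deflate, so keys hidden
    inside compressed object streams are visible to the key scan."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:  # decompressobj tolerates a truncated tail; other filters raise
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(parts)

def triage_pdf(data):
    """Known sample hash -> block; any JavaScript action -> quarantine;
    other open/launch actions -> review; nothing risky -> allow."""
    sha256 = hashlib.sha256(data).hexdigest()
    hits = sorted({m.group(1).decode() for m in KEY_RE.finditer(inflate_streams(data))})
    if sha256 in KNOWN_SHA256:
        verdict = "block"
    elif "JavaScript" in hits or "JS" in hits:
        verdict = "quarantine"
    elif hits:
        verdict = "review"
    else:
        verdict = "allow"
    return {"sha256": sha256, "known_ioc": sha256 in KNOWN_SHA256,
            "risky_keys": hits, "verdict": verdict}

def build_test_pdf():
    """Constructed test file, not the real sample: the JavaScript action lives
    inside a deflated object stream, so a raw byte search misses /JavaScript."""
    packed = zlib.compress(b"3 0 << /S /JavaScript /JS (app.alert('test')) >>")
    objstm = (b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>"
              % len(packed) + b"\nstream\n" + packed + b"\nendstream endobj")
    return b"\n".join([
        b"%PDF-1.7",
        b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj",
        objstm,
        b"trailer << /Root 1 0 R >>\n%%EOF",
    ]) + b"\n"
```

A hash match is only useful for the exact samples already published, so the key scan is what catches re-packed lures; JavaScript-bearing PDFs are quarantined for review rather than silently dropped.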
References
https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html
https://x.com/Gi7w0rm/status/2042003381158379554
https://thehackernews.com/2026/03/adobe-reader-zero-day-targeted-attacks.html
https://www.theregister.com/2026/04/09/monthsold_adobe_reader_zeroday_uses/
https://www.securityweek.com/adobe-reader-zero-day-exploited-for-months-researcher/
https://thecyberexpress.com/zero-day-fingerprinting-attack-on-adobe-reader/