A critical security vulnerability in Adobe Reader is being actively exploited by cybercriminals through a sophisticated and evolving phishing campaign. The attack relies on social engineering techniques, where victims receive emails containing malicious PDF attachments disguised as legitimate documents, such as invoices or corporate reports. Once opened in Adobe Reader, the file executes hidden JavaScript code that exploits the unpatched flaw, granting attackers access to privileged areas of the victim’s system.
In the initial stage of the attack, the malware collects sensitive data from the infected computer and transmits it to remote command-and-control servers. It also builds a detailed profile of the compromised machine, likely to determine its suitability for further exploitation. Despite these capabilities, the ultimate objective of the attack remains unclear. Researchers suggest a possible second phase that could involve remote control of the device and advanced evasion of security systems, although this has not yet been confirmed in real-world scenarios.
During analysis, researchers observed that the command servers did not deliver additional malicious payloads, indicating that the full attack may depend on very specific network or environmental conditions. This selective activation suggests a targeted approach rather than indiscriminate mass infection.
The campaign has been primarily identified in emails written in Russian, hinting at an initial geographic focus. However, the vulnerability itself affects Adobe Reader users globally. As no official security patch has been released by Adobe, all users remain at risk regardless of location.
Security experts emphasize the need for extreme caution. Recommended measures include avoiding opening suspicious email attachments and, in some cases, uninstalling the software until a fix becomes available. The threat is further amplified by the growing use of artificial intelligence tools, which enable attackers to craft highly convincing phishing messages.
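The attack chain described above hinges on a PDF that carries JavaScript and an action that triggers it when the document is opened. A mail gateway or an analyst triaging attachments can flag exactly those features before a file ever reaches Adobe Reader. The following Python script is an added example, not code from the original report or from EXPMON; it applies the same heuristic idea as tools such as pdfid: count the PDF name objects associated with active content (`/JavaScript`, `/JS`, `/OpenAction`, `/AA`, `/Launch`, `/EmbeddedFile`, `/RichMedia`), after undoing two common hiding tricks, hex-escaped names (`/Java#53cript`) and dictionaries tucked inside FlateDecode streams. The three sample PDFs are constructed inline and are not real malware.

```python
"""Heuristic triage of PDF attachments for active-content features that
phishing lures abuse. Added example (not from the original report); the
sample documents below are constructed for the demonstration only."""
import re
import zlib
from collections import Counter

# PDF name objects that indicate active or automatically triggered content.
RISKY_NAMES = (
    b"/JavaScript",    # JavaScript action dictionary
    b"/JS",            # the script itself (string or stream)
    b"/OpenAction",    # action run when the document is opened
    b"/AA",            # additional (event-triggered) actions
    b"/Launch",        # launch an external application
    b"/EmbeddedFile",  # file attachment inside the PDF
    b"/RichMedia",     # Flash / rich media annotations
)

# Name pairs that together read as "runs code as soon as the file is opened".
HIGH_RISK_PAIRS = (
    (b"/OpenAction", b"/JS"), (b"/OpenAction", b"/JavaScript"),
    (b"/AA", b"/JS"), (b"/OpenAction", b"/Launch"),
)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name escapes, e.g. /Java#53cript -> /JavaScript, so that
    keyword matching is not defeated by trivial obfuscation."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every stream zlib can inflate (FlateDecode).
    Streams that are not Flate-encoded, or are too damaged to start, are skipped;
    decompressobj tolerates a truncated tail and returns what it could decode."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"".join(out)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count risky names in the raw file and in its inflated streams and
    return {'indicators': {name: count}, 'verdict': clean|suspicious|high}."""
    views = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    counts = Counter()
    for name in RISKY_NAMES:
        # The name must end at a delimiter, so /JS does not also match /JSfoo.
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", views)
        if hits:
            counts[name.decode()] = len(hits)
    high = any(a.decode() in counts and b.decode() in counts for a, b in HIGH_RISK_PAIRS)
    verdict = "high" if high else ("suspicious" if counts else "clean")
    return {"indicators": dict(counts), "verdict": verdict}


def _flate_object(payload: bytes) -> bytes:
    """Wrap a dictionary in a FlateDecode stream object (constructed sample)."""
    z = zlib.compress(payload)
    return (b"5 0 obj<</Filter/FlateDecode/Length %d>>stream\n" % len(z)
            + z + b"\nendstream endobj\n")


# Constructed samples, not real malware.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
              b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
              b"3 0 obj<</Type/Page/Parent 2 0 R>>endobj\n"
              b"trailer<</Root 1 0 R>>\n%%EOF")

# Catalog points OpenAction at a JavaScript action: the lure pattern.
JS_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>endobj\n"
          b"4 0 obj<</S/JavaScript/JS(app.alert\\(1\\))>>endobj\n"
          b"trailer<</Root 1 0 R>>\n%%EOF")

# Same intent, with hex-escaped names and the action inside a Flate stream.
OBFUSCATED_PDF = (b"%PDF-1.5\n1 0 obj<</Type/Catalog/Pages 2 0 R/Open#41ction 4 0 R>>endobj\n"
                  + _flate_object(b"4 0 obj<</S/Java#53cript/#4A#53(app.alert\\(1\\))>>endobj")
                  + b"trailer<</Root 1 0 R>>\n%%EOF")


def triage(samples: dict) -> dict:
    """Map each attachment name to its verdict (what a gateway would log)."""
    return {name: scan_pdf_bytes(blob)["verdict"] for name, blob in samples.items()}


if __name__ == "__main__":
    for name, result in triage({"report.pdf": BENIGN_PDF, "invoice.pdf": JS_PDF,
                                "invoice2.pdf": OBFUSCATED_PDF}).items():
        print(f"{name}: {result}")
```

A "high" verdict means the file both carries script or launch content and wires it to open on load; such attachments can be quarantined for analyst review rather than delivered. The check is deliberately coarse (it does not parse object streams or cross-reference tables), so a "clean" result lowers but does not eliminate risk; the recommended precautions above still apply.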
The vulnerability has reportedly been exploited for several months. It was first identified by researcher Haifei Li from EXPMON, who discovered the malicious files on VirusTotal in late November.