Adobe Reader zero-day vulnerability in active exploitation
A zero-day vulnerability in Adobe Reader is being actively exploited in targeted attacks against the Russian oil and gas sector. Threat actors are utilizing malicious PDF files embedded with obfuscated JavaScript to execute privileged APIs, enabling sensitive data theft and potential remote code execution.
Authors: Sophos Counter Threat Unit Research Team
Source: Sophos
- domain ado-read-parser[.]com - Command and Control (C2) server used in Adobe Reader attacks
- sha256 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f - Malicious PDF lure (Invoice540.pdf) exploiting the zero-day
- sha256 65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7 - Malicious PDF sample (yummy_adobe_exploit_uwu.pdf) exploiting the zero-day
Key Takeaways
- An unpatched Adobe Reader zero-day vulnerability has been actively exploited in the wild since December 2025.
- The exploit leverages malicious PDF files containing obfuscated JavaScript to execute privileged Acrobat APIs.
- Attacks appear highly targeted, utilizing Russian-language lures focused on the Russian oil and gas sector.
- Successful exploitation enables threat actors to steal sensitive data and potentially achieve remote code execution (RCE).
- Organizations are advised to temporarily avoid using Adobe Reader for PDFs until an official patch is released.
Affected Systems
- Adobe Reader
Vulnerabilities (CVEs)
- Unassigned Zero-Day
Attack Chain
The attack begins with the delivery of a malicious PDF file, often utilizing Russian-language lures related to the oil and gas sector. When the victim opens the file in Adobe Reader, obfuscated JavaScript embedded within the PDF executes, triggering a zero-day vulnerability that allows the execution of privileged Acrobat APIs. This exploitation facilitates the theft of sensitive user and system data, establishes communication with external C2 servers using the 'Adobe Synchronizer' User-Agent, and potentially allows the threat actor to achieve remote code execution.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Sophos
Sophos provides endpoint protection signatures (Troj/PDF-BG, Malware/Callhome) for this threat, but no raw detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR solutions can detect post-exploitation activity such as anomalous child processes spawned by Adobe Reader, but the initial JavaScript execution and API abuse within the PDF parser may lack direct visibility.
- Network Visibility: High — The threat relies on specific C2 IP addresses, domains, and a distinct User-Agent ('Adobe Synchronizer') which are highly visible in network and proxy telemetry.
- Detection Difficulty: Moderate — Detecting the zero-day exploit itself is difficult without specific signatures, but the resulting network connections and potential child processes spawned by Adobe Reader are standard, detectable behavioral indicators.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- Network Connections (Sysmon 3 / Firewall logs)
- Web Proxy Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for Adobe Reader processes making unexpected outbound network connections, particularly using the 'Adobe Synchronizer' User-Agent to non-Adobe infrastructure. | Network logs, Proxy logs, EDR network events | Command and Control | Medium |
| Identify Adobe Reader executables (e.g., Acrobat.exe or AcroRd32.exe) spawning unusual child processes such as cmd.exe, powershell.exe, or unknown binaries. | Process creation logs (Sysmon Event ID 1) | Execution | Low |
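The two hunting hypotheses above, turned into detection logic over constructed sample telemetry (simplified Sysmon Event ID 1 parent/child pairs and web-proxy lines). This is an added example, not code from the Sophos report; the allowlist of Adobe-owned hosts and the assumption that legitimate Reader helper processes live under an Adobe install directory are mine.

```python
import re
from urllib.parse import urlsplit

# Constructed sample telemetry (not from the Sophos report): Sysmon Event ID 1
# style parent/child pairs and web-proxy lines in a simplified format.
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"parent": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"},
    {"parent": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe"},
]
PROXY_LINES = [
    '10.0.0.5 - - "GET http://ado-read-parser.com/sync HTTP/1.1" 200 "Adobe Synchronizer"',
    '10.0.0.5 - - "GET https://armmf.adobe.com/arm-manifests/win/manifest.xml HTTP/1.1" 200 "Adobe Synchronizer"',
    '10.0.0.7 - - "GET http://169.40.2.68:45191/ HTTP/1.1" 200 "Adobe Synchronizer"',
    '10.0.0.7 - - "GET https://www.example.org/ HTTP/1.1" 200 "Mozilla/5.0"',
]

READER_IMAGES = {"acrobat.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PROXY_RE = re.compile(r'"\w+ (?P<url>\S+) HTTP/[\d.]+" \d+ "(?P<ua>[^"]*)"')


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_children(events):
    # Hypothesis 2: Reader spawning a shell, or any binary outside an Adobe install
    # directory (assumption: legitimate helper processes live under an \Adobe\ path).
    hits = []
    for ev in events:
        if basename(ev["parent"]) not in READER_IMAGES:
            continue
        child = ev["image"]
        if basename(child) in SHELLS or "\\adobe\\" not in child.lower():
            hits.append(child)
    return hits


def suspicious_beacons(lines):
    # Hypothesis 1: the 'Adobe Synchronizer' User-Agent talking to anything that is
    # not Adobe infrastructure (allowlisting by the adobe.com suffix is my assumption).
    hits = []
    for line in lines:
        m = PROXY_RE.search(line)
        if not m or m.group("ua") != "Adobe Synchronizer":
            continue
        host = urlsplit(m.group("url")).hostname or ""
        if host != "adobe.com" and not host.endswith(".adobe.com"):
            hits.append(host)  # bare IP literals never match the allowlist
    return hits
```

On the sample data the first function flags the cmd.exe and powershell.exe children only (AcroCEF.exe under the Adobe directory is accepted), and the second flags the page's C2 domain and the 169.40.2.68:45191 beacon while ignoring the adobe.com update traffic.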
Control Gaps
- Lack of an official patch from Adobe leaves systems inherently vulnerable if malicious PDFs are opened in Adobe Reader.
Key Behavioral Indicators
- Outbound network connections from Adobe Reader to unknown IPs
- Use of 'Adobe Synchronizer' User-Agent communicating with non-standard domains
- Unexpected child processes originating from PDF reader applications
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Temporarily advise users to avoid using Adobe Reader to open PDFs until an official patch is available.
- Block the identified C2 domains and IP addresses at the perimeter firewall, DNS sinkhole, or web proxy.
Infrastructure Hardening
- Implement automatic scanning of PDF email attachments at the email gateway.
- Ensure endpoint protection platforms are updated with the latest threat intelligence and signatures.
User Protection
- Configure default PDF handlers to alternative, non-vulnerable applications if feasible for business operations.
Security Awareness
- Train users to be highly suspicious of unsolicited PDF attachments, particularly those related to the oil and gas sector or using Russian-language lures.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1204.002 - User Execution: Malicious File
- T1203 - Exploitation for Client Execution
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1071.001 - Application Layer Protocol: Web Protocols
Additional IOCs
- IPs:
169[.]40[.]2[.]68 - C2 server (port 45191)
188[.]214[.]34[.]20 - C2 server (port 34123)
- Domains:
ado-read-parser[.]com - C2 server
- File Hashes:
1929da3ef904efb8c940679045452321 (MD5) - Malicious PDF sample (yummy_adobe_exploit_uwu.pdf)
7f3c6f97612dd0a018797f99fad4df754e5feb35 (SHA1) - Malicious PDF sample (yummy_adobe_exploit_uwu.pdf)
522cda0c18b410daa033dc66c48eb75a (MD5) - Malicious PDF lure (Invoice540.pdf)
dafd571da1df72fb53bcd250e8b901103b51d6e4 (SHA1) - Malicious PDF lure (Invoice540.pdf)
- Other:
Adobe Synchronizer - User-Agent string associated with Adobe Reader attack C2 communication