
On April 8, 2025, researcher @greglesnewich found a new variant that connects to the IP address 188.214.34.20:34123. This sample was uploaded to VirusTotal on November 28, 2025, a circumstance that suggests the hacking campaign has been ongoing for at least four months. Cybersecurity researcher Haifei Li, founder of EXPMON, discovered the malicious PDF file and warned the community.
The threat was first detected on March 26, when a suspicious PDF was submitted to EXPMON and flagged by its advanced “detection in depth” feature, despite low antivirus detection (13/64 on VirusTotal).
The sample analyzed by Li works as an initial exploit that abuses an unpatched Adobe Reader flaw to run privileged APIs on fully updated systems. It uses “util.readFileIntoStream()” to read local files and collect sensitive data, then calls “RSS.addFeed()” to send the stolen data to a remote server and receive further malicious JavaScript.
“Based on our analysis, the sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits.
A zero-day (0-day) is a software vulnerability or security flaw discovered by attackers before the vendor or developer becomes aware of it, meaning there are “zero days” to fix it. Because no patch exists, attackers exploit this gap to steal data, cause disruption, or gain unauthorized access.
While zero-days are sometimes used in targeted attacks against organizations or governments, they can also be used in widespread attacks on popular software (browsers, operating systems, etc.).
Common Targets and Consequences:
- Operating systems, web browsers, and hardware.
- Data breaches and financial loss.
- Long-term unauthorized access (persistence).
How a Zero-Day Attack Works
- Discovery: Hackers or researchers find a security flaw in software/hardware before the vendor knows about it.
- Weaponization & Exploitation: The attacker develops code (an exploit) that triggers this flaw and uses it against victims before a patch can be developed.
- The Attack: The malicious code is deployed, often bypassing traditional defenses like firewalls or antivirus, because no signature exists for the threat.
- Remediation: Once the vendor learns of the flaw, it rushes to create a patch.
Key Terminology
- Zero-day Vulnerability: The unknown, unpatched flaw.
- Zero-day Exploit: The technique used to attack the vulnerability.
- Zero-day Attack: The act of using the exploit.
Why They Are So Dangerous
- No Defense: No security patches or antivirus signatures exist when the attack first occurs.
- Long-lasting: If undetected, these flaws can be used for months or years.
- High-Value Targets: Frequently used by advanced attackers against governments or large enterprises.
Defensive Measures
- Intrusion Detection Systems (IDS): Monitoring for suspicious network behavior.
- Web Application Firewalls (WAF): Filtering malicious traffic.
- Prompt Patch Management: Applying patches immediately upon release to close the “post-discovery” window.
“It abuses a zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe Reader,” reads the report published by Haifei Li.
“Specifically, it calls the ‘util.readFileIntoStream()’ API, allowing it to read arbitrary files (accessible by the sandboxed Reader process) on the local system. In this way, it can collect a wide range of information from the local system and steal local file data.”
This lets attackers profile victims, steal information, and decide whether to launch further attacks, including remote code execution or sandbox escape if the target meets specific conditions.
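The read-then-exfiltrate pattern described above can be triaged statically before a sample ever reaches a sandbox. The scanner below is an added example, not code from EXPMON or from the article: it pulls inline and Flate-compressed JavaScript out of a PDF and flags the two privileged Acrobat API names and the IP address the article reports. The PDF it builds is a constructed test fixture, not the malicious sample.

```python
import re
import zlib

# Privileged Acrobat JavaScript APIs named in the EXPMON write-up; both are
# restricted to trusted contexts and almost never appear in benign documents.
SUSPICIOUS_APIS = ("util.readFileIntoStream", "RSS.addFeed")
# Network indicator the article reports for the later variant.
KNOWN_C2 = ("188.214.34.20",)

# A stream object: its dictionary (one level of nesting allowed) and raw body.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)[\r\n]endstream", re.S)
# An inline /JS (...) literal string; escaped parentheses are not handled here.
INLINE_JS_RE = re.compile(rb"/JS\s*\((.*?)\)\s*(?:/|>>)", re.S)

def extract_scripts(pdf: bytes) -> list:
    """Return (location, text) for inline /JS literals and every decodable stream.
    Streams are inspected even without a /JavaScript marker because the script
    body usually lives in a separate object referenced as '/JS n 0 R'."""
    found = [("inline", m.group(1).decode("latin-1")) for m in INLINE_JS_RE.finditer(pdf)]
    for dict_bytes, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_bytes:
            try:  # decompressobj tolerates a trailing CR left by CRLF line endings
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                continue  # corrupt or unsupported stream: skip rather than crash
        found.append(("stream", body.decode("latin-1")))
    return found

def scan_pdf(pdf: bytes) -> dict:
    """Flag scripts that name the privileged APIs or reference the reported C2 host."""
    apis, iocs = set(), set()
    for _, text in extract_scripts(pdf):
        apis.update(a for a in SUSPICIOUS_APIS if a in text)
        iocs.update(c for c in KNOWN_C2 if c in text)
    # Plain string matching misses obfuscated scripts (concatenation, hex escapes):
    # treat a hit as high confidence and a miss as "not yet examined", not "clean".
    return {"suspicious_apis": sorted(apis), "iocs": sorted(iocs),
            "verdict": "suspicious" if apis or iocs else "no match"}

def build_sample_pdf(js: str) -> bytes:
    """Constructed minimal PDF whose OpenAction runs a Flate-compressed script.
    Test fixture for the scanner only; the script it carries is whatever is passed in."""
    body = zlib.compress(js.encode())
    return (b"%PDF-1.7\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
            b"2 0 obj<</S/JavaScript/JS 3 0 R>>endobj\n"
            b"3 0 obj<</Length " + str(len(body)).encode() + b"/Filter/FlateDecode>>stream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")
```

Run `scan_pdf(open(path, "rb").read())` over a quarantined file; a verdict of "suspicious" on a document that should never contain scripts is enough to pull it for manual analysis.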
During the tests, researchers connected to the server but received no response or additional exploit. The attacker likely requires specific target conditions that the test setup did not meet.
“However, during our tests, we were unable to obtain the said additional exploit – the server was connected but no response,” continues the report. “This could be due to various reasons – for example, our local testing environments may not have met the attacker’s specific criteria.”