Emerging ThreatsMalware & Ransomware

Adobe Reader Zero-Day Exploited in Targeted Attacks Since December

Analyst 207||Source: TheHackerNews
Person in hoodie sits before laptop with cracked PDF on screen, surrounded by eerie shadows and cityscape.

What happens when a document you trust quietly becomes a weapon? Security researchers have found that a previously unknown zero‑day in Adobe Reader has been used in targeted attacks for months, raising questions about detection, disclosure and the quiet erosion of trust in everyday file formats.

What researchers found

Threat actors have been exploiting a previously unknown zero‑day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025, according to reporting on the discovery. The finding was detailed by EXPMON's Haifei Li, who described the intrusion technique as "a highly‑sophisticated PDF exploit."

Timeline and artifact evidence

The earliest observable artifact tied to this campaign appeared on a public malware‑analysis platform: a file named "Invoice540.pdf" was first uploaded to VirusTotal on November 28, 2025. That timestamp, coupled with subsequent analysis, supports the assessment that exploitation began no later than December 2025.

Why this matters

  • Zero‑day exploitation in a common document reader removes the safety net that users normally expect when opening familiar file formats.
  • The characterization by a named researcher at EXPMON — Haifei Li — as "a highly‑sophisticated PDF exploit" implies technical complexity that can evade routine detection and complicate forensic analysis.
  • Timestamps and public artifact uploads, such as the VirusTotal appearance of Invoice540.pdf, provide investigators and defenders concrete leads but also show how quickly malicious samples can be circulated and archived in the wild.

Considerations for stakeholders

Technologists will focus on dissecting the exploit chain and producing detection signatures and mitigations. Policymakers and incident responders must weigh disclosure timelines and coordination between vendors, researchers, and affected organizations. Everyday users, meanwhile, face the blunt reality that familiar file types can be weaponized; the best immediate precaution is caution with unexpected attachments and downloads.

The discovery underscores a simple, uncomfortable truth: attackers continue to invest in tools that prey on trust. How quickly vendors, defenders and users respond will determine whether this remains a contained curiosity or becomes a wider security crisis.

https://thehackernews.com/2026/04/adobe-reader-zero-day-exploited-via.html

Emerging ThreatsExploitNation-StateVulnerabilityZero-DayAdobe ReaderTargeted AttacksAPTPDF Exploit
Related Intelligence

Continue Reading

Person typing on a keyboard with a blank laptop screen in front, face turned away.

Prinz Eugen Ransomware Targets Critical Files in Hands-On Attacks

Meet Prinz Eugen, a sneaky ransomware that uses hands-on tactics to target critical files, evading detection by deliberately leaving no ransom note behind. Its operators use stolen RDP credentials and remote monitoring tools to manually infiltrate and take control of systems.

Analyst 207
Financial sector setting with technology integration and cityscape in background.

Microsoft attributes Mastra AI supply chain attack to North Korean hackers Sapphire Sleet

Microsoft warns that a recent supply chain attack on the Mastra AI npm environment was carried out by Sapphire Sleet, a notorious North Korean hacking group known for targeting the financial sector. This latest incident is part of a larger pattern of attacks that exploit open-source distribution channels.

Analyst 207
WordPress dashboard screen with a highlighted API key field and a warning symbol nearby.

Hackers Exploit Gravity SMTP Plugin Bug to Expose API Keys

Malicious hackers are racing to exploit a vulnerability in the Gravity SMTP plugin, which has been installed on around 100,000 WordPress sites, to get their hands on sensitive API keys. Over 17 million exploit attempts have already been blocked by Wordfence, highlighting the urgent need for site owners to update to version 2.1.5.

Analyst 207
Rows of network equipment and devices on racks in a dimly lit, empty server room.

Credential Attacks Target Fortinet, Sophos, MSSQL Devices in Large-Scale Campaign

A large-scale password spraying and credential theft campaign, dubbed "FortiBleed," is targeting Fortinet devices, with attempts also seen against MSSQL services and Sophos devices, warns Unit 42. This coordinated attack has sparked concerns over widespread credential attacks.

Analyst 207