Attackers have been quietly taking advantage of a dangerous security flaw in Adobe Reader by using specially crafted PDF files, and this activity has been going on since at least December.

The issue was uncovered by security researcher Haifei Li, who founded the exploit detection platform EXPMON. He revealed that the attack relies on a highly advanced technique that can adapt to the victim’s system, making it harder to detect and more effective.

According to Li, the attackers have been actively targeting users for several months. Once a victim opens the malicious PDF file, the exploit runs immediately with no further interaction: simply viewing the document is enough to trigger the attack, which is what makes it especially risky. The exploit takes advantage of a previously unknown vulnerability in Adobe Reader that still has not been patched, even in the latest version of the software.

The attackers do not stop at gaining access. They use built-in Adobe features to collect sensitive information from the compromised system: by abusing specific Acrobat APIs, they can read local files and extract data. In addition, the exploit can open the door to further attacks, potentially allowing the attackers to run malicious code or bypass security protections, which could eventually give them full control over the affected device.

Another researcher, known as Gi7w0rm, also studied the attack and found that the malicious PDF files often contain Russian-language content. These documents appear to reference current events related to the oil and gas industry in Russia, suggesting that the campaign may be targeted rather than random.

Li has already informed Adobe about the issue, but until a security update is released, users remain at risk. He strongly advises people to avoid opening PDF files from unknown or untrusted sources. Even files received from familiar contacts should be treated with caution if they seem unexpected.

For organizations and security teams, one way to reduce the risk is to monitor network traffic for suspicious activity. In particular, they can look for connections whose User-Agent header contains the string “Adobe Synchronizer” and block such traffic if necessary.
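As an added example (not code from the article, EXPMON or Adobe), the Python below runs the User-Agent check just described over a few constructed proxy-log lines. The log layout, the hostnames, the IP addresses and the allowlist are assumptions; only the matched string “Adobe Synchronizer” comes from the article. Because the same User-Agent may also appear in ordinary Acrobat traffic, the hits are grouped by destination so a team can compare them against its own baseline before deciding what to block.

```python
import re
from collections import Counter

# Constructed sample proxy-log lines (not from the article); the field layout is an assumption.
SAMPLE_LOG = """\
2025-06-02T09:14:03Z 10.0.4.21 GET https://sync.vendor-example.test/collab 200 "Adobe Synchronizer"
2025-06-02T09:14:05Z 10.0.4.21 GET https://sync.vendor-example.test/collab 200 "Adobe Synchronizer"
2025-06-02T09:15:11Z 10.0.4.38 GET https://www.example.org/index.html 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/126.0"
2025-06-02T09:16:40Z 10.0.4.21 POST https://203.0.113.45/upload 200 "Adobe Synchronizer"
2025-06-02T09:17:02Z 10.0.4.50 GET https://cdn.example.net/app.js 304 "Mozilla/5.0 (Macintosh) Safari/605.1"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")

def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    host = HOST_RE.match(rec["url"])
    rec["host"] = host.group(1) if host else ""
    return rec

def find_synchronizer_hits(log_text, needle="Adobe Synchronizer"):
    """Return the parsed records whose User-Agent contains the string the article names."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and needle in rec["ua"]:
            hits.append(rec)
    return hits

def hits_by_destination(hits):
    """Count matching requests per (source IP, destination host) for triage."""
    return Counter((h["src"], h["host"]) for h in hits)

def unexpected_destinations(hits, allowed_hosts):
    """Hits whose destination is outside the team's baselined allowlist (constructed here)."""
    return [h for h in hits if h["host"] not in allowed_hosts]

if __name__ == "__main__":
    hits = find_synchronizer_hits(SAMPLE_LOG)
    for (src, host), n in hits_by_destination(hits).items():
        print(f"{src} -> {host}: {n} request(s)")
    for h in unexpected_destinations(hits, {"sync.vendor-example.test"}):
        print("review:", h["ts"], h["src"], h["method"], h["url"])
```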
