Months-old Adobe Reader zero-day uses PDFs to size up targets - The Register
Hackers have been quietly exploiting what appears to be a zero-day in Adobe Acrobat Reader for months, using booby-trapped PDFs to profile targets and decide who's worth fully compromising.
Security researcher Haifei Li, founder of the sandbox-based exploit detection system EXPMON, said the campaign uses a malicious PDF that runs as soon as it's opened, working against even up-to-date Reader installations with no clicks required beyond viewing the file.
The exploit leans on heavily obfuscated JavaScript that fires the moment the PDF is opened. Instead of blowing up straight away, it starts pulling information from the machine using built-in Acrobat APIs, including local files and system details, and sends it back to servers under the attacker's control.
The first pass is basically recon. It grabs OS info, language settings, and file paths to figure out what it's landed on. If the box looks useful, it pulls a second-stage payload and runs it inside Reader. Researchers say that stage could escalate things further, up to remote code execution or even a sandbox escape.
"Such a mechanism allows the threat actor to collect user information, steal local data, perform advanced 'fingerprinting', and launch future attacks," Li said. "If the target meets the attacker's conditions, the attacker may deliver additional exploit to achieve RCE or SBX."
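The pattern described above, a script action wired to the document-open event, is something a mail gateway or sandbox host can screen for before Reader ever sees the file. The following is an added example, not code from the article or from EXPMON: it scans raw PDF bytes for auto-run hooks, undoes #xx-escaped names (a common trick for hiding /JavaScript from string matching), and counts obfuscation idioms; both PDFs are constructed samples, not the campaign's files.

```python
import re

# Constructed samples (not the campaign's PDFs). BENIGN_PDF has no actions at all;
# AUTORUN_PDF attaches a JavaScript action to /OpenAction, so it runs on open, and
# hides the action type behind a #61 ('a') name escape.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

AUTORUN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (var a=unescape('%75%36'); eval(String.fromCharCode(97,108)); ) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Hooks that make a script run without user interaction: /OpenAction fires on load,
# /AA (additional actions) fires on page/field events, and a /JavaScript entry in the
# /Names tree is document-level script executed at load (heuristic; /Names alone is benign).
AUTO_TRIGGERS = (b"/OpenAction", b"/AA", b"/Names")
SCRIPT_MARKERS = (b"/JavaScript", b"/JS")
# Idioms typical of obfuscated droppers: dynamic eval, percent-decoding, char-code assembly,
# long runs of %xx-encoded bytes.
OBFUSCATION_HINTS = (rb"eval\s*\(", rb"unescape\s*\(", rb"String\.fromCharCode",
                     rb"(%[0-9A-Fa-f]{2}){8,}")


def _decode_name(m: re.Match) -> bytes:
    # Replace each #xx hex escape inside one PDF name with the byte it encodes.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda h: bytes([int(h.group(1), 16)]), m.group(0))


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names only (e.g. /J#61vaScript -> /JavaScript)."""
    return re.sub(rb"/[^\s/<>\[\]()]+", _decode_name, data)


def triage_pdf(data: bytes) -> dict:
    """Flag a PDF whose script action is reachable from an automatic trigger."""
    text = normalize_names(data)
    has_trigger = any(t in text for t in AUTO_TRIGGERS)
    has_script = any(s in text for s in SCRIPT_MARKERS)
    hints = [h for h in OBFUSCATION_HINTS if re.search(h, text)]
    return {"has_trigger": has_trigger, "has_script": has_script,
            "autorun_js": has_trigger and has_script, "obfuscation_hints": len(hints)}
```

In real files the /JS body usually sits in a FlateDecode stream or an object stream, so inflate streams before scanning or the markers and hints will be missed.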
https://www.theregister.com/2026/04/09/monthsold_adobe_reader_zeroday_uses/