
Adobe patches vulnerability that steals data via PDFs

Researcher Haifei Li, founder of the exploit detection platform EXPMON, discovered a sophisticated attack that uses PDF files to spy on and potentially compromise Adobe Reader users.

The attack exploits a previously unknown vulnerability, meaning that simply opening a seemingly innocent document can be enough to collect sensitive information and send it to an external server. According to Neowin, the attack is part of a broader campaign that has been active since December. Attackers are exploiting specially crafted PDF files.

EXPMON detected suspicious activity in a PDF file that was initially flagged only as potentially risky. Further analysis revealed that the document uses obfuscated JavaScript code to call internal functions of Adobe Reader. This allows it to read local files and collect system information, such as software version, language settings, and operating system details.

The vulnerability involves a so-called prototype pollution issue within the PDF reader’s JavaScript implementation. By exploiting this, attackers can manipulate object properties and thereby gain access to functionality that is normally out of reach. In this case, that lets the attacker collect data and then send it to an external server over the network.
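The article does not describe the affected Reader internals, so the following added example (not code from Adobe, EXPMON or the original article) shows the general mechanism of prototype pollution in plain JavaScript, with a vulnerable merge and check beside hardened versions. All function names and the `trusted` flag are hypothetical.

```javascript
// Added illustration of generic prototype pollution; not Adobe Reader's code.
// mergeUnsafe, mergeSafe, the "trusted" flag and both gates are hypothetical.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isObj = (v) => v !== null && typeof v === "object";

// Vulnerable: walking into target["__proto__"] reaches Object.prototype.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isObj(source[key])) {
      if (!isObj(target[key])) target[key] = {};
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse keys that lead to a prototype, recurse only into own properties.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    if (isObj(source[key])) {
      if (!hasOwn(target, key) || !isObj(target[key])) target[key] = {};
      mergeSafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}
// Weak gate trusts inherited properties; strict gate requires an own property.
const gateWeak = (ctx) => ctx.trusted === true;
const gateStrict = (ctx) => hasOwn(ctx, "trusted") && ctx.trusted === true;

function demo() {
  const input = JSON.parse('{"__proto__": {"trusted": true}}'); // constructed input
  const out = {};
  try {
    mergeUnsafe({}, input);
    out.weakAfterUnsafe = gateWeak({});     // a fresh object inherits the flag
    out.strictAfterUnsafe = gateStrict({}); // no own property, so the gate holds
  } finally {
    delete Object.prototype.trusted;        // undo the pollution
  }
  mergeSafe({}, input);
  out.weakAfterSafe = gateWeak({});         // prototype untouched
  return out;
}
```

The point for defenders is that one polluted property changes the behaviour of every object that inherits from the shared prototype, so both the write path (the merge) and the read path (the gate) need hardening.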

Notably, the attack does not immediately proceed to full compromise. Instead, a profile of the victim is first built up. Based on this, the attacker can determine whether the system is interesting enough for a follow-up step, in which additional code can be delivered that leads to the execution of arbitrary code or the bypassing of sandbox restrictions.

Targeted attack based on system profile

Researchers confirmed that this method allows not only for information gathering but also for the execution of external code within Adobe Reader. This creates a potential path to full system takeover, although the attack appeared to be selective because additional payloads were not always delivered.

Adobe has since confirmed the vulnerability and resolved it via a security update. The flaw is tracked as CVE-2026-34621 and was initially assigned a high severity score, which was later slightly adjusted. Multiple versions of Acrobat and Reader on Windows and macOS were affected and have since been patched.

In addition to the technical details, there are indications that the attack may be targeted. Analysis of the PDF files used points to references to the Russian oil and gas sector, which may indicate a specific target group, although this has not been definitively confirmed.