On April 7 2026, a security researcher disclosed a critical zero‑day vulnerability in Adobe Reader that has been actively exploited in the wild since at least December 2025. The flaw allows threat actors to execute privileged Acrobat APIs via specially crafted PDF files that trigger obfuscated JavaScript when opened. Once executed, the code can steal sensitive user and system data, launch additional attacks, and remotely execute arbitrary code on the victim machine.
Investigations revealed that the attackers are targeting the Russian oil and gas sector with Russian‑language lures, indicating a focused campaign rather than opportunistic phishing. The malicious PDFs are typically delivered through email attachments and social engineering, exploiting the common habit of users opening PDF files with Adobe Reader.
Key indicators of compromise include the following hash values for malicious samples and a set of command‑and‑control (C2) domains and IP addresses that have been observed communicating with infected machines:
- MD5 1929da3ef904efb8c940679045452321 – sample yummy_adobe_exploit_uwu.pdf
- SHA1 7f3c6f97612dd0a018797f99fad4df754e5feb35 – same sample
- SHA256 65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7 – same sample
- MD5 522cda0c18b410daa033dc66c48eb75a – lure Invoice540.pdf
- SHA1 dafd571da1df72fb53bcd250e8b901103b51d6e4 – lure
- SHA256 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f – lure
- C2 domain ado-read-parser[.]com – used for command and control
- C2 IPs: 169[.]40[.]2[.]68:45191 and 188[.]214[.]34[.]20:34123
- User‑Agent Adobe Synchronizer – frequently seen in traffic from infected clients
Security teams should keep an eye on these indicators and compare them against their own intrusion detection systems. The following Sophos protections are relevant for mitigating this threat: Troj/PDF‑BG and Malware/Callhome. Enabling these signatures in endpoint protection solutions will help detect and block malicious PDFs before they reach the user.
Recommended mitigation steps for organizations:
- Patch Management: Monitor the Adobe security advisory channel for the official patch and apply it as soon as it becomes available. The vulnerability is listed as critical on the Adobe security bulletin.
- Attachment Scanning: Configure email gateways and endpoint protection to automatically scan PDF attachments using a sandbox or static analysis engine. Block any file that matches the known hash indicators.
- File Type Restrictions: Where possible, disable the ability to open PDF files directly from email clients. Encourage the use of preview services that do not rely on Adobe Reader.
- User Awareness: Conduct targeted phishing awareness training that highlights the risks of opening unsolicited PDF attachments, especially those that claim to be invoices or official documents.
- Temporary Workarounds: Advise users to avoid using Adobe Reader to open PDFs until the patch is applied. Alternative viewers such as Foxit Reader or the built‑in browser viewer can be used as a stopgap.
For deeper technical guidance, refer to the following sanitized resources:
- Sophos Blog – Adobe Reader Zero‑Day Vulnerability
- Security Researcher Blog Post – Sophisticated Zero‑Day Exploit
- Twitter – Russian‑Language Lures Target Oil and Gas
By combining timely patching, aggressive attachment filtering, user education, and vigilant monitoring of the provided indicators, security analysts can reduce the risk posed by this Adobe Reader zero‑day and protect enterprise assets from exploitation.

