Overview
- EXPMON researcher Haifei Li confirmed an actively exploited Adobe Reader flaw that triggers as soon as a malicious PDF is opened and works on fully updated installs.
- Heavily obfuscated JavaScript in the PDFs abuses privileged Acrobat APIs to read local files and send the data to attacker servers.
- Analysts observed a recon stage that fingerprints systems to gate selective delivery of remote-control payloads.
- Samples uploaded to VirusTotal in November 2025 indicate the campaign ran for months before researchers spotted it.
- Adobe has not released a fix, so users should avoid untrusted PDFs, and defenders can block outbound traffic that carries the "Adobe Synchronizer" user-agent string.
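The last bullet points at a concrete network-side check. The following is an added example, not code from the article or from EXPMON: it scans proxy log lines for the "Adobe Synchronizer" user-agent named above, groups the matching destinations per internal source host for triage, and exposes a block decision with an optional operator-supplied allowlist. The log format (Apache/Squid-style combined format with a quoted user-agent) and the sample lines are constructed for the example; the hostnames in them are placeholders, not the campaign's real infrastructure, and the allowlist is a hypothetical knob for organisations that have verified some destinations as legitimate.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log lines in combined log format (referer and
# user-agent quoted at the end). These are made up for the example; the
# destination hosts are placeholders, not indicators from the campaign.
SAMPLE_LOG = """\
10.0.0.12 - - [14/Nov/2025:09:13:02 +0000] "POST http://example-upload.test/collect HTTP/1.1" 200 512 "-" "Adobe Synchronizer"
10.0.0.12 - - [14/Nov/2025:09:13:05 +0000] "GET http://www.example.com/ HTTP/1.1" 200 10240 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.45 - - [14/Nov/2025:09:20:41 +0000] "GET http://example-stage.test/check HTTP/1.1" 200 128 "-" "Adobe Synchronizer"
10.0.0.45 - - [14/Nov/2025:09:21:00 +0000] "GET http://cdn.example.net/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

# One regex for the combined format: source, timestamp, request line,
# status, bytes, then the quoted referer and user-agent fields.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The user-agent string the article says the exfiltration traffic carries.
SUSPECT_UA = "adobe synchronizer"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Proxy logs usually carry the absolute URL; keep just the destination host.
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def find_synchronizer_hits(log_text):
    """Return every parsed record whose user-agent contains the suspect string."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SUSPECT_UA in rec["ua"].lower():
            hits.append(rec)
    return hits


def summarize(hits):
    """Group hits as {source_ip: Counter({destination_host: count})} for triage."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h["src"], Counter())[h["host"]] += 1
    return by_src


def should_block(rec, allowed_hosts=frozenset()):
    """Block decision for one record: suspect user-agent and destination not allowlisted.

    allowed_hosts is a hypothetical, operator-maintained set of destinations
    already verified as legitimate; with the default empty set every request
    carrying the user-agent is blocked, as the article suggests.
    """
    if SUSPECT_UA not in rec["ua"].lower():
        return False
    return rec["host"] not in allowed_hosts


if __name__ == "__main__":
    hits = find_synchronizer_hits(SAMPLE_LOG)
    for src, dests in summarize(hits).items():
        print(f"{src}: {dict(dests)}")
    for h in hits:
        print(f"block {h['src']} -> {h['host']}: {should_block(h)}")
```

Run against real proxy exports, the summary step is what matters: a source host that talks to an unfamiliar destination with this user-agent is the one to pull for forensic review, while the block decision can be fed to the proxy policy once the allowlist reflects whatever legitimate Acrobat traffic the organisation has confirmed.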