Severity
High
Analysis Summary
A highly sophisticated zero-day exploit is actively targeting users of Adobe Reader, as detected by the researcher. The malicious PDF, originally submitted under the filename “yummy_adobe_exploit_uwu.pdf,” functions without requiring any user interaction beyond opening the document.

It is capable of stealing sensitive local data and performing advanced system fingerprinting, exploiting an unpatched vulnerability in the latest Adobe Reader version. Traditional antivirus tools failed to detect the malware, but the researcher's behavioral analytics flagged highly suspicious activities within the Acrobat JavaScript engine. The threat actors embedded the malicious code using Base64 encoding in hidden PDF objects to mask its intent.
According to the researcher, the exploit leverages internal Adobe APIs to bypass security controls. First, it uses util.readFileIntoStream() to read arbitrary files from the victim’s local system, circumventing standard sandbox protections. It then employs RSS.addFeed() to silently exfiltrate the stolen data to a remote server under attacker control. The exfiltrated information includes operating system details, language settings, Adobe Reader version, and the local PDF file path. This initial data theft serves as a reconnaissance step, allowing the attackers to evaluate whether the compromised system meets their target criteria before deploying additional payloads.
If the target is deemed valuable, the attacker’s server sends encrypted JavaScript payloads that are decrypted on the victim’s machine, evading network detection systems. Testing confirmed that the exploit can exfiltrate sensitive files, including a local System32 .png file, and that the secondary payload mechanism is fully functional. These additional payloads are capable of Remote Code Execution (RCE) and Sandbox Escape (SBX), potentially allowing attackers to bypass all remaining security boundaries and gain full control over the compromised system. This makes the threat exceptionally dangerous for both individual users and organizations.
Currently, this remains a zero-day threat with no official patch available from Adobe. Researchers recommend immediate precautions: users should avoid opening PDFs from untrusted sources, while network administrators should monitor and block traffic to the IP address 169.40.2.68 on port 45191. Additionally, defenders should inspect HTTP and HTTPS traffic for suspicious activity, particularly User-Agent strings containing “Adobe Synchronizer.” The exploit has been responsibly disclosed to Adobe Security, but vigilance and proactive network defense remain critical to prevent compromise.
Impact
- Sensitive Data Theft
- Code Execution
- Security Bypass
- Gain Access
Indicators of Compromise
IP
188.214.34.20
169.40.2.68
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Avoid opening PDF files from unknown, unverified, or suspicious sources.
- Apply the latest Adobe Reader updates immediately once the official patch is released.
- Block outgoing traffic to 169.40.2.68 on port 45191.
- Inspect HTTP and HTTPS traffic for suspicious activity, especially User-Agent strings containing “Adobe Synchronizer.”
- Deploy advanced antivirus/endpoint detection tools capable of behavioral monitoring.
- Restrict access to sensitive directories (e.g., System32) to reduce the impact of file exfiltration.
- Ensure PDFs are opened in isolated sandbox environments when possible.
- Train employees on recognizing phishing attempts and malicious attachments.
- Prepare logs, alerts, and response procedures in case of exploitation attempts.
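The network-monitoring steps above (blocking the listed IPs, watching port 45191, and inspecting User-Agent strings for “Adobe Synchronizer”) can be turned into a simple log sweep. The following is an added example written for this advisory, not code from the researcher or from Adobe; the proxy log layout and the sample lines are constructed for illustration, and only the IPs, port and User-Agent string come from the advisory.

```python
import re

# Indicators taken from the advisory above.
IOC_IPS = {"188.214.34.20", "169.40.2.68"}
IOC_C2_IP, IOC_C2_PORT = "169.40.2.68", 45191
IOC_USER_AGENT = "Adobe Synchronizer"

# Assumed proxy log layout (constructed for this example, not a real product format):
#   <timestamp> <client_ip> <dest_ip>:<dest_port> <method> <url> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dest>[\d.]+):(?P<port>\d+) '
    r'(?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def match_indicators(rec):
    """List the advisory indicators a parsed record matches (empty list means clean)."""
    hits = []
    if rec["dest"] in IOC_IPS:
        hits.append(f"dest ip {rec['dest']}")
    if rec["dest"] == IOC_C2_IP and int(rec["port"]) == IOC_C2_PORT:
        hits.append(f"c2 port {IOC_C2_PORT}")
    # Case-insensitive: a variant UA such as "adobe synchronizer/1.0" should still be flagged.
    if IOC_USER_AGENT.lower() in rec["ua"].lower():
        hits.append(f"user-agent '{IOC_USER_AGENT}'")
    return hits

def scan(lines):
    """Map each internal client IP to the set of indicators it triggered across all lines."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production sweep would count these separately
        hits = match_indicators(rec)
        if hits:
            findings.setdefault(rec["client"], set()).update(hits)
    return findings

# Constructed sample log: two hosts, one beaconing to the advisory IPs, one only UA-suspicious.
SAMPLE_LOG = [
    '2024-01-01T10:14:03Z 10.0.0.15 169.40.2.68:45191 POST http://169.40.2.68:45191/feed "Adobe Synchronizer"',
    '2024-01-01T10:14:05Z 10.0.0.15 188.214.34.20:443 GET https://188.214.34.20/p2 "Adobe Synchronizer"',
    '2024-01-01T10:15:00Z 10.0.0.22 203.0.113.9:443 GET https://203.0.113.9/ "Mozilla/5.0"',
    '2024-01-01T10:15:30Z 10.0.0.22 198.51.100.7:80 GET http://198.51.100.7/x "adobe synchronizer/1.0"',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, sorted(hits))
```

Because legitimate Acrobat components may also present an “Adobe Synchronizer” User-Agent, treat a UA-only hit as a lead to triage against the destination, not as a confirmed compromise on its own.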