[All] [2026] Infection Just by Opening a PDF? The Full Story of Adobe Reader's Zero-Day Attack (CVE-2026-34621)

This article explains the mechanism, countermeasures, and IOCs (Indicators of Compromise) of the Adobe Reader zero-day attack (CVE-2026-34621) disclosed in April 2026. The vulnerability is extremely dangerous: simply opening a PDF file is enough for an attacker to fingerprint the PC, steal files from it, and potentially take remote control of it.

 

What is a zero-day attack?


A zero-day attack is a cyberattack that exploits a vulnerability the software vendor is not yet aware of, or has not yet released a patch for. The name comes from the vendor having had "zero days" to fix the flaw before it was exploited.


Because no patch exists, users cannot take the usual defensive measure of applying security updates, and general-purpose antivirus software alone is often not enough. The Adobe Reader zero-day attack (CVE-2026-34621) disclosed in April 2026 is a typical example: the attack executes automatically as soon as a PDF file is opened, which is why the case is attracting so much attention.

 

table of contents

  1. Summary of the incident: A zero-day attack that went undetected for over four months.
  2. Attack Mechanism: A Cyberattack Chain Completed in 3 Stages
  3. A second variant was also discovered: the attackers continued to upgrade their version.
  4. Who are the targets? Russian language and the oil and gas industry are key keywords.
  5. What is CVE-2026-34621? It is the official identification number of the vulnerability.
  6. List of IOCs (Indicators of Compromise): Data usable for internal monitoring
  7. Actions you can take right now: What to do until the patch is released
  8. Online reactions: Voices of security researchers
  9. Frequently Asked Questions (FAQ)
  10. References and Sources

 


1. Summary of the incident: A zero-day attack that went undetected for more than four months.

 

On April 7, 2026, security researcher Haifei Li, founder of the sandbox-based exploit detection service EXPMON, disclosed an unpatched zero-day vulnerability (later registered as CVE-2026-34621) in the JavaScript engine of Adobe Reader.


The earliest known sample of this attack was uploaded to VirusTotal on November 28, 2025. Until it was identified in March 2026, the attack had therefore been running undetected around the world for roughly four months or more.


Another notable point is the low initial detection rate on VirusTotal: only 5 of 64 engines flagged the sample. Because it combines heavy obfuscation with sandbox-evasion techniques, typical antivirus products treated it as effectively harmless.

 


 

2. Attack Mechanism: A Cyberattack Chain Completed in 3 Stages

 

The most distinctive feature of this zero-day attack is that it begins automatically the moment the user opens the PDF. No further action is required, such as clicking a link or allowing macros to run.


The attack proceeds in the following three stages (phases):

 

Phase 1: Loader startup (automatic execution)

JavaScript embedded in a hidden form field in the PDF (btn1), obfuscated with JSFuck, is triggered automatically as soon as the PDF is opened. It decodes a large base64-encoded blob and executes the result after a 500 millisecond delay (a sandbox-evasion trick).

 

Phase 2: Fingerprinting (Target Investigation)

The attack code uses the Adobe Reader JavaScript API to collect the following information from the device:

  • Exact OS version (obtained by parsing the ntdll.dll binary)
  • Adobe Reader version
  • Language settings and platform information
  • Installed antivirus software
  • Local path of the PDF file

All of this is sent to a C2 (command-and-control) server controlled by the attacker via the RSS.addFeed() API. The request carries the User-Agent "Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533)", mimicking a legitimate Adobe component so that it blends into normal network traffic and evades monitoring.

 

Phase 3: Subsequent attack (conditional)

The C2 server selects targets based on the collected information; only devices that meet the attacker's criteria proceed. For those, it delivers an additional JavaScript payload, AES-CTR encrypted and zlib compressed, which could escalate to remote code execution (RCE) and a sandbox escape (SBX). For sandbox environments it returns only // (an empty JavaScript comment), so there is nothing for the sandbox to analyze.

In a verification experiment using his own server, Haifei Li confirmed that JavaScript returned from the C2 was actually executed in Adobe Reader and could read PNG files from the system32 directory and send them to an external server. Even without a follow-on RCE, file theft is therefore achieved by phases 2 and 3 alone.

 


 

3. A second variant was also discovered: The attackers continued to upgrade their version.


On April 8, 2026, security researcher Greg Lesnewich (@greglesnewich) reported a new variant.

According to the detailed forensic report published on GitHub by researcher N3mes1s, a comparison of v1 (prototype) and v2 (production) shows that the attackers made the following continuous improvements:

  • Further strengthened code obfuscation
  • Narrowed the target OS range (dropped Windows 7 support)
  • Regularly rotated the C2 server infrastructure

In addition, the C2 server logs show a /s12 endpoint that appears to be intended for Adobe Reader v25.x, suggesting that a v3 is already under development.

 

4. Who are the targets? Russian language and the oil and gas industry are key keywords.


According to analysis by researcher Gi7w0rm, the decoy PDF used in the attack is written in Russian and discusses current events in Russia's oil and gas industry.


N3mes1s's forensic analysis identified two types of samples.

 

Sample               Decoy document contents                                         Presumed target
Sample 1 (54077a5b)  Procedures for responding to gas-supply disruptions,            Energy companies and critical-infrastructure operators
                     worker safety risks, cooperation with local authorities,
                     and public notifications (in Russian)
Sample 2 (65dca34b)  Inter-organizational agreements and contracts bearing           Russian-speaking government agencies and private organizations
                     a Moscow address (in Russian)



All of the PDFs have their metadata set to /Lang (en-US) despite the Russian content, the creation tool is the Python library PyMuPDF, and the title is deliberately anonymized as "Blank Page". N3mes1s assesses the campaign as "sophisticated espionage by a state-sponsored or APT (Advanced Persistent Threat) group."
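The loader traits from Phase 1 (document-open JavaScript in a hidden field, JSFuck obfuscation, a large base64 blob, a 500 ms timer) and the decoy fingerprint from this section (PyMuPDF producer, "Blank Page" title, en-US language tag) can be turned into a static triage script. The following is an added example written for this article, not code from the original page, EXPMON or N3mes1s; the thresholds, the two constructed PDFs and the limitation to raw objects plus FlateDecode streams are assumptions of the demo.

```python
"""
Static triage for a PDF carrying an auto-run JavaScript loader. Added example, not
code from the article, EXPMON or N3mes1s. Scores the traits the article reports
for the CVE-2026-34621 samples: JavaScript wired to an open/additional action,
a JSFuck-alphabet run, a large base64 blob, an app.setTimeOut() delay, and the
anonymised metadata (/Producer PyMuPDF, /Title "Blank Page", /Lang en-US).
Only the raw file and FlateDecode streams are inspected; object streams and
encrypted PDFs are out of scope. Both PDFs below are constructed for the demo.
"""
import base64
import re
import zlib

# Heuristic thresholds (assumptions for the demo; tune for your own corpus).
JSFUCK_RUN = re.compile(rb"[\[\]()!+]{64,}")             # JSFuck uses only []()!+
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{512,}={0,2}")  # long encoded payload
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def decoded_views(pdf: bytes) -> list:
    """The raw file plus every stream that inflates cleanly with zlib."""
    views = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            views.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or foreign filter; raw bytes are already covered
    return views


def triage_pdf(pdf: bytes) -> dict:
    """Return per-trait booleans and a verdict: clean / review / suspicious."""
    blob = b"\n".join(decoded_views(pdf))
    r = {
        # document-open or additional-action hooks combined with a JS action
        "autorun_js": (b"/OpenAction" in blob or b"/AA" in blob)
                      and (b"/JS" in blob or b"/JavaScript" in blob),
        "acroform_field": b"/AcroForm" in blob,
        "jsfuck": JSFUCK_RUN.search(blob) is not None,
        "base64_blob": BASE64_BLOB.search(blob) is not None,
        "timer_delay": re.search(rb"setTimeOut\s*\(", blob) is not None,
        "producer_pymupdf": re.search(rb"/Producer\s*\(PyMuPDF", blob) is not None,
        "title_blank_page": re.search(rb"/Title\s*\(Blank Page\)", blob) is not None,
        "lang_en_us": re.search(rb"/Lang\s*\(en-US\)", blob) is not None,
    }
    obfuscated = r["jsfuck"] or r["base64_blob"] or r["timer_delay"]
    if r["autorun_js"] and obfuscated:
        r["verdict"] = "suspicious"
    elif r["autorun_js"]:
        r["verdict"] = "review"
    else:
        r["verdict"] = "clean"
    return r


def _assemble(objs: list, info_ref: bytes) -> bytes:
    """Serialise numbered objects into a minimal PDF body (no xref, demo only)."""
    out = b"%PDF-1.7\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R /Info " + info_ref + b" >>\n%%EOF\n"


def build_loader_pdf() -> bytes:
    """Constructed sample: hidden button btn1 and an open action running a
    deflated JSFuck loader that base64-decodes and delays. Not a real sample."""
    js = (b"var p=" + b"+".join([b"(![]+[])[+[]]"] * 8) + b";"
          b"var b='" + base64.b64encode(b"A" * 450) + b"';"
          b"app.setTimeOut('eval(atob(b))', 500);")
    stream = zlib.compress(js)
    return _assemble([
        b"<< /Type /Catalog /Pages 2 0 R /Lang (en-US) "
        b"/AcroForm << /Fields [4 0 R] >> /OpenAction << /S /JavaScript /JS 5 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Widget /FT /Btn /T (btn1) /F 2 /Rect [0 0 0 0] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
        b"<< /Producer (PyMuPDF 1.24.0) /Title (Blank Page) >>",
    ], b"6 0 R")


def build_benign_pdf() -> bytes:
    """Constructed control: one page of text, no actions, ordinary metadata."""
    content = b"BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET"
    return _assemble([
        b"<< /Type /Catalog /Pages 2 0 R /Lang (en-US) >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Producer (LibreOffice 7.6) /Title (Quarterly report) >>",
    ], b"5 0 R")


if __name__ == "__main__":
    for name, doc in (("loader", build_loader_pdf()), ("benign", build_benign_pdf())):
        res = triage_pdf(doc)
        print(name, res["verdict"], [k for k, v in res.items() if v is True])
```

The metadata traits are reported but do not raise the verdict on their own: plenty of legitimate documents carry /Lang (en-US) or a PyMuPDF producer string, so they are useful for clustering samples from this campaign, not as a standalone detection. A document that hooks JavaScript to an open action is worth a look regardless; one that does so with JSFuck or a long base64 blob in the script is the pattern described in Phase 1.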

 

5. What is CVE-2026-34621? The official identification number of the vulnerability.


CVE-2026-34621 is the official identifier assigned to the newly discovered zero-day vulnerability in Adobe Reader's JavaScript engine. CVE (Common Vulnerabilities and Exposures) is the international standard scheme for uniquely identifying and tracking vulnerabilities.


The vulnerability has been confirmed to affect all versions of Adobe Reader, including the latest release at the time of disclosure, and Adobe has been notified. When this article was first written (April 2026) no official fix was available; Adobe has since released an emergency fix. Users who have not yet applied it should update to the latest version as soon as possible.

 

 

6. List of IOCs (Indicators of Compromise): Data usable for internal monitoring


By registering the following IOCs in your firewall, EDR, and SIEM you can detect and block activity tied to this campaign. Two caveats: the attackers rotate their C2 infrastructure (see section 3), so the IP addresses and domain will go stale and should be treated as a starting point rather than a complete blocklist, and the file hashes match only the two known samples.

 

Type            Value                                                                          Remarks
C2 IP address   169.40.2.68:45191                                                              v1 sample (Latvia, VEESP)
C2 IP address   188.214.34.20:34123                                                            v2 sample (Cyprus, EDIS GmbH)
Domain          ado-read-parser.com / zx.ado-read-parser.com                                   Registered February 6, 2025; VT detection 0/94
User-Agent      Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533)                        Disguised as an Adobe process
SHA-256 (v1)    54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f               Invoice540.pdf (VT 6/77)
SHA-256 (v2)    65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7               Detected by EXPMON (VT 5/64)
Registry key    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Synchronizer   Persistence mechanism
Campaign ID     422974 (v1) / 319988 (v2)                                                      Carried in the C2 URL parameter &od=

 

7. Actions you can take right now: What to do until the patch is released


Network Monitoring


The most effective network control is to detect and block HTTP requests from Acrobat.exe and AcroRd32.exe whose User-Agent contains "Adobe Synchronizer" and whose destination is anything other than Adobe's official servers. Also alert on any request whose URL contains &od=422974 or &od=319988.


Endpoint protection


Add a rule that detects unusual file access by Adobe processes to ntdll.dll or Bootsvc.dll. Note that every process loads ntdll.dll as a module, so the signal is a file read of the DLL rather than the normal image load; scope the rule to file-open events. We also recommend alerting when AdobeCollabSync.exe attempts to connect to an external network.
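The Phase 2 beacon (section 2), the IOC table (section 6) and the network and endpoint rules above can be combined into one sweep over exported telemetry. The following is an added example written for this article, not code from the original page or the cited researchers. The IOC values are taken from the table in section 6; the JSON-lines event format, the Adobe allowlist (*.adobe.com, *.adobe.io), the internal address ranges and the five sample events are assumptions constructed for the demo.

```python
"""
IOC sweep over network telemetry for the CVE-2026-34621 campaign. Added example,
not code from the article or the cited researchers. IOC values come from the
article's table; the event format (one JSON object per line with process,
destination IP/port, URL and User-Agent, as an EDR or proxy might export),
the Adobe allowlist, the internal ranges and the sample events are assumptions.
"""
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

C2_IPS = {"169.40.2.68", "188.214.34.20"}
C2_DOMAIN = "ado-read-parser.com"
C2_USER_AGENT = "Adobe Synchronizer"   # "Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533)"
CAMPAIGN_IDS = {"422974", "319988"}    # &od= values seen for v1 / v2
READER_PROCS = {"acrobat.exe", "acrord32.exe", "adobecollabsync.exe"}
ADOBE_ALLOWLIST = ("adobe.com", "adobe.io")  # assumption: legitimate Adobe endpoints
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (  # assumption: your RFC1918 space
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_adobe_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ADOBE_ALLOWLIST)


def is_external(ip: str) -> bool:
    """True for any address outside the internal ranges (unparseable -> False)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def match_event(ev: dict) -> list:
    """Return the rule IDs an event trips (empty list = nothing of interest)."""
    proc = ev.get("process", "").lower()
    url = urlsplit(ev.get("url", ""))
    host = url.hostname or ""
    hits = []
    # R1: Reader process beaconing with the spoofed UA to a non-Adobe server
    if (proc in READER_PROCS and C2_USER_AGENT in ev.get("user_agent", "")
            and not is_adobe_host(host)):
        hits.append("R1-synchronizer-ua")
    # R2: campaign ID in the query string, whatever the destination
    if any(v in CAMPAIGN_IDS for v in parse_qs(url.query).get("od", [])):
        hits.append("R2-campaign-id")
    # R3: known C2 IP or domain, whatever the process
    if (ev.get("dst_ip") in C2_IPS or host == C2_DOMAIN
            or host.endswith("." + C2_DOMAIN)):
        hits.append("R3-c2-infra")
    # R4: AdobeCollabSync.exe reaching outside the network to a non-Adobe host
    if (proc == "adobecollabsync.exe" and is_external(ev.get("dst_ip", ""))
            and not is_adobe_host(host)):
        hits.append("R4-collabsync-external")
    return hits


def sweep(lines: list) -> list:
    """Run match_event over JSON lines; return (line_no, host, rule_ids) per hit."""
    out = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not fatal
        hits = match_event(ev)
        if hits:
            out.append((n, ev.get("host", "?"), hits))
    return out


SAMPLE_LOG = [  # constructed events, not real telemetry
    '{"host":"WS-017","process":"AcroRd32.exe","dst_ip":"169.40.2.68","dst_port":45191,'
    '"url":"http://169.40.2.68:45191/s?v=25&od=422974",'
    '"user_agent":"Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533)"}',
    '{"host":"WS-017","process":"Acrobat.exe","dst_ip":"203.0.113.20","dst_port":443,'
    '"url":"https://acroipm2.adobe.com/ipm",'
    '"user_agent":"Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533)"}',
    '{"host":"WS-042","process":"chrome.exe","dst_ip":"188.214.34.20","dst_port":34123,'
    '"url":"http://zx.ado-read-parser.com/u","user_agent":"Mozilla/5.0"}',
    '{"host":"WS-042","process":"AdobeCollabSync.exe","dst_ip":"203.0.113.7","dst_port":80,'
    '"url":"http://203.0.113.7/ping","user_agent":"Mozilla/5.0"}',
    '{"host":"WS-099","process":"outlook.exe","dst_ip":"10.0.0.5","dst_port":443,'
    '"url":"https://mail.corp.internal/ews","user_agent":"Microsoft Office"}',
]

if __name__ == "__main__":
    for line_no, host, rules in sweep(SAMPLE_LOG):
        print(f"line {line_no} host {host}: {', '.join(rules)}")
```

The rules are deliberately independent: R3 fires on the listed infrastructure from any process (a browser talking to the C2 domain is still worth a ticket), while R1 and R2 catch the behaviour and the campaign marker even after the attackers rotate to new IP addresses, which section 3 says they do. The second sample event shows why the allowlist matters: the same User-Agent towards an Adobe host produces no alert, so R1 does not page on ordinary Reader update traffic.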


User training and operational support

  • Do not open PDFs from unknown or unexpected senders (be especially wary of file names disguised as invoices or contracts).
  • Disable JavaScript execution in Adobe Reader on work endpoints (Edit > Preferences > JavaScript, or via policy; environment-dependent).
  • Block the IOC IP addresses and domain listed above at the firewall or proxy.
  • Continuously monitor Adobe's official security advisories and apply patches immediately after release.


8. Online reactions: Voices of security researchers


Following the discovery of this zero-day attack, various opinions have been expressed within the security community.

 

Across the security community, many expressed surprise that the attack went undetected for more than four months, and there is a shared sense of crisis that "standard EDR alone is not enough." There is also active discussion of the evidence pointing to APT involvement (Russian-language decoy documents and subject matter tied to state interests).

 

9. Frequently Asked Questions (FAQ)


Q. Can this Adobe Reader zero-day vulnerability infect a machine simply by opening a file?


A. Yes. This exploit is designed to execute automatically the moment the PDF is opened, requiring no additional action from the user, such as clicking a link or allowing macro execution. Therefore, it is extremely dangerous.

 

Q. Can this be prevented with typical antivirus software?


A. At present, it is extremely difficult to prevent. The initial detection rate on VirusTotal is extremely low at 5/64, and because it incorporates advanced obfuscation such as JSFuck and sandbox evasion features, it is highly likely that standard antivirus products will treat it as a harmless file.

 

Q. Has a patch for CVE-2026-34621 been released?


A. Following the discovery of the vulnerability, Adobe has released an emergency fix for the zero-day vulnerability (CVE-2026-34621). Users of Adobe Reader should update to the latest version immediately. As a temporary measure before applying the patch, we recommend registering the IOCs in this article with your firewall or EDR and conducting user education on how to handle suspicious PDFs.

 

Q. How can I check if I have been a victim of a zero-day attack?


A. Check your network logs for any record of Acrobat.exe or AcroRd32.exe communicating with the IOC IP addresses above (169.40.2.68, 188.214.34.20) or the domain ado-read-parser.com. Also check for the presence of the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Synchronizer, which the malware uses for persistence.

 

Q. Is the term "zero-day attack" related to the Netflix drama "Zero Day"?


A. Although the name is the same, "zero day," there is no connection. The Netflix drama "Zero Day" is a political thriller about cyberattacks. On the other hand, the "zero day attack" explained in this article is an actual cybersecurity term, and Adobe Reader CVE-2026-34621 is a real-world attack case.

 

10. References and Sources

 

  • Haifei Li (EXPMON): EXPMON detected sophisticated zero-day fingerprinting attack targeting Adobe Reader users (April 7, 2026)
  • Greg Lesnewich: Adobe Exploit PDF Traffic (GitHub Gist) (April 8, 2026)
  • N3mes1s: Adobe Reader Zero-Day PDF Exploit – Full Forensic Analysis (GitHub Gist) (April 8, 2026)
  • SecurityWeek: Adobe Reader Zero-Day Exploited for Months: Researcher
  • The Register: Old Adobe Reader zero-day uses PDFs to size up targets
  • Security Affairs: Malicious PDF reveals active Adobe Reader zero-day in the wild
  • The Hacker News: Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

 

 

 

Comments (2)
  • wlChinchilla395
    I guess this is an article about Adobe. I don't really understand what it's about ㅜ
  • jaX-ray Tetra157
    Hacking, that's scary. I'd better be careful.