EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Malware Delivery

ISO and IMG Container Abuse

Container files like ISO and IMG strip the Mark-of-the-Web from everything inside them when mounted as a drive. How BumbleBee and Emotet exploited this, what Microsoft changed, and how analysts triage containers today.

Ashish Revar13 May 20269 min read4 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

Google TAG: BumbleBee Loader Analysis

Google Threat Analysis Group's initial documentation of BumbleBee and its ISO-based delivery.

reference
CVE-2022-41091 — MotW Bypass via ISO

Microsoft's security advisory for the Mark-of-the-Web propagation bypass patched in November 2022.

reference
7-Zip

Extract ISO/IMG contents without mounting. Safer initial extraction in an analysis environment.

tool
More articlesTest your knowledge

The Mark-of-the-Web Problem

Windows uses a mechanism called the Mark-of-the-Web (MotW) to track whether a file originated from the internet. When a file is downloaded from a browser or received as an email attachment and saved to disk, Windows writes an Alternate Data Stream (ADS) named Zone.Identifier to the file. This ADS contains a ZoneId value: 3 for internet-sourced files.

Software that cares about trust — Office applications, Windows SmartScreen, the Protected View mechanism — reads this ADS. A ZoneId of 3 triggers warnings, macro blocking, and SmartScreen checks. The entire security model for blocking malicious Office macros relied on this tag being present.

ISO and IMG container files exposed a straightforward bypass: when Windows mounts a container file as a virtual drive, the files extracted from it do not inherit the Zone Identifier of the container. If you download an ISO from the internet, the ISO itself gets ZoneId=3. But when you mount it and access the files inside, those files have no Zone Identifier at all — they are treated as locally sourced.

Attackers adopted this immediately. An ISO containing a malicious LNK and a DLL would bypass macro blocking because LNK files were not blocked by macro policy, and neither the LNK nor the DLL would carry MotW because they came from a mounted container.

Attack Chain Structure

The typical ISO-based delivery chain in 2022-2023 campaigns followed a consistent layout inside the container:

malicious.iso
├── document.lnk          (appears as PDF icon via custom icon)
├── actual_payload.dll    (hidden attribute set)
├── legitimate_app.exe    (hidden, used for DLL sideloading)
└── decoy.pdf             (real PDF, opened to distract victim)

The victim mounts the ISO (Windows auto-mounts on double-click in Windows 10+), sees what looks like a PDF document, double-clicks it, and the LNK executes.

BumbleBee

BumbleBee, first documented by Google Threat Intelligence in March 2022, was a loader designed specifically for the post-macro delivery environment. Its initial delivery mechanism was almost exclusively ISO-based:

  • Phishing email with an ISO attachment or a link to an ISO download
  • ISO contained a LNK, a DLL (BumbleBee loader), and sometimes a legitimate decoy document
  • LNK executed rundll32.exe [DLL],[export] to load the BumbleBee DLL
  • BumbleBee loaded Cobalt Strike, Meterpreter, or other post-exploitation tooling

BumbleBee was notable for being purpose-built for the ISO delivery method rather than adapted from an older macro-based architecture.

Emotet Post-Resurgence

Emotet, after its January 2021 takedown and November 2021 resurgence, progressively adopted ISO delivery as Microsoft rolled out macro blocking. By mid-2022, the dominant Emotet delivery chain involved a password-protected ZIP (to prevent gateway scanning) containing an ISO containing a LNK that launched a VBScript or directly executed the Emotet DLL via regsvr32.

The Microsoft November 2022 Patch

Microsoft addressed the MotW propagation gap in November 2022 (CVE-2022-41091 and related fixes). From this patch onward, Windows propagates the Zone Identifier from a container file to the files extracted from it. An ISO with ZoneId=3 now causes its contents to also carry ZoneId=3 when accessed via Windows Explorer.

However, the patch requires a fully patched Windows 10/11 system. Unpatched systems remain vulnerable. Enterprise environments with patching delays remained valid targets through 2023 and into 2024.

Analyst Triage Workflow

Step 1: Identify the container. Use file (Linux) or Detect-It-Easy to confirm the container type. ISO 9660, UDF, and IMG (raw FAT/NTFS) are all common.

Step 2: Mount safely. Do not double-click to mount in an uncontrolled environment. In a sandboxed analysis VM:

# Linux
mkdir /mnt/iso_analysis
mount -o loop -t iso9660 suspicious.iso /mnt/iso_analysis
ls -la /mnt/iso_analysis

Step 3: List all files including hidden. The ls -la or dir /a output reveals hidden DLLs and executables that would not be visible to a user browsing the mounted drive normally.

Step 4: Examine the LNK. Extract and parse the LNK file to get the command-line arguments before executing anything.

Step 5: Check Zone Identifier on the ISO. On Windows:

Get-Item suspicious.iso -Stream Zone.Identifier | Get-Content

A ZoneId of 3 confirms internet origin. If absent on a file that arrived via email, either the MotW was stripped (possible with some email clients) or the system is not patched.

Step 6: Hash and look up all inner files. Hash every file inside the container and check against VirusTotal before examining further.

Detection

  • Mounting telemetry. EDR products monitoring the Windows virtual drive mounting process flag ISO files with ZoneId=3 being mounted.
  • Process creation from mounted drive letters. Any process spawned from a drive letter that corresponds to a recently mounted virtual drive should be flagged.
  • YARA on ISO contents. Tools like isoinfo or 7-Zip can extract contents for YARA scanning without mounting.