Container files like ISO and IMG strip the Mark-of-the-Web from everything inside them when mounted as a drive. How BumbleBee and Emotet exploited this, what Microsoft changed, and how analysts triage containers today.
Sign in to mark this article as read and track your progress.
Windows uses a mechanism called the Mark-of-the-Web (MotW) to track whether a file originated from the internet. When a file is downloaded from a browser or received as an email attachment and saved to disk, Windows writes an Alternate Data Stream (ADS) named Zone.Identifier to the file. This ADS contains a ZoneId value: 3 for internet-sourced files.
Software that cares about trust — Office applications, Windows SmartScreen, the Protected View mechanism — reads this ADS. A ZoneId of 3 triggers warnings, macro blocking, and SmartScreen checks. The entire security model for blocking malicious Office macros relied on this tag being present.
ISO and IMG container files exposed a straightforward bypass: when Windows mounts a container file as a virtual drive, the files extracted from it do not inherit the Zone Identifier of the container. If you download an ISO from the internet, the ISO itself gets ZoneId=3. But when you mount it and access the files inside, those files have no Zone Identifier at all — they are treated as locally sourced.
Attackers adopted this immediately. An ISO containing a malicious LNK and a DLL would bypass macro blocking because LNK files were not blocked by macro policy, and neither the LNK nor the DLL would carry MotW because they came from a mounted container.
The typical ISO-based delivery chain in 2022-2023 campaigns followed a consistent layout inside the container:
malicious.iso
├── document.lnk (appears as PDF icon via custom icon)
├── actual_payload.dll (hidden attribute set)
├── legitimate_app.exe (hidden, used for DLL sideloading)
└── decoy.pdf (real PDF, opened to distract victim)
The victim mounts the ISO (Windows auto-mounts on double-click in Windows 10+), sees what looks like a PDF document, double-clicks it, and the LNK executes.
BumbleBee, first documented by Google Threat Intelligence in March 2022, was a loader designed specifically for the post-macro delivery environment. Its initial delivery mechanism was almost exclusively ISO-based:
rundll32.exe [DLL],[export] to load the BumbleBee DLLBumbleBee was notable for being purpose-built for the ISO delivery method rather than adapted from an older macro-based architecture.
Emotet, after its January 2021 takedown and November 2021 resurgence, progressively adopted ISO delivery as Microsoft rolled out macro blocking. By mid-2022, the dominant Emotet delivery chain involved a password-protected ZIP (to prevent gateway scanning) containing an ISO containing a LNK that launched a VBScript or directly executed the Emotet DLL via regsvr32.
Microsoft addressed the MotW propagation gap in November 2022 (CVE-2022-41091 and related fixes). From this patch onward, Windows propagates the Zone Identifier from a container file to the files extracted from it. An ISO with ZoneId=3 now causes its contents to also carry ZoneId=3 when accessed via Windows Explorer.
However, the patch requires a fully patched Windows 10/11 system. Unpatched systems remain vulnerable. Enterprise environments with patching delays remained valid targets through 2023 and into 2024.
Step 1: Identify the container. Use file (Linux) or Detect-It-Easy to confirm the container type. ISO 9660, UDF, and IMG (raw FAT/NTFS) are all common.
Step 2: Mount safely. Do not double-click to mount in an uncontrolled environment. In a sandboxed analysis VM:
# Linux
mkdir /mnt/iso_analysis
mount -o loop -t iso9660 suspicious.iso /mnt/iso_analysis
ls -la /mnt/iso_analysis
Step 3: List all files including hidden. The ls -la or dir /a output reveals hidden DLLs and executables that would not be visible to a user browsing the mounted drive normally.
Step 4: Examine the LNK. Extract and parse the LNK file to get the command-line arguments before executing anything.
Step 5: Check Zone Identifier on the ISO. On Windows:
Get-Item suspicious.iso -Stream Zone.Identifier | Get-Content
A ZoneId of 3 confirms internet origin. If absent on a file that arrived via email, either the MotW was stripped (possible with some email clients) or the system is not patched.
Step 6: Hash and look up all inner files. Hash every file inside the container and check against VirusTotal before examining further.
isoinfo or 7-Zip can extract contents for YARA scanning without mounting.