<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Windows on DEATH.sk</title><link>http://death.sk/tags/windows/</link><description>Recent content in Windows on DEATH.sk</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Sun, 12 Apr 2026 15:00:48 +0200</lastBuildDate><atom:link href="http://death.sk/tags/windows/index.xml" rel="self" type="application/rss+xml"/><item><title>Understanding EDR Telemetry: Virtual Disk Mount</title><link>http://death.sk/posts/iso_mount/</link><pubDate>Sun, 12 Apr 2026 15:00:48 +0200</pubDate><guid>http://death.sk/posts/iso_mount/</guid><description>&lt;p&gt;In 2022 Microsoft &lt;a href="https://learn.microsoft.com/en-gb/microsoft-365-apps/security/internet-macros-blocked"&gt;announced&lt;/a&gt; auto-blocking of macros in Office documents downloaded from the Internet, a popular initial access method for threat actors. This forced threat actors to turn to other less common methods of malware delivery. One of the methods that &lt;a href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"&gt;quickly&lt;/a&gt; &lt;a href="https://thedfirreport.com/2022/04/25/quantum-ransomware/"&gt;gained&lt;/a&gt; &lt;a href="https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/"&gt;traction&lt;/a&gt; was distribution through ISO-mounted files.&lt;/p&gt;
&lt;p&gt;The user double-clicks the ISO file, which mounts it as a CD-ROM drive. The mounted drive contains a lure, commonly in the form of an LNK file masquerading as a document. When the victim executes the LNK lure, it launches (often with additional tricks such as DLL side-loading) a payload that is also placed on the mounted ISO drive. The payload and any other files except the lure file have the hidden attribute set to avoid raising suspicion.&lt;/p&gt;</description></item></channel></rss>