Beware: New wave of malware spreads via ISO file email attachments

  • November 17, 2018
  • 3 min read
Beware: New wave of malware spreads via ISO file email attachments

Email remains one of the most common methods of malware delivery. In 2016, about 66 percent of malware was installed via malicious email attachments, according to a Verizon report.

Most malicious email attachments come in the form of widely recognized files such as .EXE, .DOC, .PDF, .ZIP and so on, but recently we’ve seen a spike in malware concealed in ISO files.

Read on to learn more about what ISO files are, how to spot a dodgy ISO email attachment and what you need to do to keep yourself safe from this type of attack.

Example of an email with a malicious ISO attachment

As with many other phishing attacks, the new breed of ISO malware is distributed as an email attachment. The contents of the email message can vary but tend to feature language that creates a sense of urgency and encourages you to open the attached ISO file.

Here’s an example of an email we’ve seen in the wild:

ISO malware attachment

In the event that you do open the file, you’ll be pleased to know that Emsisoft Anti-Malware will step in to prevent the malware from making any changes to your system. You can see Emsisoft Anti-Malware in action in the screenshot below:

iso malware alert emsisoft

What is an ISO file?

An ISO file (sometimes referred to as an ISO image) is an archive file that contains all the information that would be written to an optical disc. In other words, it is a complete 1:1 copy of everything stored on a physical disc such as a CD, DVD or Blu-ray. The name ISO comes from the name of the file system typically used by optical media, ISO 0660.

ISO files are commonly used to create a backup of a CD or DVD. They’re also very useful for distributing large programs over the internet as an ISO image can handily contain all of a program’s files in a single file.

Why are ISO files being used?

There are a couple of reasons why ISO files are being used in this attack.

Firstly, the malware authors are probably aware that many email gateway scanners don’t scan ISO file attachments properly. This is probably due to the fact that ISOs tend to be hundreds of megabytes in size, making them prohibitively large for efficient and effective scanning. However, ISOs can also be very small and may contain nothing more than a half megabyte malware binary.

Secondly, ISO files are incredibly easy to open these days. In years gone by, you needed third-party software to open an ISO file, but modern versions of Windows (Windows 8 and Windows 10) feature a native ISO mounting tool. Opening an ISO file is now as simple as double-clicking the file. This increases the chances of the target opening the file and infecting their system.

How to protect yourself from ISO malware

The usual rules when it comes to protecting yourself from ISO malware. Be wary of unsolicited emails, avoid clicking links and opening attachments unless you’re 100 percent confident that they’re safe and always protect yourself with reliable antivirus software.

For more information, please see our guide on identifying and preventing phishing scams.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Have a good (malware-free) day!



Emsisoft founder and managing director. In 1998 when I was 16, a so called 'friend' sent me a file via ICQ that unexpectedly opened my CD-ROM drive, which gave me a big scare. It marked the start of my journey to fight trojans and other malware. My story

What to read next