Malicious spam campaigns are delivering malware in disk image file formats, with .ISO being the most used in this case. Among the most popular threats delivered this way are remote access tools (NanoCore, Remcos) and the LokiBot information stealer.
Choosing ISO to deliver malware makes sense, since the Windows operating system can mount this file type when it is double-clicked. This allows scammers to disguise the threat as an innocent file. In a recent campaign, threat actors created a fake FedEx shipment email message to trick recipients into downloading a malicious ISO that included an executable.
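For defenders screening mail attachments, the following added example (not code from the original article) reads the root directory of an ISO 9660 image and reports files with executable extensions. The `RISKY` extension list, the function names and the `SHIPMENT.EXE` sample image are constructed assumptions; UDF-only images are not handled.

```python
import struct

SECTOR = 2048
RISKY = (".exe", ".scr", ".com", ".bat", ".js", ".vbs", ".lnk")  # assumed policy list

def iso_root_files(data):
    """List file names in an ISO 9660 root directory; None if not ISO 9660."""
    pvd = data[16 * SECTOR:17 * SECTOR]          # primary volume descriptor
    if len(pvd) < 190 or pvd[0] != 1 or pvd[1:6] != b"CD001":
        return None
    lba, size = struct.unpack_from("<I4xI", pvd, 158)  # root record at offset 156
    names, pos, end = [], lba * SECTOR, lba * SECTOR + size
    while pos < end and pos + 33 <= len(data):
        rec_len = data[pos]
        if rec_len == 0:                         # padding: skip to next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        flags, name_len = data[pos + 25], data[pos + 32]
        name = data[pos + 33:pos + 33 + name_len]
        if not flags & 0x02 and name not in (b"\x00", b"\x01"):  # skip dirs, ".", ".."
            names.append(name.decode("ascii", "replace").split(";")[0])
        pos += rec_len
    return names

def risky_files(data):
    """Names in the image root whose extension is on the RISKY list."""
    return [n for n in iso_root_files(data) or [] if n.lower().endswith(RISKY)]

def _record(name, lba, size, flags=0):
    """Build one directory record (only the fields the parser reads)."""
    rec = bytearray(33) + name
    rec += b"\x00" * (len(rec) % 2)              # records have even length
    rec[0], rec[25], rec[32] = len(rec), flags, len(name)
    struct.pack_into("<I", rec, 2, lba)
    struct.pack_into("<I", rec, 10, size)
    return bytes(rec)

def build_sample_iso():
    """Constructed sample: root directory in sector 18 holding one file."""
    root = (_record(b"\x00", 18, SECTOR, 2) + _record(b"\x01", 18, SECTOR, 2)
            + _record(b"SHIPMENT.EXE;1", 19, 4))
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"
    pvd[156:190] = _record(b"\x00", 18, SECTOR, 2)
    return (bytes(16 * SECTOR) + bytes(pvd) + bytes(SECTOR)
            + root.ljust(SECTOR, b"\x00") + b"data".ljust(SECTOR, b"\x00"))

if __name__ == "__main__":
    print(risky_files(build_sample_iso()))
```

Because the check keys on the `CD001` signature rather than the attachment's file name, it still applies when a disk image arrives under a different extension.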