What starting position does this attack require?

The first step is Cobalt-class beacon establishes C2 (T1071) — a command and control primitive. Assumed environment: target endpoints allow ISO mounting via Explorer (default on Windows 10/11).

What is the final impact of this kill-chain?

The final step lands on LNK fires hidden cmd.exe / mshta (PAY-HTA-VBS), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

ISO container → LNK → stage from CDN → C2

Email attaches an ISO. Windows mounts it as a drive, bypassing Mark-of-the-Web. LNK inside runs a hidden binary that pulls the real stager from a CDN — Defender often misses the chain.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Command and Control

Cobalt-class beacon establishes C2

T1071 · Application Layer Protocol

Command and Control

Stager pulls payload from CDN

T1071 · Application Layer Protocol

Initial Access

Email with ISO attachment

T1566 · Phishing

Persistence

Local persistence

W-SCHEDTASK-HIJACK · Scheduled Task Hijack

Execution

Victim double-clicks → ISO mounts (no MOTW)

PAY-ISO-LNK · ISO / IMG Mounting → LNK Execution

Execution

LNK fires hidden cmd.exe / mshta

PAY-HTA-VBS · HTA / VBS / WSF Execution

§ Context

Assumed environment: target endpoints allow ISO mounting via Explorer (default on Windows 10/11). Macros may be blocked by GPO; attacker uses ISO as the modern alternative.

§ Steps

01
Cobalt-class beacon establishes C2Command and Control
T1071— Application Layer Protocol
02
Stager pulls payload from CDNCommand and Control
T1071— Application Layer Protocol
03
Email with ISO attachmentInitial Access
T1566— Phishing
04
Local persistencePersistence
W-SCHEDTASK-HIJACK— Scheduled Task Hijack
05
Victim double-clicks → ISO mounts (no MOTW)Execution
PAY-ISO-LNK— ISO / IMG Mounting → LNK Execution
06
LNK fires hidden cmd.exe / mshtaExecution
PAY-HTA-VBS— HTA / VBS / WSF Execution

§ References

T1071Application Layer Protocol
T1566Phishing

§ Frequently asked

What is the "ISO container → LNK → stage from CDN → C2" attack path?: Email attaches an ISO. Windows mounts it as a drive, bypassing Mark-of-the-Web. LNK inside runs a hidden binary that pulls the real stager from a CDN — Defender often misses the chain. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Cobalt-class beacon establishes C2 (T1071) — a command and control primitive. Assumed environment: target endpoints allow ISO mounting via Explorer (default on Windows 10/11).
What is the final impact of this kill-chain?: The final step lands on LNK fires hidden cmd.exe / mshta (PAY-HTA-VBS), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

ISO container → LNK → stage from CDN → C2

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

OneNote .one attachment → embedded payload → C2

certutil + bitsadmin → AV-friendly stager chain

USB drop in parking lot → HID payload → C2