Bagle, also known as Beagle, is a large family of mass-mailing Windows worms that emerged in 2004 and later became associated with a substantial spam-sending botnet. Early variants spread primarily through executable email attachments, using social engineering themes and benign-looking icons to induce execution. Once launched, the malware copied itself into the Windows system area, established persistence through user-run registry entries, harvested email addresses from local files and address books, and used its own SMTP engine with direct MX lookups to propagate further. Bagle commonly spoofed sender information and included programmed stop-spreading dates in many variants.
A defining feature of Bagle was the installation of a backdoor on infected systems. Early variants listened on hard-coded TCP ports and enabled remote access, including the ability to download and execute additional programs. Some variants also contacted predefined web servers to report infections or retrieve follow-on payloads. Bagle infections were at times associated with secondary malware delivery, including proxy-oriented components, and older infections could be updated by newer releases.
Bagle affected Microsoft Windows systems and was observed across multiple legacy and contemporary Windows versions of its era. The family evolved rapidly, producing numerous variants within a short period. It became notable not only for email propagation and backdoor functionality, but also for its role in botnet-enabled spam operations. Historical reporting linked the Bagle botnet to large-scale pharmaceutical and replica-goods spam campaigns and estimated it accounted for a meaningful share of global spam volume at its peak.
Bagle is also remembered for its rivalry with the Netsky and Mydoom worm families. Variants from these families included antagonistic code comments and, in some cases, routines intended to remove competing malware from infected hosts. This period produced a rapid succession of variants and made Bagle one of the most prominent malware families of the mid-2000s. In threat-classification terms, Bagle is best characterized as an email worm with backdoor capabilities that also functioned as part of a spam botnet ecosystem.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Early January saw a rise in activity from both the Lethic and Bagle spambots... it is currently responsible for about eight to ten per cent of the spam in our traps... The Bagle 2 botnet was only responsible for around 1.9 per cent of spam sent.
The attachment is an executable file with a random file. Once the user executes the file, the virus mails itself to all of the names found on the users hard drive | The new variant arrives in an e-mail with a spoofed sending address and a subject line that contains the term “ID” followed by a string of random characters. The text of the message simply says: “Yours ID” followed by another bunch of random characters. The attachment is an executable file with a random file.
When a user executes Bagle's attachment, the virus puts copies of itself called "bbeagle.exe" into the Windows System folders and adds the following registry keys to allow it to run when the system is started: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, "d3update.exe" = "%system%\bbeagle.exe"
When a user executes Bagle's attachment, the virus puts copies of itself called "bbeagle.exe" into the Windows System folders and adds the following registry keys to allow it to run when the system is started: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, "d3update.exe" = "%system%\bbeagle.exe"
Once running, Bagle will attempt to connect with a PHP script on a series of internally hard-coded web sites.
When the worm is started it connects to a list of predefined web servers and tries to access a PHP file with certain parameters. One of the parameters is the TCP port where the backdoor is listening which suggests that this functionality is used to collect the addresses of infected computers.
Using its own SMTP engine Bagle sends messages with infected attachments to the collected addresses. The SMTP engine uses direct Mail eXchange (MX) lookup on the target domain so it does not depend on email settings of the infected computer.
The virus also listens on port 6777 for a malicious user to connect.
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Bagle is mentioned as another malware family linked to a lookalike domain found during infrastructure pivoting, suggesting possible shared infrastructure or naming patterns.
Malware 2004 Bagle NetSky Sasser Mydoom
Bagle is cited as an early example of the 'MalWare 2.0' model of complex malicious programs.
Bagle is an email-propagating worm family that spreads via infected attachments, harvests email addresses from local files, uses its own SMTP engine to send itself onward, and installs a backdoor listening on TCP port 6777 to provide remote access and download/execute arbitrary programs.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.