New series of Bagles being spammed

Over the course of the last 10 hours or so we’ve seen a number of new Bagle variants.

We’ve just released an urgent update for the fourth spammed Bagle. And just like before these Bagles don’t spread any further.

We have also detected a Bagle which does have email spreading functionality, it sends the spammed samples.

The spammed Bagles arrive in a zip archive as a .cpl file. Most likely with “price” in one of the filenames. The .cpl files are all 14340 bytes in size.

All four variants are equal to each other, the only difference is in the .cpl dropper.
The .cpl file functions as Trojan-Dropper to drop the actual Bagle executable.

The most interesting part of this Bagle case is that the Bagle executable does not work on Windows XP or 2000, it only seems to work on Windows 98.

Currently we can only speculate as to the author’s motives to create malware which will only function on Windows 98.

We detect the .cpl droppers and mailer as Email-Worm.Win32.Bagle.cs, Bagle.ct and
The dropped files are detected as Bagle.cs.

MD5 checksums for the spammed Bagles:


New series of Bagles being spammed

Your email address will not be published. Required fields are marked *



Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

APT trends report Q1 2023

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

Tomiris called, they want their Turla malware back

We continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023, and our telemetry allowed us to shed light on the group. In this blog post, we’re excited to share what we now know of Tomiris with the broader community, and discuss further evidence of a possible connection to Turla.

Subscribe to our weekly e-mails

The hottest research right in your inbox