APT / THREAT GROUP

BELLHOP

Aliases: 2
Last seen: Mar 17, 2026

Intelligence Profile

• BELLHOP is a JavaScript backdoor interpreted using the native Windows Scripting Host (WSH).

After performing some basic host information gathering, the BELLHOP dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways:

• Creating a Run key in the Registry

• Creating a RunOnce key in the Registry

• Creating a persistent named scheduled task

• BELLHOP communicates using HTTP and HTTPS with primarily benign sites such as Google Docs and PasteBin.

Threat Analysis

BELLHOP is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

BELLHOP, js.bellhop

External Intelligence

Malpedia: js.bellhop

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.