MALWARE FAMILY

BELLHOP

Internal ID: js.bellhop
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

• BELLHOP is a JavaScript backdoor interpreted using the native Windows Scripting Host (WSH).

After performing some basic host information gathering, the BELLHOP dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways:

• Creating a Run key in the Registry

• Creating a RunOnce key in the Registry

• Creating a persistent named scheduled task

• BELLHOP communicates using HTTP and HTTPS with primarily benign sites such as Google Docs and PasteBin.

Threat Analysis

BELLHOP is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

js.bellhop

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.