MALWARE FAMILY
BELLHOP
Internal ID: js.bellhop
Last seen: Mar 17, 2026
Intelligence Profile
• BELLHOP is a JavaScript backdoor interpreted using the native Windows Scripting Host (WSH).
• After performing some basic host information gathering, the BELLHOP dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways:
  • Creating a Run key in the Registry
  • Creating a RunOnce key in the Registry
  • Creating a persistent named scheduled task
• BELLHOP communicates using HTTP and HTTPS with primarily benign sites such as Google Docs and Pastebin.
Threat Analysis
BELLHOP is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.
Quick Facts
Type: Malware Family
Aliases: 1
Also Known As
js.bellhop
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.