
A pro-Ukrainian group called Bearlyfy has been implicated in more than 70 cyberattacks targeting Russian companies since first emerging on the threat landscape in January 2025, with the most recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker.
Russian security vendor F6 said: “Bearlyfy (also known as Labubu) operates as a dual-purpose group aiming to cause maximum damage to Russian companies. Its attacks serve the dual purpose of extortion and sabotage for financial gain.”
The hacking group was first documented by F6 in September 2025 as using encryptors associated with LockBit 3 (Black) and Babuk. Its initial intrusions focused on small businesses before it raised its demands, asking for ransoms as high as 80,000 euros (approximately $92,100). By August 2025, the group had claimed at least 30 victims.
Starting in May 2025, Bearlyfy also used a modified version of PolyVice, a ransomware family attributed to Vice Society (also known as DEV-0832 or Vanilla Tempest), a group with a history of deploying third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware in its attacks.
Further analysis of the threat actor’s toolset and infrastructure reveals overlap with PhantomCore, another group assessed to be operating in Ukraine’s interests, which has been attacking companies in Russia and Belarus since 2022. Besides PhantomCore, Bearlyfy is said to be working with Head Mare.
The group’s attacks exploited exposed external services and vulnerable applications to gain initial access, then dropped tools such as MeshAgent to establish remote access, after which data was encrypted, destroyed, or modified. PhantomCore, in contrast, runs APT-style campaigns that prioritize reconnaissance, persistence, and data exfiltration.
“The group itself is distinguished by rapid-fire attacks that are characterized by minimal preparation and rapid data encryption. Another feature of these attacks is that the ransom note is not generated by the ransomware software itself, but directly by the attackers,” F6 noted last year.
Bearlyfy’s attacks have proven to be a working source of illicit revenue: according to F6 data, roughly one in five victims chooses to pay the ransom. Initial ransom demands have reportedly escalated further, reaching hundreds of thousands of dollars.
The most notable change in threat actor modus operandi is the use of a unique ransomware family called GenieLocker to target Windows endpoints since early March 2026. GenieLocker’s encryption scheme is inspired by the Venus/Trinity ransomware family.
One of the most distinctive features of these attacks is that the ransom note is not automatically generated by the locker. Instead, the threat actors choose their own way of communicating next steps to victims, ranging from simply sharing their contact details to elaborate messages that apply psychological pressure to force payment.
“In the early stages, Bearlyfy members showed a lack of sophistication and were clearly experimenting with different technologies and toolsets, but within a year, the group evolved into a veritable nightmare for Russian companies, including major ones,” F6 said.
