A professional-Ukrainian group referred to as Bearlyfy has been attributed to greater than 70 cyber assaults concentrating on Russian corporations because it first surfaced within the menace panorama in January 2025, with latest assaults leveraging a customized Home windows ransomware pressure codenamed GenieLocker.
“Bearlyfy (also referred to as Labubu) operates as a dual-purpose group aimed toward inflicting most harm upon Russian companies; its assaults serve the twin targets of extortion for monetary acquire and acts of sabotage,” Russian safety vendor F6 stated.
The hacking group was first documented by F6 in September 2025 as leveraging encryptors related to LockBit 3 (Black) and Babuk, with early intrusions specializing in smaller corporations earlier than upping the ante and demanding ransoms to the tune of €80,000 (about $92,100). By August 2025, the group had claimed no less than 30 victims.
Starting Might 2025, Bearlyfy actors additionally utilized a modified model of PolyVice, a ransomware household attributed to Vice Society (aka DEV-0832 or Vanilla Tempest), which has a historical past of delivering third-party lockers comparable to Hiya Kitty, Zeppelin, RedAlert, and Rhysida ransomware of their assaults.
Additional evaluation of the menace actor’s toolset and infrastructure uncovers overlaps with PhantomCore, one other group that is assessed to be working with Ukrainian pursuits in thoughts. It is identified to assault Russian and Belarusian corporations since 2022. Past PhantomCore, Bearlyfy can be stated to have collaborated with Head Mare.
Assaults mounted by the group have obtained preliminary entry via the exploitation of exterior providers and susceptible functions, adopted by dropping instruments like MeshAgent to facilitate distant entry and allow encryption, destruction, or modification of knowledge. In distinction, PhantomCore conducts APT-style campaigns, the place reconnaissance, persistence, and information exfiltration take priority.
“The group itself is distinguished by rapid-fire assaults characterised by minimal preparation and swift information encryption; one other distinctive characteristic of those assaults is that ransom notes are usually not generated by the ransomware software program itself, however are as an alternative crafted straight by the attackers,” F6 famous final 12 months.
Bearlyfy’s assaults have confirmed to be a bootleg income era stream. Per F6 information, about one in 5 victims choose to pay the ransom. The preliminary ransom calls for from the adversary is claimed to have escalated additional, reaching a whole lot of hundreds of {dollars}.
Probably the most noteworthy shift within the menace actor’s modus operandi is using a proprietary ransomware household referred to as GenieLocker to focus on Home windows endpoints for the reason that begin of March 2026. GenieLocker’s encryption scheme is impressed by Venus/Trinity ransomware households.
One of the crucial distinctive traits of the ransomware assaults is that the ransom notes are robotically generated by the locker. As an alternative, the menace actors go for their very own strategies to share the following steps with victims, both simply sharing contact particulars or elaborate messages that search to exert psychological stress and drive them into paying up.
“Whereas in its early levels, Bearlyfy members demonstrated an absence of sophistication and had been clearly experimenting with numerous methods and toolsets, inside the span of a single 12 months, this group has advanced right into a veritable nightmare for Russian companies — together with main enterprises,” F6 stated.
