A pro-Ukrainian group known as Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat landscape in January 2025, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker.
"Bearlyfy (also known as Labubu) operates as a dual-purpose group aimed at inflicting maximum damage upon Russian businesses; its attacks serve the dual goals of extortion for financial gain and acts of sabotage," Russian security vendor F6 said.
The hacking group was first documented by F6 in September 2025 as leveraging encryptors associated with LockBit 3 (Black) and Babuk, with early intrusions focusing on smaller companies before upping the ante and demanding ransoms to the tune of €80,000 (about $92,100). By August 2025, the group had claimed at least 30 victims.
Beginning May 2025, Bearlyfy actors also utilized a modified version of PolyVice, a ransomware family attributed to Vice Society (aka DEV-0832 or Vanilla Tempest), which has a history of delivering third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware in its attacks.
Further analysis of the threat actor's toolset and infrastructure uncovers overlaps with PhantomCore, another group that is assessed to be operating with Ukrainian interests in mind and has been known to attack Russian and Belarusian companies since 2022. Beyond PhantomCore, Bearlyfy is also said to have collaborated with Head Mare.
Attacks mounted by the group have obtained initial access via the exploitation of external services and vulnerable applications, followed by dropping tools like MeshAgent to facilitate remote access and enable encryption, destruction, or modification of data. In contrast, PhantomCore conducts APT-style campaigns, where reconnaissance, persistence, and data exfiltration take precedence.
"The group itself is distinguished by rapid-fire attacks characterized by minimal preparation and swift data encryption; another distinctive feature of these attacks is that ransom notes are not generated by the ransomware software itself, but are instead crafted directly by the attackers," F6 noted last year.
Bearlyfy's attacks have proven to be a lucrative illicit revenue stream. Per F6 data, about one in five victims opt to pay the ransom. The initial ransom demands from the adversary are said to have escalated further, reaching hundreds of thousands of dollars.
The most noteworthy shift in the threat actor's modus operandi is the use of a proprietary ransomware family called GenieLocker to target Windows endpoints since the start of March 2026. GenieLocker's encryption scheme is inspired by the Venus/Trinity ransomware families.
One of the distinctive characteristics of the ransomware attacks is that the ransom notes are not automatically generated by the locker. Instead, the threat actors opt for their own methods to share the next steps with victims, either simply sharing contact details or sending elaborate messages that seek to exert psychological pressure and force them into paying up.
"While in its early stages, Bearlyfy members demonstrated a lack of sophistication and were clearly experimenting with various techniques and toolsets, within the span of a single year, this group has evolved into a veritable nightmare for Russian businesses — including major enterprises," F6 said.