A pro-Ukrainian hacking group known as Bearlyfy has launched over 70 cyber attacks on Russian businesses since its emergence in January 2025. Recently, the group has been deploying a unique ransomware strain named GenieLocker against its targets, according to the cybersecurity firm F6. Bearlyfy’s operations are driven by the dual motives of financial extortion and sabotage.
Bearlyfy’s Evolution and Tactics
Initially identified by F6 in September 2025, Bearlyfy, also referred to as Labubu, used encryptors derived from LockBit 3 (Black) and Babuk. Its early campaigns were directed at smaller enterprises, with ransom demands as high as €80,000 (around $92,100). By August 2025, it had victimized at least 30 entities. In May 2025, the group adopted a modified version of the PolyVice ransomware, commonly used by Vice Society, as part of its toolset.
The group’s methods reveal connections to PhantomCore, another collective that supports Ukrainian interests and has targeted Russian and Belarusian companies since 2022. Bearlyfy is also reportedly cooperating with Head Mare. Its attack chain involves exploiting externally exposed services and weak applications to gain initial access, followed by deploying tools such as MeshAgent for remote access, after which data is encrypted or altered.
Distinctive Attack Patterns
Bearlyfy is characterized by rapid and aggressive attacks that often require minimal preparation. Unlike conventional ransomware operations, the group manually writes ransom notes to communicate with victims, applying psychological pressure to compel payment. F6 reports that approximately 20% of targets give in to these demands, with ransom demands escalating to hundreds of thousands of dollars.
In a notable shift, Bearlyfy has developed its own ransomware, GenieLocker, which has targeted Windows systems since March 2026. This new ransomware family draws inspiration from the Venus and Trinity ransomware families. Although the locker generates ransom notes automatically, Bearlyfy still prefers to contact victims through personalized channels, adding a further layer of coercion.
Impact and Future Developments
Bearlyfy’s evolution from a less sophisticated group to a significant threat underscores its growing capability to disrupt Russian businesses, including large-scale enterprises. Their activities have established a substantial illicit revenue stream, highlighting the urgent need for enhanced cybersecurity measures.
As Bearlyfy continues to refine its techniques and expand its reach, understanding its operational tactics and strengthening defenses against such threats becomes crucial for potential targets. The group’s persistence emphasizes the importance of proactive security measures to mitigate risk and protect critical infrastructure.
