A pro-Ukrainian group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat landscape in January 2025, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker.
“Bearlyfy (also known as Labubu) operates as a dual-purpose group aimed at inflicting maximum damage upon Russian businesses; its attacks serve the dual objectives of extortion for financial gain and acts of sabotage,” Russian security vendor F6 said.
The hacking group was first documented by F6 in September 2025 as leveraging encryptors associated with LockBit 3 (Black) and Babuk, with early intrusions focusing on smaller companies before upping the ante and demanding ransoms to the tune of €80,000 (about $92,100). By August 2025, the group had claimed at least 30 victims.
Beginning May 2025, Bearlyfy actors also utilized a modified version of PolyVice, a ransomware family attributed to Vice Society (aka DEV-0832 or Vanilla Tempest), which has a history of delivering third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware in their attacks.
Further analysis of the threat actor’s toolset and infrastructure uncovers overlaps with PhantomCore, another group that’s assessed to be operating with Ukrainian interests in mind. It’s known to attack Russian and Belarusian companies since 2022. Beyond PhantomCore, Bearlyfy is also said to have collaborated with Head Mare.
Attacks mounted by the group have obtained initial access through the exploitation of external services and vulnerable applications, followed by dropping tools like MeshAgent to facilitate remote access and enable encryption, destruction, or modification of data. In contrast, PhantomCore conducts APT-style campaigns, where reconnaissance, persistence, and data exfiltration take precedence.
“The group itself is distinguished by rapid-fire attacks characterized by minimal preparation and swift data encryption; another distinctive feature of these attacks is that ransom notes are not generated by the ransomware software itself, but are instead crafted directly by the attackers,” F6 noted last year.
Bearlyfy’s attacks have proven to be an illicit revenue generation stream. Per F6 data, about one in five victims opt to pay the ransom. The initial ransom demands from the adversary is said to have escalated further, reaching hundreds of thousands of dollars.
The most noteworthy shift in the threat actor’s modus operandi is the use of a proprietary ransomware family called GenieLocker to target Windows endpoints since the start of March 2026. GenieLocker’s encryption scheme is inspired by Venus/Trinity ransomware families.
One of the most distinctive traits of the ransomware attacks is that the ransom notes are automatically generated by the locker. Instead, the threat actors opt for their own methods to share the next steps with victims, either just sharing contact details or elaborate messages that seek to exert psychological pressure and force them into paying up.
“While in its early stages, Bearlyfy members demonstrated a lack of sophistication and were clearly experimenting with various techniques and toolsets, within the span of a single year, this group has evolved into a veritable nightmare for Russian businesses — including major enterprises,” F6 said.
