A pro‑Ukrainian hacktivist group known as Bearlyfy has been linked to more than 70 cyberattacks against Russian organizations since emerging in the threat landscape in January 2025. Recent operations have involved the deployment of a custom Windows ransomware strain referred to as GenieLocker.
According to Russian cybersecurity firm F6, Bearlyfy, also tracked under the alias Labubu, functions as a hybrid threat actor. The group's campaigns pursue two parallel goals: extracting ransom payments while also inflicting deliberate damage on Russian businesses.
“Bearlyfy operates as a dual‑purpose group focused on maximizing harm to Russian companies. Its activity combines financial extortion with acts of sabotage,” F6 stated.
F6 initially documented the group in September 2025, noting its use of encryptors linked to LockBit 3 (Black) and Babuk ransomware families. Early attacks primarily targeted smaller organizations, but the group quickly escalated its operations, issuing ransom demands of up to €80,000 (approximately $92,100). By August 2025, Bearlyfy had publicly claimed responsibility for at least 30 victims.
Starting in May 2025, the group expanded its toolset to include a modified variant of PolyVice, a ransomware strain associated with Vice Society (also known as DEV‑0832 or Vanilla Tempest). Vice Society is itself known for deploying third‑party ransomware payloads such as Hello Kitty, Zeppelin, RedAlert, and Rhysida rather than a single in‑house locker, a pattern that Bearlyfy's own reliance on borrowed LockBit, Babuk, and PolyVice encryptors mirrors.
Further examination of Bearlyfy’s infrastructure and tooling has revealed overlaps with PhantomCore, another threat actor believed to be aligned with Ukrainian interests. PhantomCore has been conducting attacks on Russian and Belarusian targets since 2022. In addition to these ties, Bearlyfy is also reported to have collaborated with the threat group Head Mare.
Bearlyfy typically gains initial access by exploiting exposed services and unpatched applications. Following compromise, the attackers deploy tools such as MeshAgent, the endpoint component of the legitimate open‑source MeshCentral remote management suite, to maintain remote control and then carry out data encryption, deletion, or manipulation. Because MeshAgent is commercial‑grade administration software rather than malware, its presence alone is not a reliable indicator; defenders need to know where it is legitimately deployed. This approach contrasts with PhantomCore's methodology, which is characterized by more traditional APT‑style operations emphasizing reconnaissance, persistence, and data exfiltration.
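The hunting logic below is an added example and is not code from the article or from F6. It illustrates the point above: because MeshAgent is legitimate software, a useful check is not "is MeshAgent present" but "is MeshAgent present on a host where nobody approved it". The inventory format (one record per Windows service, as you would get by exporting Get‑CimInstance Win32_Service to JSON), the hostnames, and the sample records are all constructed for this example. The indicator strings are assumptions based on MeshAgent's default Windows service name and install directory; an attacker who renames the binary or service will not match them, so treat the patterns as a starting point rather than a complete signature.

```python
"""Hunt for unapproved MeshAgent installations in a Windows service inventory.

MeshAgent is the endpoint component of the open-source MeshCentral remote
management suite, so its presence is only suspicious where the organisation
did not deploy it. The inventory format and sample records below are
constructed for this example; the indicator patterns are assumptions based
on MeshAgent's default service name and install directory and will miss a
renamed agent.
"""
import re
from dataclasses import dataclass

# Assumed defaults for an unmodified MeshAgent install on Windows.
MESHAGENT_PATTERNS = [
    re.compile(r"meshagent", re.IGNORECASE),        # binary name MeshAgent.exe / meshagent64.exe
    re.compile(r"\\mesh agent\\", re.IGNORECASE),  # default install dir "C:\Program Files\Mesh Agent\"
    re.compile(r"^mesh agent$", re.IGNORECASE),    # default service name
]


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    path: str
    reason: str


def is_meshagent(service_name: str, path_name: str) -> bool:
    """True if the service name or binary path carries a MeshAgent indicator."""
    return any(p.search(service_name) or p.search(path_name) for p in MESHAGENT_PATTERNS)


def hunt(inventory, approved_hosts):
    """Return a Finding for every MeshAgent service on a host not approved to run it.

    inventory: iterable of dicts with keys host, name, path_name, start_mode.
    approved_hosts: set of hostnames where MeshAgent is a sanctioned deployment.
    """
    findings = []
    for rec in inventory:
        if not is_meshagent(rec["name"], rec["path_name"]):
            continue
        if rec["host"] in approved_hosts:
            continue  # sanctioned install; baseline it, do not alert
        reason = "MeshAgent service on host without an approved deployment"
        if rec["start_mode"].lower() == "auto":
            reason += "; autostart gives the operator persistence across reboots"
        findings.append(Finding(rec["host"], rec["name"], rec["path_name"], reason))
    return findings


# Constructed sample inventory: one unrelated service, one approved agent on a
# help-desk workstation, one default-named agent on a file server, and one
# agent hidden behind a renamed service but still using the stock binary name.
SAMPLE_INVENTORY = [
    {"host": "fs01", "name": "Spooler", "path_name": r"C:\Windows\System32\spoolsv.exe", "start_mode": "Auto"},
    {"host": "fs01", "name": "Mesh Agent", "path_name": r"C:\Program Files\Mesh Agent\MeshAgent.exe", "start_mode": "Auto"},
    {"host": "hd-ws07", "name": "Mesh Agent", "path_name": r"C:\Program Files\Mesh Agent\MeshAgent.exe", "start_mode": "Auto"},
    {"host": "db02", "name": "WinSvcUpd", "path_name": r"C:\ProgramData\upd\meshagent64.exe", "start_mode": "Auto"},
]
APPROVED_HOSTS = {"hd-ws07"}  # constructed allowlist of sanctioned MeshAgent hosts

if __name__ == "__main__":
    for f in hunt(SAMPLE_INVENTORY, APPROVED_HOSTS):
        print(f"{f.host}: {f.service} ({f.path}) - {f.reason}")
```

Run against the sample inventory, the script flags the file server running a default‑named agent and the database server whose renamed service still points at a stock MeshAgent binary, while the approved help‑desk workstation is silently baselined. In a real environment the allowlist should come from the team that operates MeshCentral, and the patterns should be supplemented with network telemetry toward the MeshCentral server the agent connects to, since that endpoint is what an attacker cannot rename away.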
“The group stands out due to its fast‑paced attack cycles, minimal preparation, and rapid encryption,” F6 noted in a previous assessment. “Another unusual aspect is that ransom notes are not automatically generated by the ransomware, but are created manually by the attackers.”
Financially, Bearlyfy’s operations have proven profitable. F6 estimates that roughly 20% of victims choose to pay ransoms. Initial demands have continued to rise, with recent cases reaching hundreds of thousands of dollars.
The most significant evolution in Bearlyfy’s tactics occurred in early March 2026, when the group began deploying its own proprietary ransomware family, GenieLocker, specifically targeting Windows systems. The encryption mechanisms used by GenieLocker appear to draw inspiration from the Venus and Trinity ransomware strains.
As in the group's earlier campaigns, GenieLocker itself does not automatically create ransom notes. Instead, operators communicate instructions through custom messages, ranging from simple contact details to more elaborate statements designed to apply psychological pressure and coerce payment.
“Although Bearlyfy initially showed signs of limited technical maturity and experimentation with different tools, in just one year it has evolved into a serious and disruptive threat to Russian businesses, including large enterprises,” F6 concluded.
