Ethical Hacking News
Bearlyfy, a Ukrainian group attributed to over 70 cyber attacks targeting Russian firms since January 2025, has been using custom ransomware family GenieLocker to target Windows endpoints. The group's evolution highlights the need for robust cybersecurity measures and vigilance against these types of threats.
Bearlyfy, also known as Labubu, has been attributed to over 70 cyber attacks targeting Russian companies since January 2025. The group operates with dual objectives of extortion for financial gain and acts of sabotage. Bearlyfy's attacks began in September 2025, leveraging encryptors associated with LockBit 3 (Black) and Babuk. The group initially targeted smaller companies before escalating its tactics and demanding ransoms of up to €80,000. Bearlyfy has incorporated tools from other groups, such as PolyVice and PhantomCore, showcasing its ability to adapt and evolve. About one in five victims opt to pay the ransom, generating a lucrative illicit revenue stream for the group. Since March 2026, Bearlyfy has used a proprietary ransomware family called GenieLocker to target Windows endpoints. The group's attacks are characterized by ransom notes that are not generated by the locker itself but delivered by the operators, combined with psychological pressure tactics to force victims into paying up.
Cybersecurity experts have been tracking a sophisticated group known as Bearlyfy, which has been attributed to over 70 cyber attacks targeting Russian companies since its emergence in the threat landscape in January 2025. The group, also known as Labubu, operates with dual objectives of extortion for financial gain and acts of sabotage. In this article, we will delve into the world of Bearlyfy, exploring its modus operandi, tools, and tactics used to compromise Windows endpoints, and how it has evolved into a formidable threat against Russian businesses.
According to F6, a Russian security vendor, Bearlyfy's attacks began in September 2025, leveraging encryptors associated with LockBit 3 (Black) and Babuk. The group initially targeted smaller companies before escalating its tactics and demanding ransoms of up to €80,000 (approximately $92,100). By August 2025, the group had claimed at least 30 victims.
In May 2025, Bearlyfy actors also began utilizing a modified version of PolyVice, a ransomware family attributed to Vice Society (aka DEV-0832 or Vanilla Tempest), which has a history of delivering third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware in its attacks. This marks a notable shift in the group's modus operandi, as it begins to incorporate tools from other groups, showcasing its ability to adapt and evolve.
Further analysis reveals overlaps between Bearlyfy's toolset and infrastructure and those of PhantomCore, another group believed to be operating with Ukrainian interests in mind. PhantomCore is known for conducting APT-style campaigns, where reconnaissance, persistence, and data exfiltration take precedence. This highlights the potential synergy between Bearlyfy and other groups, emphasizing the importance of threat intelligence and collaboration.
Bearlyfy's attacks have proven to be a lucrative illicit revenue stream, with about one in five victims opting to pay the ransom. The adversary's initial ransom demands have since escalated further, reaching hundreds of thousands of dollars. This trend underscores the financial motivations behind Bearlyfy's activities, demonstrating a clear interest in extorting Russian companies for monetary gain.
The most noteworthy shift in the threat actor's modus operandi is the use of a proprietary ransomware family called GenieLocker to target Windows endpoints since the start of March 2026. GenieLocker's encryption scheme is inspired by Venus/Trinity ransomware families, showcasing the group's ability to innovate and develop custom tools.
One of the most distinctive traits of Bearlyfy's ransomware attacks is that the ransom notes are not automatically generated by the locker. Instead, the threat actors use their own methods to communicate the next steps to victims, either simply sharing contact details or sending elaborate messages that seek to exert psychological pressure and force them into paying up.
In its early stages, Bearlyfy's members demonstrated a lack of sophistication and were clearly experimenting with various techniques and toolsets. Within the span of a single year, however, the group has evolved into a veritable nightmare for Russian businesses -- including major enterprises. F6 notes that while Bearlyfy's attacks have proven to be an illicit revenue generation stream, they also underscore the need for robust cybersecurity measures and vigilance.
In conclusion, Bearlyfy's rise as a sophisticated threat actor highlights the evolving landscape of cyber threats against Russian companies. As we continue to monitor this group's activities, it is essential to recognize the importance of threat intelligence, collaboration, and adaptability in countering these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Bearlyfy-A-Sophisticated-Ukrainian-Group-Behind-a-Wave-of-Custom-Ransomware-Attacks-on-Russian-Firms-ehn.shtml
Published: Fri Mar 27 13:36:56 2026 by llama3.2 3B Q4_K_M