Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware - The Hacker News

Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware Ravie LakshmananMar 27, 2026Threat Intelligence / Vulnerability A pro-Ukrainian group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat landscape in January 2025, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker. "Bearlyfy (also known as Labubu) operates as a dual-purpose group aimed at inflicting maximum damage upon Russian businesses; its attacks serve the dual objectives of extortion for financial gain and acts of sabotage," Russian security vendor F6 said. The hacking group was first documented by F6 in September 2025 as leveraging encryptors associated with LockBit 3 (Black) and Babuk, with early intrusions focusing on smaller companies before upping the ante and demanding ransoms to the tune of €80,000 (about $92,100). By August 2025, the group had claimed at least 30 victims. Beginning May 2025, Bearlyfy actors also utilized a modified version of PolyVice, a ransomware family attributed to Vice Society (aka DEV-0832 or Vanilla Tempest), which has a history of delivering third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware in their attacks.  Further analysis of the threat actor's toolset and infrastructure uncovers overlaps with PhantomCore, another group that's assessed to be operating with Ukrainian interests in mind. It's known to attack Russian and Belarusian companies since 2022. Beyond PhantomCore, Bearlyfy is also said to have collaborated with Head Mare. Attacks mounted by the group have obtained initial access through the exploitation of external services and vulnerable applications, followed by dropping tools like MeshAgent to facilitate remote access and enable encryption, destruction, or modification of data. In contrast, PhantomCore conducts APT-style campaigns, where reconnaissance, persistence, and data exfiltration take precedence. "The group itself is distinguished by rapid-fire attacks characterized by minimal preparation and swift data encryption; another distinctive feature of these attacks is that ransom notes are not generated by the ransomware software itself, but are instead crafted directly by the attackers," F6 noted last year. Bearlyfy's attacks have proven to be an illicit revenue generation stream. Per F6 data, about one in five victims opt to pay the ransom. The initial ransom demands from the adversary is said to have escalated further, reaching hundreds of thousands of dollars. The most noteworthy shift in the threat actor's modus operandi is the use of a proprietary ransomware family called GenieLocker to target Windows endpoints since the start of March 2026. GenieLocker's encryption scheme is inspired by Venus/Trinity ransomware families. One of the most distinctive traits of the ransomware attacks is that the ransom notes are automatically generated by the locker. Instead, the threat actors opt for their own methods to share the next steps with victims, either just sharing contact details or elaborate messages that seek to exert psychological pressure and force them into paying up. "While in its early stages, Bearlyfy members demonstrated a lack of sophistication and were clearly experimenting with various techniques and toolsets, within the span of a single year, this group has evolved into a veritable nightmare for Russian businesses -- including major enterprises," F6 said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Cyber Attack, cybersecurity, data encryption, Malware, ransomware, Threat Intelligence, Vulnerability, windows security Trending News Why Security Leaders Are Layering Email Defense on Top of Secure Email Gateways Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities The Hidden Security Risks of Shadow AI in Enterprises Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users Why Threat Intelligence Is the Missing Link in CTEM Prioritization and Validation n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Your MTTD Looks Great. Your Post-Alert Gap Doesn't Popular Resources Discover Key AI Security Gaps CISOs Face in 2026 How to Identify Risky Browser Extensions in Your Organization Fix Rising Application Security Risks Driven by AI Development Automate Alert Triage and Investigations Across Every Threat