Bearlyfy Hits 70+ Russian Firms with Custom GenieLocker Ransomware

Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware Ravie LakshmananMar 27, 2026Threat Intelligence / Vulnerability A pro-Ukrainian group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat landscape in January 2025, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker. "Bearlyfy (also known as Labubu) operates as a dual-purpose group aimed at inflicting maximum damage upon Russian businesses; its attacks serve the dual objectives of extortion for financial gain and acts of sabotage," Russian security vendor F6 said. The hacking group was first documented by F6 in September 2025 as leveraging encryptors associated with LockBit 3 (Black) and Babuk, with early intrusions focusing on smaller companies before upping the ante and demanding ransoms to the tune of €80,000 (about $92,100). By August 2025, the group had claimed at least 30 victims. Beginning May 2025, Bearlyfy actors also utilized a modified version of PolyVice, a ransomware family attributed to Vice Society (aka DEV-0832 or Vanilla Tempest), which has a history of delivering third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware in their attacks.  Further analysis of the threat actor's toolset and infrastructure uncovers overlaps with PhantomCore, another group that's assessed to be operating with Ukrainian interests in mind. It's known to attack Russian and Belarusian companies since 2022. Beyond PhantomCore, Bearlyfy is also said to have collaborated with Head Mare. Attacks mounted by the group have obtained initial access through the exploitation of external services and vulnerable applications, followed by dropping tools like MeshAgent to facilitate remote access and enable encryption, destruction, or modification of data. In contrast, PhantomCore conducts APT-style campaigns, where reconnaissance, persistence, and data exfiltration take precedence. "The group itself is distinguished by rapid-fire attacks characterized by minimal preparation and swift data encryption; another distinctive feature of these attacks is that ransom notes are not generated by the ransomware software itself, but are instead crafted directly by the attackers," F6 noted last year. Bearlyfy's attacks have proven to be an illicit revenue generation stream. Per F6 data, about one in five victims opt to pay the ransom. The initial ransom demands from the adversary is said to have escalated further, reaching hundreds of thousands of dollars. The most noteworthy shift in the threat actor's modus operandi is the use of a proprietary ransomware family called GenieLocker to target Windows endpoints since the start of March 2026. GenieLocker's encryption scheme is inspired by Venus/Trinity ransomware families. One of the most distinctive traits of the ransomware attacks is that the ransom notes are automatically generated by the locker. Instead, the threat actors opt for their own methods to share the next steps with victims, either just sharing contact details or elaborate messages that seek to exert psychological pressure and force them into paying up. "While in its early stages, Bearlyfy members demonstrated a lack of sophistication and were clearly experimenting with various techniques and toolsets, within the span of a single year, this group has evolved into a veritable nightmare for Russian businesses -- including major enterprises," F6 said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Cyber Attack, cybersecurity, data encryption, Malware, ransomware, Threat Intelligence, Vulnerability, windows security Trending News Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Load More ▼ Popular Resources Guide - Discover How to Validate AI Risks With Adversarial Testing Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures