Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware
Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware
https://thehackernews.com/2026/03/bearlyfy-hits-70-russian-firms-with.html
Publish Date: 2026-03-27 06:04:00
Source Domain: thehackernews.com
A pro-Ukrainian group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat landscape in January 2025, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker.
“Bearlyfy (also known as Labubu) operates as a dual-purpose group aimed at inflicting maximum damage upon Russian businesses; its attacks serve the dual objectives of extortion for financial gain and acts of sabotage,” Russian security vendor F6 said.
The hacking group was first documented by F6 in September 2025 as leveraging encryptors associated with LockBit 3 (Black) and Babuk, with early intrusions focusing on smaller companies before upping the ante and demanding ransoms to the tune of €80,000 (about $92,100). By August 2025, the group had claimed at least 30 victims.
Beginning May 2025, Bearlyfy actors also utilized a modified version of PolyVice, a ransomware family attributed to Vice Society (aka DEV-0832 or Vanilla Tempest), which has a history of delivering third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware in their attacks.
Further analysis of the threat actor’s toolset and infrastructure uncovers overlaps with PhantomCore, another group that’s assessed to be operating with Ukrainian interests in mind. It’s known to attack Russian and Belarusian companies since 2022. Beyond PhantomCore, Bearlyfy is also said to have collaborated with Head Mare.
Attacks mounted by the group have obtained initial access through the exploitation of external services and vulnerable applications, followed by dropping tools like MeshAgent to facilitate remote access and enable encryption, destruction, or modification of data. In contrast, PhantomCore conducts APT-style campaigns, where reconnaissance, persistence, and data exfiltration take precedence.
“The group itself is distinguished by rapid-fire…
