Bearlyfy Strikes Russian Companies with Unique GenieLocker Ransomware Attack

A Notorious Cyber Group Targeting Russian Companies

An active cyber group known as Bearlyfy has made headlines for orchestrating over 70 cyber attacks directed at Russian businesses since its emergence in the cybersecurity landscape in January 2025. The group has recently been linked to the deployment of a customized Windows ransomware strain dubbed GenieLocker.

According to reports from Russian security firm F6, Bearlyfy, also referred to as Labubu, operates with a dual motive of extorting financial gains from its targets while simultaneously causing disruption and sabotage to their operations.

F6 first identified the activities of Bearlyfy in September 2025, noting their use of encryption tools associated with LockBit 3 (Black) and Babuk. Initially targeting smaller enterprises, the group gradually escalated their operations, demanding hefty ransoms amounting to €80,000 (approximately $92,100) from affected organizations. By August 2025, Bearlyfy had victimized at least 30 entities.

Since May 2025, Bearlyfy has expanded its arsenal by incorporating a modified version of PolyVice, a ransomware strain attributed to Vice Society (also known as DEV-0832 or Vanilla Tempest). This new variant has been associated with delivering various third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware in their attacks.

Further investigations into Bearlyfy’s tactics and infrastructure have revealed connections to PhantomCore, another group believed to operate with Ukrainian interests in mind. PhantomCore has been targeting Russian and Belarusian companies since 2022 and is known to collaborate with entities like Head Mare.

The group’s infiltration tactics involve exploiting vulnerabilities in external services and applications to gain initial access. They then deploy tools like MeshAgent to establish remote access, enabling them to encrypt, destroy, or manipulate data. In contrast, PhantomCore’s operations are characterized by advanced persistent threats (APTs) that involve thorough reconnaissance, persistence, and data exfiltration.
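The paragraph above describes the post-intrusion pattern F6 attributes to Bearlyfy: a legitimate remote-management agent (MeshAgent) installed on a foothold host before encryption. From a defender's side, the earliest high-signal telemetry for that step is usually a Windows "service installed" event (System log, Event ID 7045). The script below is an added example written for this page, not code from F6 or from the article; it runs over a few constructed, flattened 7045-style log lines and flags installs that either name a known remote-management agent or drop their binary in a user-writable path. The log format, host names and the watch-list of agent names are assumptions for the example, as is the "Mesh Agent" service name, which is the default used by the open-source MeshCentral agent rather than anything the article states.

```python
import re

# Constructed sample lines in a flattened Windows System-log style
# (Event ID 7045, "A service was installed in the system").
# Illustrative only; not telemetry from any real Bearlyfy incident.
SAMPLE_LOG = """\
2025-09-01T03:12:44Z host=fs01 event_id=7045 service_name="Mesh Agent" image_path="C:\\Program Files\\Mesh Agent\\MeshAgent.exe" account=LocalSystem
2025-09-01T03:13:02Z host=fs01 event_id=7045 service_name="Sysmon64" image_path="C:\\Windows\\Sysmon64.exe" account=LocalSystem
2025-09-01T09:41:17Z host=ws-117 event_id=7045 service_name="wupdsvc" image_path="C:\\Users\\Public\\agent.exe" account=LocalSystem
2025-09-01T10:05:00Z host=ws-117 event_id=7036 service_name="Spooler" state=running
"""

# Assumed watch-list: legitimate remote-management agents that intrusions
# commonly install for hands-on-keyboard access. Tune to what your estate
# actually sanctions; an approved deployment should be allow-listed upstream.
REMOTE_AGENT_PATTERNS = ["meshagent", "mesh agent", "anydesk", "atera", "splashtop"]

# Install locations that are rare for genuine enterprise software services.
SUSPICIOUS_PATHS = ["\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\"]

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event_id=(?P<eid>\d+)'
    r'.*?service_name="(?P<name>[^"]*)"'
    r'(?:.*?image_path="(?P<path>[^"]*)")?'
)


def parse_service_installs(log_text):
    """Yield (timestamp, host, service_name, image_path) for Event ID 7045 lines only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("eid") != "7045":
            continue
        yield m.group("ts"), m.group("host"), m.group("name"), m.group("path") or ""


def classify(service_name, image_path):
    """Return the reasons (possibly none) a service install deserves analyst attention."""
    reasons = []
    haystack = (service_name + " " + image_path).lower()
    if any(p in haystack for p in REMOTE_AGENT_PATTERNS):
        reasons.append("remote-management agent installed as a service")
    if any(p in image_path.lower() for p in SUSPICIOUS_PATHS):
        reasons.append("service binary in a user-writable or unusual path")
    return reasons


def find_suspicious_installs(log_text):
    """Run the parser over the log and collect flagged installs as dicts."""
    findings = []
    for ts, host, name, path in parse_service_installs(log_text):
        reasons = classify(name, path)
        if reasons:
            findings.append(
                {"timestamp": ts, "host": host, "service": name, "path": path, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in find_suspicious_installs(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['host']}: {f['service']} ({f['path']}) -> {'; '.join(f['reasons'])}")
```

On the constructed input this flags the MeshAgent install on fs01 and the oddly placed service on ws-117, and leaves the Sysmon install and the unrelated 7036 state-change event alone. In a real deployment the same two checks map cleanly onto a SIEM rule over Event ID 7045 (and Sysmon Event ID 1 for the installer process), with the agent watch-list reconciled against your sanctioned remote-support tooling so that approved installs do not page anyone.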

Notably, Bearlyfy’s attacks are marked by rapid execution and swift data encryption, with ransom notes personally crafted by the attackers rather than generated by the ransomware software itself. F6’s analysis indicates that approximately one in five victims opt to pay the ransom, with initial demands escalating to hundreds of thousands of dollars.

The most recent development in Bearlyfy’s tactics is the utilization of a proprietary ransomware strain named GenieLocker, specifically designed to target Windows systems since March 2026. The encryption methods employed by GenieLocker draw inspiration from the Venus/Trinity ransomware families.

Unique to Bearlyfy’s ransomware attacks is the personalized approach taken by the threat actors in communicating with victims. Rather than relying on automated ransom notes, the group prefers direct contact with victims, often employing psychological tactics to coerce them into compliance.

Despite its initial lack of sophistication, Bearlyfy has rapidly evolved into a formidable threat to Russian enterprises. The group's relentless pursuit of illicit gains, combined with its disruptive activities, poses a significant challenge to businesses of all sizes in the region.