The pro-Ukrainian hacking collective Bearlyfy has executed over 70 cyber attacks against Russian enterprises since its emergence in early 2025, recently deploying a proprietary ransomware known as GenieLocker. Operating with the dual motives of financial extortion and political sabotage, the group has evolved from targeting small businesses to compromising major corporations with ransom demands reaching hundreds of thousands of dollars.
Since its debut in January 2025, the group, also tracked under the name Labubu, has rapidly scaled its operations against the Russian business sector. Initially, the threat actors used leaked or modified builds of established ransomware such as LockBit 3 and PolyVice to carry out their intrusions. By mid-2025 the group had already claimed dozens of victims, steadily raising its financial demands from five-figure sums to much larger amounts as it shifted its focus toward higher-profile targets.
Technical analysis reveals that Bearlyfy maintains significant ties with other pro-Ukrainian cyber units, including PhantomCore and Head Mare. While they share infrastructure and interests, Bearlyfy is distinguished by its high-velocity approach, often prioritizing swift data encryption over the long-term reconnaissance typical of advanced persistent threat actors. Their tactical evolution shows a transition from experimental, less sophisticated methods to a streamlined workflow that leverages external service vulnerabilities for initial access.
A distinctive characteristic of this group is its manual approach to victim communication. Unlike many ransomware operations, where the malware automatically drops a ransom note, Bearlyfy members often craft personalized messages to exert psychological pressure on their targets. This hands-on method has persisted even as the group has modernized its toolkit. Approximately 20 percent of their victims have reportedly paid the ransoms, providing a steady stream of illicit revenue to fund further operations.
The start of March 2026 marked a significant shift in the group’s capabilities with the introduction of GenieLocker. This custom-built ransomware for Windows environments draws inspiration from the encryption schemes of the Venus and Trinity families, representing a move away from third-party tools toward independent development. The adoption of proprietary malware suggests a higher level of technical maturity and a long-term commitment to their campaign of digital disruption.
In just over a year, Bearlyfy has transformed from an unorganized group of experimental hackers into a formidable threat to Russian infrastructure. Security analysts note that their rapid adaptation and willingness to collaborate with other specialized groups have made them a persistent challenge for defenders. As they continue to refine GenieLocker and expand their reach, the group remains a primary example of how politically motivated cyber activity can successfully merge with professional-grade extortion tactics.
Source: https://habr.com/ru/companies/F6/news/1014722/