A pro-Ukrainian threat group known as Bearlyfy, also referred to as Labubu, has been linked to more than 70 cyberattacks targeting Russian companies since it first appeared in January 2025.
According to reporting from The Hacker News, the group has recently been observed using a custom Windows ransomware strain called GenieLocker. The malware represents a new stage in Bearlyfy’s activity, after earlier campaigns involved other ransomware tools and modified variants connected to known ransomware families.
The group was first documented by Russian security vendor F6 in September 2025. At the time, Bearlyfy was reported to be using encryptors associated with LockBit 3.0 and Babuk. Early attacks focused mainly on smaller companies, before the group expanded its operations and increased ransom demands.
By August 2025, the group had claimed at least 30 victims. Later activity showed the use of a modified version of PolyVice, a ransomware family previously associated with Vice Society. Researchers also reported overlaps between Bearlyfy’s tools and infrastructure and other threat groups, including PhantomCore and Head Mare.
Bearlyfy’s attacks reportedly begin through exposed external services and vulnerable applications. After gaining access, the attackers have used remote access tools such as MeshAgent to support encryption, destruction, or modification of data.
The recent use of GenieLocker appears to be one of the most notable changes in the group’s operations. The ransomware has been used against Windows endpoints since March 2026, and its encryption approach is said to be inspired by the Venus and Trinity ransomware families.
Researchers noted that the group has developed quickly over the past year. While its early activity appeared less sophisticated, Bearlyfy has since evolved into a more organized ransomware operation targeting larger Russian businesses.
Source: The Hacker News.