Full Report
A pro-Ukrainian group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat landscape in January 2025, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker. "Bearlyfy (also known as Labubu) operates as a dual-purpose group aimed at inflicting maximum damage upon Russian businesses;
Analysis Summary
# Threat Actor: Bearlyfy
## Attribution & Identity
* **Actor Name:** Bearlyfy
* **Aliases:** Labubu
* **Group Type:** Pro-Ukrainian, dual-purpose (extortion and sabotage).
* **Known Associations:**
  * **PhantomCore:** Shared infrastructure and toolset overlaps; both target Russian/Belarusian interests.
  * **Head Mare:** Reported collaboration on cyber operations.
  * **Vice Society (Vanilla Tempest):** Utilized ransomware variants (PolyVice) historically associated with this group.
## Activity Summary
Bearlyfy emerged in January 2025 and has rapidly evolved from an unsophisticated group targeting small companies to a major threat for large Russian enterprises. As of March 2026, the group has conducted over 70 cyber attacks. Initial campaigns relied on leaked or third-party builders (LockBit 3, Babuk), but the group moved to custom-developed ransomware in early 2026.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of external-facing services and vulnerable applications (T1190, T1133).
* **Execution & Remote Access:** Deployment of **MeshAgent** to facilitate remote management and post-exploitation activities.
* **Data Impact:** Rapid-fire encryption and destruction of data aimed at inflicting maximum operational damage.
* **Manual Ransom Delivery:** Distinctively, ransom notes were historically not generated by the malware itself but were manually delivered by attackers to exert psychological pressure.
* **Phased Evolution:** Shifted from "minimal preparation" attacks to more sophisticated operations involving custom payloads.
## Targeting
* **Sectors:** Broad, spanning Russian business sectors from small firms to "major enterprises."
* **Geography:** Russia (primary focus) and Belarus (via associated group PhantomCore).
* **Victims:** Over 70 Russian companies (specific names not disclosed in the text).
## Tools & Infrastructure
* **Custom Ransomware:** **GenieLocker** (Windows-based, encryption scheme inspired by Venus/Trinity families).
* **Third-Party Ransomware:** PolyVice (modified), LockBit 3 (Black), Babuk, Hello Kitty, Zeppelin, RedAlert, and Rhysida.
* **Remote Admin Tools:** MeshAgent.
* **Infrastructure:** Overlaps with PhantomCore infrastructure (specific defanged IPs/domains were not provided in the source text).
## Implications
Bearlyfy represents a significant shift in the "hacktivist" landscape, moving from simple DDoS or defacement to high-impact ransomware operations. Their successful monetization (a 20% payment rate) provides a self-sustaining financial model for pro-Ukrainian cyber operations. The development of custom ransomware (GenieLocker) indicates increasing technical maturity and a long-term commitment to targeting Russian infrastructure.
## Mitigations
* **External Surface Management:** Patch and secure all external-facing applications and services to prevent initial access via exploits.
* **Remote Access Monitoring:** Monitor for unauthorized installations of legitimate remote management tools like MeshAgent.
* **Endpoint Defense:** Deploy EDR solutions capable of detecting behavior associated with LockBit, Babuk, and Venus/Trinity encryption schemes.
* **Backup Strategy:** Maintain offline, immutable backups to counter the group's "dual-purpose" objective of data destruction and sabotage.
* **Authentication:** Enforce strict Multi-Factor Authentication (MFA) on all external services to mitigate the risk of credential-based entry.
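As an added example (not code from the report or from any tooling it describes), the following Python allowlist check implements the "Remote Access Monitoring" item above: it scans normalised Sysmon process-creation (EventID 1) and Windows service-install (EventID 7045) records for MeshAgent activity on hosts or paths outside the sanctioned deployment. The service display name "Mesh Agent" and binary names MeshAgent.exe/meshagent64.exe are assumed from MeshCentral defaults; the hostnames, install paths, field names and sample events are constructed.

```python
import re

# Name patterns for the agent binary/service. "Mesh Agent" and MeshAgent.exe /
# meshagent64.exe are assumed MeshCentral defaults; add renamed builds as needed.
MESH_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"meshagent", r"mesh agent")]
# Constructed allowlist: hosts where IT runs MeshAgent, and the sanctioned install path.
APPROVED_HOSTS = {"it-jump01"}
APPROVED_PATH_PREFIXES = ("c:\\program files\\mesh agent\\",)

def _mentions_mesh(*fields):
    return any(p.search(f or "") for p in MESH_PATTERNS for f in fields)

def _approved(event):
    """Approved when the host is sanctioned or the binary sits in the sanctioned path."""
    host = event.get("host", "").lower()
    path = (event.get("image") or event.get("service_path") or "").strip('"').lower()
    return host in APPROVED_HOSTS or path.startswith(APPROVED_PATH_PREFIXES)

def find_unauthorized_meshagent(events):
    """Flag MeshAgent process starts (Sysmon 1) and service installs (7045) off the allowlist."""
    findings = []
    for ev in events:
        if ev.get("event_id") == 1:       # Sysmon: process creation
            hit = _mentions_mesh(ev.get("image"), ev.get("command_line"))
        elif ev.get("event_id") == 7045:  # System log: new service installed
            hit = _mentions_mesh(ev.get("service_name"), ev.get("service_path"))
        else:
            hit = False
        if hit and not _approved(ev):
            findings.append({"host": ev["host"], "event_id": ev["event_id"],
                             "detail": ev.get("command_line") or ev.get("service_path")})
    return findings

# Constructed sample telemetry, not events from the report.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "it-jump01", "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "command_line": r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'},             # sanctioned host
    {"event_id": 7045, "host": "ws-207", "service_name": "Mesh Agent",
     "service_path": r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'},             # sanctioned path
    {"event_id": 1, "host": "fileserv02", "image": r"C:\Users\Public\meshagent64.exe",
     "command_line": r"C:\Users\Public\meshagent64.exe"},                         # unexpected location
    {"event_id": 7045, "host": "fileserv02", "service_name": "Mesh Agent",
     "service_path": r'"C:\Users\Public\meshagent64.exe"'},
    {"event_id": 1, "host": "ws-114", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},                                   # unrelated noise
]

if __name__ == "__main__":
    for f in find_unauthorized_meshagent(SAMPLE_EVENTS):
        print(f"ALERT host={f['host']} event={f['event_id']} detail={f['detail']}")
```

Running it against the constructed events raises two alerts, both for the agent dropped under `C:\Users\Public` on `fileserv02`, while the sanctioned host and the sanctioned install path stay silent.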