A pro-Ukrainian hacking group known as Bearlyfy, also referred to as Labubu, has distinguished itself within the cyber threat landscape since its emergence in January 2025. Since then, Bearlyfy has orchestrated over 70 cyber attacks targeting numerous Russian companies, employing sophisticated tactics, including a custom Windows ransomware variant dubbed GenieLocker. This escalation in cyber activities underscores a deliberate strategy aimed at inflicting both financial damage and operational disruption on Russian enterprises.
According to insights from the Russian cybersecurity firm F6, Bearlyfy operates with dual motives: to extort financial resources and to sabotage Russian businesses. This aggressive posture not only highlights the growing sophistication of cyber warfare but also reflects the ongoing geopolitical tensions that drive such cyber activities. The firm’s analysis suggests that the group has adopted a methodical approach to cyber operations, aiming to maximize impact on their targets.
The initial documentation of Bearlyfy’s activities came in September 2025, when it was noted that the group had been utilizing encryption technologies associated with well-known ransomware families such as LockBit 3 (Black) and Babuk. Early in their operations, Bearlyfy primarily targeted smaller businesses, gradually increasing the stakes by demanding hefty ransoms that reached approximately €80,000 (around $92,100). By August of the same year, reports indicated that the group had successfully compromised at least 30 victims.
As Bearlyfy’s operations progressed, the group began employing a modified variant of PolyVice, a ransomware family linked to Vice Society, also known as DEV-0832 or Vanilla Tempest. This particular strain is recognized for its deployment of third-party ransomware solutions, including the notorious Hello Kitty, Zeppelin, RedAlert, and Rhysida. Such adaptations allow Bearlyfy to enhance its arsenal and infiltrate a wider array of targets.
An analysis of Bearlyfy’s toolset reveals notable overlaps with another group identified as PhantomCore, which has been involved in attacking Russian and Belarusian firms since at least 2022. This connection suggests that Bearlyfy is not operating in isolation but rather as part of a broader movement of cyber actors with Ukrainian interests at heart. Additionally, it appears that Bearlyfy has collaborated with another actor, Head Mare, further complicating the landscape of actors involved in this ongoing cyber conflict.
The techniques employed by Bearlyfy to gain initial access to networks include exploiting vulnerabilities in external services and applications, often followed by deploying tools like MeshAgent that facilitate remote access and enable the encryption, destruction, or modification of critical data. In contrast to Bearlyfy’s rapid and aggressive approach, PhantomCore has engaged in more traditional Advanced Persistent Threat (APT) campaigns, focusing on extensive reconnaissance and data exfiltration.
F6 emphasized that Bearlyfy’s operations are characterized by swift execution with minimal preparation. Notably, the group has a unique approach to ransom communications; rather than relying on automated ransom notes generated by the ransomware itself, the group crafts its own messages aimed at psychologically coercing victims into compliance.
The group’s activities have generated a lucrative revenue stream through extortion. Statistics from F6 indicate that roughly one in five victims succumbs to the demands of the attackers, with ransom amounts escalating significantly over time. Initial demands have reportedly surged into the hundreds of thousands of dollars, suggesting a systematic and evolving strategy of financial gain through cyber extortion.
Most striking is Bearlyfy’s recent shift toward utilizing its proprietary ransomware, GenieLocker, which has been specifically tailored to target Windows systems since March 2026. The encryption techniques employed by GenieLocker draw inspiration from established ransomware families such as Venus and Trinity, indicating an evolution in their operational capabilities.
One of the defining characteristics of their ransom strategy is the method of communication with victims. Rather than following conventional practices, Bearlyfy has opted to bypass automated ransom notes entirely, often choosing to convey next steps through direct communication or elaborate messages that seek to instill fear and urgency in victims.
The evolution of Bearlyfy within a short period highlights both the group’s increasing capabilities and the broader implications of cyber warfare in the context of international conflict. F6’s observations illustrate a stark transformation from relatively simple beginnings to a sophisticated entity capable of instigating significant disruption within major Russian enterprises, emphasizing the ongoing risks posed by cyber threats in today’s interconnected world.
