Pro-Ukrainian hacking group Bearlyfy has launched 70+ attacks on Russian companies using a new GenieLocker ransomware strain.

A pro-Ukrainian hacking group known as Bearlyfy has carried out cyberattacks against more than 70 Russian companies, deploying a newly developed ransomware strain called GenieLocker, according to cybersecurity researchers.
The group, also tracked under the name Labubu, has been active since January 2025 and is believed to target Russian businesses for both financial gain and political sabotage.
Researchers say Bearlyfy recently introduced a custom Windows ransomware family called GenieLocker, which began appearing in attacks around March 2026. The encryption system used by GenieLocker is reportedly inspired by the Venus and Trinity ransomware families, indicating the group has continued refining its malware toolkit.
Unlike many ransomware operations, whose malware automatically generates ransom notes, Bearlyfy operators communicate with victims manually, sending custom instructions or psychological pressure messages to push companies into paying the ransom.
Early Bearlyfy campaigns mainly targeted smaller Russian companies, but over time the group shifted its focus to larger organizations and enterprises. Initial ransom demands were around €80,000 (about $92,000), though later attacks reportedly demanded hundreds of thousands of dollars.
Data from security firm F6 suggests about one in five victims ultimately pay the ransom, making the campaign a profitable operation for the attackers.
Security analysts have also identified infrastructure overlaps between Bearlyfy and another pro-Ukrainian threat group called PhantomCore, which has targeted Russian and Belarusian organizations since 2022. Bearlyfy is also believed to have collaborated with another hacking group known as Head Mare, suggesting coordination between multiple actors operating against Russian targets.
Investigators say the group typically gains access to corporate networks by exploiting exposed services or vulnerable applications. Once inside, attackers deploy remote management tools like MeshAgent to maintain access before launching ransomware attacks that encrypt or destroy data.
Researchers note that Bearlyfy’s operations are often fast and opportunistic, with minimal preparation before launching attacks.
Within just a year of activity, analysts say the group has evolved from a relatively inexperienced actor into a major cyber threat to Russian businesses, including large companies across multiple sectors.






