Bearlyfy deploys GenieLocker in ransomware campaign against Russian companies

Tags: ransomware-group-operation, hacktivist-operation, initial-access-method, state-sponsored-disruption, remote-access-implant

Updated March 27, 2026 at 11:04 AM · 2 sources

The pro-Ukrainian hacker group Bearlyfy has carried out more than 70 attacks against Russian companies, escalating from smaller intrusions and modest ransom demands into a broader campaign combining extortion with sabotage. Russian cybersecurity firm F6 said the group, active since January 2025 and also tracked as Labubu, initially relied on leaked ransomware code including LockBit 3 Black, Babuk for Linux, and a modified PolyVice variant before shifting in March 2026 to a custom Windows strain called GenieLocker.

F6 said Bearlyfy typically gained access through exposed external services and vulnerable applications, then used tools such as MeshAgent for remote access and to support encryption or destructive activity. Researchers also reported cooperation with the pro-Ukrainian group Head Mare and tooling or infrastructure overlaps with PhantomCore, suggesting ties to a wider ecosystem targeting Russian and Belarusian organizations. The group’s ransom demands reportedly rose from about €80,000 to several hundred thousand dollars, with roughly one in five victims paying, as Bearlyfy expanded from smaller businesses to larger Russian enterprises.

Timeline

  1. Mar 26, 2026

    F6 attributes more than 70 attacks to Bearlyfy

    By late March 2026, Russian cybersecurity firm F6 said Bearlyfy had carried out more than 70 cyberattacks against Russian companies over the previous year. F6 assessed the group as having evolved into a serious threat to larger Russian enterprises, with ransom demands rising from about €80,000 to hundreds of thousands of dollars.

  2. Mar 1, 2026

    Bearlyfy deploys custom GenieLocker ransomware

    Since early March 2026, Bearlyfy has used a custom Windows ransomware strain called GenieLocker, which F6 believes the group developed itself. The shift marked an escalation from using leaked code to operating its own ransomware for encryption and destructive attacks.

  3. Jan 1, 2025

    Bearlyfy collaborates with Head Mare and shows infrastructure overlaps

    F6 observed cooperation between Bearlyfy and the pro-Ukrainian group Head Mare, while also identifying tooling and infrastructure overlaps with PhantomCore. These findings linked Bearlyfy to a broader pro-Ukrainian threat ecosystem targeting Russian and Belarusian entities.

  4. Jan 1, 2025

    Bearlyfy conducts early attacks using leaked ransomware code

    In its earlier operations during 2025 and before March 2026, Bearlyfy relied on leaked or modified ransomware families including LockBit 3 Black, Babuk for Linux systems, and later a modified PolyVice variant. F6 said the group commonly gained access through exposed external services and vulnerable applications, then used tools such as MeshAgent for remote access and attack execution.

  5. Jan 1, 2025

    Bearlyfy emerges and begins targeting Russian companies

    According to F6, the pro-Ukrainian group Bearlyfy, also known as Labubu, emerged in January 2025 and started attacking Russian organizations. Its early victims were primarily smaller businesses, and the group paired political sabotage goals with ransomware extortion.


Related Stories

Ransomware Attack Uncovers Ongoing Espionage in Russian Organizations

Two Russian organizations were simultaneously targeted by separate cyber attack groups, resulting in the exposure of a long-term espionage campaign. The first group, QuietCrabs, believed to be of Asian origin, focused on cyber espionage and maintained a stealthy presence within the victim networks. The second group, known as Thor, attempted to deploy LockBit and Babuk ransomware but was detected early, which inadvertently led to the discovery of QuietCrabs' ongoing activities. Both groups exploited known vulnerabilities in Microsoft SharePoint Server (CVE-2025-53770) and various Ivanti solutions (CVE-2024-21887, CVE-2025-4427, CVE-2025-4428, CVE-2023-38035) to gain initial access. QuietCrabs utilized an ASPX web shell, KrustyLoader malware, and the Sliver C2 implant for persistence and control, while Thor employed tools such as ADRecon, GodPotato, Secretsdump, Mimikatz, Tactical RMM, MeshAgent, and Rclone for lateral movement, privilege escalation, and data exfiltration. The investigation began after Thor's activity was detected, which prevented the ransomware deployment but also revealed the deeper, more persistent espionage threat posed by QuietCrabs. This incident highlights the risk of multiple, unconnected threat actors targeting the same organization and the potential for noisy attacks to expose more covert operations.

1 month ago

LockBit 5.0 Ransomware Expands Cross-Platform Attacks on Windows, Linux, and VMware ESXi

Acronis Threat Research Unit reported active campaigns using **LockBit 5.0**, a major update to the **LockBit** ransomware-as-a-service (RaaS) operation that broadens targeting across **Windows, Linux, and VMware ESXi** in coordinated intrusions. The variant continues **double extortion** (data theft plus encryption) and is positioned for enterprise impact by enabling attackers to hit endpoints, servers, and hypervisors—where a single ESXi compromise can disrupt many virtual machines at once. Reporting also notes the group’s claimed ability to operate against **Proxmox** virtualization environments, further expanding the potential attack surface in organizations adopting alternative hypervisors. Technical analysis highlights stronger and more enterprise-focused builds, with the **Windows** payload using advanced defense-evasion and anti-analysis techniques such as packing/obfuscation, **DLL unhooking**, **process hollowing**, and **ETW (Event Tracing for Windows) patching**, alongside log-clearing to reduce forensic visibility. The **Linux/ESXi** builds are described as less reliant on packing but use extensive string encryption to hinder detection, while maintaining strong encryption routines and using randomized file extensions; Acronis-linked reporting also cites faster encryption and continuity with LockBit 4’s design. Victimology cited in coverage indicates a heavy focus on the **U.S. business sector** and a broad spread across industries (including manufacturing, healthcare, education, financial services, and government), with dozens of recent leak-site postings used to pressure victims and demonstrate ongoing operational tempo despite law-enforcement disruption efforts.

1 month ago

Ransomware and initial-access tradecraft evolves with new evasion and extortion techniques

Reporting and research published in mid-January 2026 highlights continued **high ransomware activity** and rapid evolution in initial-access and evasion tradecraft. A Symantec/Carbon Black Threat Hunter Team study cited by *Help Net Security* reports ransomware actors claimed **4,737 attacks in 2025**, with only brief slowdowns after major disruptions; the abrupt April 2025 shutdown of **RansomHub** was followed by affiliates quickly shifting to other operations, while **LockBit** failed to recover after late-2024 law-enforcement action. The same reporting notes a broader shift toward **extortion models that don’t rely on encryption**, emphasizing data theft and coercion as groups diversify pressure tactics. Multiple technical reports describe how attackers are improving delivery and resilience. *BleepingComputer* says **Gootloader** now uses heavily malformed ZIP files—concatenating **500–1,000** ZIP archives and manipulating ZIP structures (e.g., truncated `EOCD`)—to crash or defeat common analysis tools while still extracting via Windows’ default utility, supporting its role as an initial-access vector often preceding ransomware. *The Register* reports **DeadLock** ransomware uses **Polygon smart contracts** to frequently rotate proxy infrastructure for victim communications (via an HTML wrapper pointing victims to the *Session* messenger), complicating blocking and takedown efforts; Group-IB notes DeadLock also departs from typical double-extortion by lacking a public data-leak site and instead threatening underground data sales. 
Separately, Microsoft-observed phishing described by *KnowBe4* shows threat actors exploiting **email routing/spoofing misconfigurations** to make phishing appear internal (often leveraging **Tycoon2FA**), while ReliaQuest’s trend report and a separate write-up on **CastleLoader** describe human-driven initial access (spearphishing/drive-by) and social-engineering lures such as **ClickFix** being used to stage loaders and follow-on payloads—underscoring that access-broker and loader ecosystems continue to feed ransomware and broader intrusion activity.

1 month ago
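The Gootloader item above describes ZIP archives that are concatenated or carry a truncated end-of-central-directory (EOCD) record so that analysis tools choke while the default Windows extractor still opens them. The following is an added example, not code from Mallory or from any of the cited reports: a small structural pre-check a defender can run on an attachment before handing it to an extractor. It counts EOCD and local-file-header signatures, checks that the last EOCD record is complete, and compares the entry count the EOCD claims against the local headers actually present. The archives it inspects are constructed in memory for the demonstration; the signature offsets and field layout come from the PKZIP APPNOTE, and the "expected archive count" of 500 simply mirrors the lower bound quoted in the story.

```python
import io
import struct
import zipfile

# ZIP signatures (PKZIP APPNOTE): local file header and end-of-central-directory record.
LOCAL_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
EOCD_FIXED_LEN = 22  # EOCD record without its optional trailing comment


def build_zip(entries):
    """Build a small STORED archive in memory from (name, bytes) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            # Fixed timestamp so the byte layout is deterministic between runs.
            zf.writestr(zipfile.ZipInfo(name, date_time=(2026, 1, 1, 0, 0, 0)), data)
    return buf.getvalue()


def inspect_zip(blob):
    """Return structural findings for a ZIP-like byte string, without extracting it."""
    findings = []

    # Locate every EOCD signature; a well-formed archive has exactly one, at the end.
    eocd_positions = []
    pos = blob.find(EOCD_SIG)
    while pos >= 0:
        eocd_positions.append(pos)
        pos = blob.find(EOCD_SIG, pos + 1)

    local_headers = blob.count(LOCAL_SIG)

    if not eocd_positions:
        findings.append("no_eocd")
    else:
        if len(eocd_positions) > 1:
            findings.append(f"multiple_eocd:{len(eocd_positions)}")
        last = eocd_positions[-1]
        if len(blob) - last < EOCD_FIXED_LEN:
            # The last EOCD record is cut off before its fixed fields end.
            findings.append("truncated_eocd")
        else:
            # Fixed fields after the signature: disk no, CD disk, entries on this disk,
            # total entries, CD size, CD offset, comment length.
            (_, _, _, total_entries, _, _, comment_len) = struct.unpack(
                "<HHHHIIH", blob[last + 4:last + EOCD_FIXED_LEN]
            )
            if last + EOCD_FIXED_LEN + comment_len != len(blob):
                findings.append("trailing_data_after_eocd")
            if local_headers != total_entries:
                findings.append(
                    f"entry_count_mismatch:local_headers={local_headers},eocd={total_entries}"
                )

    return {
        "eocd_count": len(eocd_positions),
        "local_headers": local_headers,
        "stdlib_accepts": zipfile.is_zipfile(io.BytesIO(blob)),
        "findings": findings,
    }


def sample_results():
    """Run the inspector over three constructed inputs: clean, concatenated, truncated EOCD."""
    clean = build_zip([("a.txt", b"hello")])
    # 500 single-entry archives glued together, as the reporting describes.
    concatenated = b"".join(build_zip([(f"{i}.txt", b"x")]) for i in range(500))
    truncated = clean[:-5]  # drop the last 5 bytes of the EOCD record
    return {
        "clean": inspect_zip(clean),
        "concatenated": inspect_zip(concatenated),
        "truncated": inspect_zip(truncated),
    }


if __name__ == "__main__":
    for label, result in sample_results().items():
        print(label, result)
```

Note that Python's `zipfile` quietly accepts the concatenated file (it honours only the final EOCD, so it sees one entry out of 500) and rejects the truncated one outright, which is exactly the kind of divergence between tools that the technique exploits; the point of a check like this is to flag the mismatch before any extractor's behaviour is trusted.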
