Bearlyfy
Bearlyfy, also known as Labubu, is a pro-Ukrainian threat group that F6 has attributed to more than 70 cyber attacks against Russian companies since it emerged in January 2025. F6 describes the group as a dual-purpose actor pursuing both financial extortion and sabotage, with operations intended to inflict maximum damage on Russian business while also generating ransomware revenue. The group initially targeted smaller Russian companies but later expanded to larger enterprises, and F6 assessed that it became a major threat to Russian business within about a year.

Bearlyfy has used multiple ransomware families and variants over time. Early attacks used LockBit 3 (Black) and Babuk-derived encryptors, including a modified Babuk variant for Linux systems. Beginning in May 2025, the group used a modified PolyVice variant. Since March 2026, Bearlyfy has used self-developed ransomware, including a custom Windows ransomware family called GenieLocker. F6 assessed that GenieLocker borrows cryptographic schemes and approaches from the Venus and Trinity ransomware families and includes anti-analysis techniques.

According to F6, Bearlyfy commonly gains initial access by exploiting external services and vulnerable applications. The group has deployed MeshAgent for remote access and then used that access to encrypt, destroy, or modify victim data. F6 characterized its operations as rapid-fire attacks with minimal preparation and swift encryption.

Bearlyfy often delivers ransom notes separately rather than generating them through the ransomware itself, although GenieLocker-related attacks can generate notes automatically. Some ransom messages are minimal and contain only contact details, while others include mocking or psychologically coercive language intended to pressure victims. F6 reported that Bearlyfy's ransom demands increased from roughly €80,000 in earlier campaigns to hundreds of thousands of dollars, and that about one in five victims paid.
F6 also identified overlaps between Bearlyfy’s tooling and infrastructure and PhantomCore, and reported collaboration with the more experienced pro-Ukrainian group Head Mare, while assessing that Bearlyfy maintains a distinct operational style.
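The profile above names MeshAgent as the remote-access tool Bearlyfy deploys before encryption, but gives no indicators. The following is an added example (not from F6, Mallory, or any report on this actor) of a simple hunt a defender could run over Windows System log service-install events (Event ID 7045) to surface MeshAgent installs on hosts where IT does not sanction it. It assumes the default MeshAgent footprint (service name "Mesh Agent", binary MeshAgent.exe / meshagent64.exe), which an attacker can rename, and the hostnames, allowlist, and log lines are all constructed for the example.

```python
"""Hunt for unsanctioned MeshAgent service installs in Windows 7045 events.

Added example, not code from F6 or Mallory. The service/binary names are
assumptions about a default MeshCentral agent deployment; attackers can
rename both, so a miss here is not proof of absence and a hit is a lead,
not a conviction.
"""
import json
import re
from typing import Iterable, List

# Hosts where IT legitimately runs MeshAgent (assumed allowlist).
SANCTIONED_HOSTS = {"it-helpdesk-01"}

# Default MeshAgent service name and binary names (assumptions, see above).
MESH_PATTERNS = [
    re.compile(r"\bmesh ?agent\b", re.I),
    re.compile(r"meshagent(?:64)?\.exe", re.I),
]


def is_mesh_service(event: dict) -> bool:
    """True if the service name or image path looks like a MeshAgent install."""
    haystack = f"{event.get('ServiceName', '')} {event.get('ImagePath', '')}"
    return any(p.search(haystack) for p in MESH_PATTERNS)


def parse_log(text: str) -> List[dict]:
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: Iterable[dict]) -> List[dict]:
    """Return 7045 events that install a MeshAgent on a non-allowlisted host."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045 or not is_mesh_service(ev):
            continue
        if ev.get("Computer", "").lower() in SANCTIONED_HOSTS:
            continue
        hits.append({
            "host": ev["Computer"],
            "service": ev["ServiceName"],
            "path": ev["ImagePath"],
            "time": ev["TimeCreated"],
        })
    return hits


# Constructed sample export (one JSON event per line, as a SIEM might emit).
# Event 3 shows the case the name check alone would miss: the service was
# renamed, but the dropped binary still carries the MeshAgent file name.
SAMPLE_LOG = r"""
{"TimeCreated":"2025-06-01T03:12:44Z","EventID":7045,"Computer":"ws-fin-07","ServiceName":"Mesh Agent","ImagePath":"\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\""}
{"TimeCreated":"2025-06-01T08:00:10Z","EventID":7045,"Computer":"it-helpdesk-01","ServiceName":"Mesh Agent","ImagePath":"\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\""}
{"TimeCreated":"2025-06-01T03:15:02Z","EventID":7045,"Computer":"srv-db-02","ServiceName":"Updater","ImagePath":"C:\\Users\\Public\\meshagent64.exe --connect"}
{"TimeCreated":"2025-06-01T03:15:05Z","EventID":7036,"Computer":"ws-fin-07","ServiceName":"Mesh Agent","ImagePath":""}
{"TimeCreated":"2025-06-01T09:30:00Z","EventID":7045,"Computer":"srv-web-01","ServiceName":"Print Spooler Helper","ImagePath":"C:\\Windows\\System32\\svchost.exe -k netsvcs"}
"""


if __name__ == "__main__":
    for hit in triage(parse_log(SAMPLE_LOG)):
        print(f"{hit['time']} {hit['host']}: service '{hit['service']}' -> {hit['path']}")
```

Because the profile stresses speed (minimal preparation, swift encryption), a 7045 match for a remote-access agent on a server or finance workstation is worth paging on immediately rather than batching into a daily review; the allowlist keeps the helpdesk's own agent out of that alert.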
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
Where they're from
Attributed origin per open-source reporting.
- UA
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
6 malware families attributed to this actor across reporting.
1 additional family tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Dual-purpose ransomware and sabotage group targeting Russian businesses, conducting rapid attacks for both extortion and destructive impact.
Pro-Ukrainian ransomware and disruptive operations targeting Russian companies, combining political and financial motives and escalating from small-business attacks to larger enterprises with custom ransomware.
Pro-Ukrainian group that has carried out more than 70 attacks on Russian companies since January 2025, combining extortion with sabotage. It initially used third-party and modified ransomware families, and since March 2026 has switched to its own encryptors, including GenieLocker.
Newly described ransomware group; noted as having a connection to PhantomCore.