MalwareRansomwareUsed by 2 actors

PolyVice

PolyVice is a ransomware family attributed in the provided content to the Vice Society ransomware-as-a-service operation, also known as DEV-0832 and Vanilla Tempest. The content states that Vice Society has historically delivered third-party lockers including Hello Kitty, Zeppelin, RedAlert, and Rhysida. Beginning in May 2025, the pro-Ukrainian threat group Bearlyfy, also known as Labubu, used a modified or slightly modified version of PolyVice in some attacks. Those campaigns targeted Russian companies as part of Bearlyfy operations assessed as combining financially motivated ransomware extortion with sabotage. In the described intrusions, Bearlyfy reportedly obtained initial access by exploiting external services and vulnerable applications, used MeshAgent for remote access, and then leveraged access to enable encryption, destruction, or modification of victim data. The content does not provide PolyVice-specific technical indicators or detailed encryption behavior beyond its use as ransomware in these attacks.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Vanilla Tempest

Beginning May 2025, Bearlyfy actors also utilized a modified version of PolyVice, a ransomware family attributed to Vice Society.

via the hacker newsthehackernews.com

Bearlyfy

Beginning May 2025, Bearlyfy actors also utilized a modified version of PolyVice, a ransomware family attributed to Vice Society.

via the hacker newsthehackernews.com

MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique

T1486Data Encrypted for ImpactEvidence2

TacticImpact

The most noteworthy shift in the threat actor's modus operandi is the use of a proprietary ransomware family called GenieLocker to target Windows endpoints since the start of March 2026.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

the hacker newsNews

Mar 27, 2026

Bearlyfy Hits 70+ Russian Firms with Custom GenieLocker Ransomware

A ransomware family, used in modified form by Bearlyfy, and attributed in the article to Vice Society.

habrNews

Mar 25, 2026

Bearlyfy выпустили джинна: F6 проанализировала свежие атаки группы / Хабр

A slightly modified version of the PolyVice ransomware was used in some Bearlyfy attacks beginning in May 2025; it is described as part of the Vice Society RaaS program.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.