Bearlyfy deploys GenieLocker in ransomware campaign against Russian companies
The pro-Ukrainian hacker group Bearlyfy has carried out more than 70 attacks against Russian companies, escalating from smaller intrusions and modest ransom demands into a broader campaign that combines extortion with sabotage. Russian cybersecurity firm F6 said the group, active since January 2025 and also tracked as Labubu, initially relied on leaked ransomware code, including LockBit 3 Black, Babuk for Linux, and a modified PolyVice variant, before shifting in March 2026 to a custom Windows strain called GenieLocker.
F6 said Bearlyfy typically gained access through exposed external services and vulnerable applications, then used tools such as MeshAgent for remote access and to stage encryption or destructive activity. Researchers also reported cooperation with the pro-Ukrainian group Head Mare and tooling and infrastructure overlaps with PhantomCore, suggesting ties to a wider ecosystem targeting Russian and Belarusian organizations. The group's ransom demands reportedly rose from about €80,000 to several hundred thousand dollars, with roughly one in five victims paying, as Bearlyfy expanded from smaller businesses to larger Russian enterprises.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
F6 attributes more than 70 attacks to Bearlyfy
By late March 2026, Russian cybersecurity firm F6 said Bearlyfy had carried out more than 70 cyberattacks against Russian companies over the previous year. F6 assessed the group as having evolved into a serious threat to larger Russian enterprises, with ransom demands rising from about €80,000 to hundreds of thousands of dollars.
Bearlyfy deploys custom GenieLocker ransomware
Since early March 2026, Bearlyfy has used a custom Windows ransomware strain called GenieLocker, which F6 believes the group developed itself. The shift marked an escalation from using leaked code to operating its own ransomware for encryption and destructive attacks.
Bearlyfy collaborates with Head Mare and shows infrastructure overlaps
F6 observed cooperation between Bearlyfy and the pro-Ukrainian group Head Mare, while also identifying tooling and infrastructure overlaps with PhantomCore. These findings linked Bearlyfy to a broader pro-Ukrainian threat ecosystem targeting Russian and Belarusian entities.
Bearlyfy conducts early attacks using leaked ransomware code
From its emergence in January 2025 until early March 2026, Bearlyfy relied on leaked or modified ransomware families, including LockBit 3 Black, Babuk for Linux systems, and later a modified PolyVice variant. F6 said the group commonly gained access through exposed external services and vulnerable applications, then used tools such as MeshAgent for remote access and attack execution.
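The access pattern described here and in the summary above (exploitation of an internet-facing service, then MeshAgent for persistent remote access) is something a defender can hunt for in endpoint telemetry. The following is an added example written for this page, not code or indicators from F6, The Hacker News, or The Record: it scans constructed Sysmon-style process-creation events (Event ID 1) and Windows service-install events (Event ID 7045) for a web-facing server process spawning a shell, and for MeshAgent being installed or executed. The MeshAgent binary and service names, the list of web-facing parent processes, and all sample events are assumptions for illustration, not IOCs from the reporting.

```python
"""Hunt for exposed-service-to-MeshAgent activity in JSON-lines endpoint events.

Added example; indicator names are assumptions, not IOCs from the F6 report.
"""
import json

# Assumed indicators (not from the report): the open-source MeshAgent binary
# names and the service name it commonly installs under.
MESHAGENT_IMAGES = {"meshagent.exe", "meshagent64.exe"}
MESHAGENT_MARKERS = ("meshagent", "mesh agent", "meshcentral")

# Assumed set of processes that front internet-exposed services; a shell
# spawned by one of these is a common sign of web application exploitation.
WEB_FACING_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path ('' if empty)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the list of hunt findings that apply to one event (empty if benign)."""
    findings = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()

    # Sysmon Event ID 1: MeshAgent launched directly or referenced on a command line.
    if image in MESHAGENT_IMAGES or any(m in cmd for m in MESHAGENT_MARKERS):
        findings.append("meshagent_execution")

    # System log Event ID 7045: a new service whose name or binary points at MeshAgent.
    if event.get("EventID") == 7045:
        svc = (event.get("ServiceName", "") + " " + event.get("ImagePath", "")).lower()
        if any(m in svc for m in MESHAGENT_MARKERS):
            findings.append("meshagent_service_install")

    # Web-facing server process spawning an interactive shell.
    if parent in WEB_FACING_PARENTS and image in SHELLS:
        findings.append("web_facing_process_spawned_shell")

    return findings


def hunt(jsonl: str) -> list[tuple[str, list[str]]]:
    """Scan JSON-lines events; return (host, findings) for every event that matched."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = classify(event)
        if findings:
            hits.append((event.get("Host", "?"), findings))
    return hits


# Constructed sample telemetry for the example (not real victim data). The first
# three events model the described chain on one host; the fourth is benign noise.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Host": "web01", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 7045, "Host": "web01", "ServiceName": "Mesh Agent", "ImagePath": "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\""}
{"EventID": 1, "Host": "web01", "Image": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\""}
{"EventID": 1, "Host": "fs01", "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"}
"""

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(findings)}")
```

The three findings on the same host within a short window are the signal worth alerting on; any one of them alone (an administrator legitimately deploying MeshAgent, for example) needs the surrounding context. Feeding real Sysmon or EDR exports requires only mapping their field names onto `Image`, `ParentImage`, `CommandLine`, `ServiceName`, and `ImagePath`.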
Bearlyfy emerges and begins targeting Russian companies
According to F6, the pro-Ukrainian group Bearlyfy, also known as Labubu, emerged in January 2025 and started attacking Russian organizations. Its early victims were primarily smaller businesses, and the group paired political sabotage goals with ransomware extortion.
Sources
Bearlyfy Hits 70+ Russian Firms with Custom GenieLocker Ransomware (thehackernews.com)
Pro-Ukraine hacker group Bearlyfy targets Russian companies with custom ransomware | The Record from Recorded Future News (therecord.media)