A pro-Ukrainian threat group called Bearlyfy — also tracked under the alias Labubu Bear — has been linked to more than 70 cyberattacks against Russian companies since it first appeared in the threat landscape in January 2025. The group's most recent operations deploy a custom Windows ransomware strain codenamed GenieLocker, marking an escalation from earlier disruptive activity to full ransomware deployment.
Who Is Bearlyfy
Bearlyfy (also known as Labubu Bear) is a hacktivist group with a stated pro-Ukrainian political motivation. The group emerged in January 2025 and has been consistently active in targeting Russian commercial enterprises across multiple industry sectors.
Unlike financially motivated ransomware gangs that use encryption for extortion, Bearlyfy's primary objective appears to be disruption and destruction — inflicting operational damage on Russian organizations as part of the broader cyber dimension of the conflict in Ukraine. The development of custom ransomware (GenieLocker) suggests a significant technical capability investment, elevating the group beyond typical opportunistic hacktivists.
GenieLocker Ransomware
GenieLocker is a custom-developed Windows ransomware strain attributed exclusively to Bearlyfy. Key characteristics include:
- Platform: Windows (targeting corporate Windows environments)
- Origin: Custom-built — not a leaked or commercially purchased ransomware-as-a-service (RaaS) builder
- Motivation: Geopolitical disruption rather than financial extortion
- Deployment: Used in targeted attacks against specific Russian companies rather than mass deployment
The use of custom ransomware is a significant indicator of operational maturity. Custom-built strains are tailored to evade detection by specific security products, can be modified between campaigns, and are not shared with other actors — reducing the chance of indicators being pre-populated in threat intelligence feeds from prior RaaS users.
Scale and Targeting
Over 70 attacks against Russian companies since January 2025 represents a sustained operational tempo. The targeting pattern reflects the group's stated objectives — impacting the Russian commercial sector to impose economic and operational costs in parallel with the broader conflict.
Russian industries reported as targets in Bearlyfy-attributed activity span:
- Manufacturing and industrial firms
- Logistics and supply chain companies
- Financial services organizations
- Technology and IT service providers
The breadth of targeting suggests the group is not highly selective about victims beyond the geographic criterion of being a Russian-based organization.
Context: Hacktivist Groups in the Russia-Ukraine Conflict
Bearlyfy is one of multiple hacktivist groups that have emerged from or been active in the context of the Russia-Ukraine war. The cyber dimension of the conflict has included:
- Pro-Ukrainian groups targeting Russian infrastructure, companies, and government systems (e.g., Bearlyfy, IT Army of Ukraine)
- Pro-Russian groups targeting Ukrainian and Western organizations (e.g., NoName057(16), KillNet)
- State-sponsored APT activity on both sides targeting critical infrastructure, military, and government systems
The deployment of ransomware by hacktivist groups blurs traditional distinctions between financial cybercrime and ideologically motivated attacks. GenieLocker's purpose appears to be damage, not extortion — but the technical and operational overlap with financially motivated ransomware makes attribution and response more complex.
Implications for Russian Organizations
Russian organizations facing Bearlyfy's operations should consider:
- Offline backups: Ransomware impact is substantially reduced when clean, offline (air-gapped) backups exist. Recovery without paying a ransom or accepting permanent data loss requires backup integrity
- EDR and behavioral detection: Custom ransomware strains lack signatures in many threat intelligence feeds. Behavioral detection of ransomware precursors (mass file modification, shadow copy deletion, privilege escalation) is more reliable than signature-based approaches
- Network segmentation: Limiting lateral movement within corporate networks reduces the blast radius of a successful initial compromise before ransomware deployment
- Incident response readiness: Organizations in sectors targeted by geopolitically motivated actors should maintain tested IR plans and retainers
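One way to express two of the behavioral precursors named above (shadow-copy deletion and mass file modification) as detection rules over endpoint telemetry, added here as an illustrative example that is not part of the article or attributed to any product. The log format, thresholds and sample events are constructed, and the command-line patterns are illustrative rather than exhaustive.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Command-line patterns for shadow-copy deletion, a ransomware precursor (illustrative list).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE)

# Assumed thresholds: this many file writes by one process inside WINDOW is a burst.
MASS_FILE_THRESHOLD = 50
WINDOW = timedelta(seconds=60)

def parse(line):
    """Parse the constructed 'timestamp|kind|host|process|detail' format."""
    ts, kind, host, proc, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "host": host, "proc": proc, "detail": detail}

def detect(lines):
    """Return (host, process, alert) tuples for behavioral precursors."""
    alerts = []
    writes = defaultdict(deque)  # (host, proc) -> timestamps of recent writes
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        key = (ev["host"], ev["proc"])
        if ev["kind"] == "proc" and SHADOW_DELETE.search(ev["detail"]):
            alerts.append((*key, "shadow-copy-deletion"))
        elif ev["kind"] == "file":
            q = writes[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > WINDOW:  # drop writes outside the sliding window
                q.popleft()
            if len(q) == MASS_FILE_THRESHOLD:  # fire once per burst, not per write
                alerts.append((*key, "mass-file-modification"))
    return alerts

def sample_events():
    """Constructed sample telemetry (not real data): one shadow-copy deletion,
    a burst of 60 file writes by one process, and slow benign backup writes."""
    base = datetime(2025, 3, 1, 10, 0, 0)
    lines = [f"{base.isoformat()}|proc|SRV01|cmd.exe|vssadmin.exe delete shadows /all /quiet",
             f"{(base + timedelta(seconds=2)).isoformat()}|proc|SRV01|powershell.exe|Get-Process"]
    for i in range(60):
        t = (base + timedelta(seconds=5 + i)).isoformat()
        lines.append(f"{t}|file|SRV01|unknown.exe|C:\\Users\\a\\Docs\\f{i}.docx.locked")
    for i in range(10):  # 10 writes spread over 10 minutes: stays below threshold
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t}|file|SRV02|backup.exe|D:\\backup\\chunk{i}.bin")
    return lines
```

Neither rule depends on a file hash or sample signature, which is the property the text argues matters against a custom strain; in practice the thresholds need tuning per environment to keep backup agents and bulk document tooling from firing the mass-modification rule.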
Key Takeaways
- Bearlyfy is a pro-Ukrainian hacktivist group active since January 2025 with 70+ attacks on Russian companies
- The group has developed GenieLocker, a custom Windows ransomware strain, indicating significant technical capability
- The group's motivation is geopolitical disruption, not financial extortion — making response dynamics different from traditional ransomware incidents
- The sustained operational tempo across 15+ months signals this is an ongoing, persistent campaign rather than a one-time operation
- Custom ransomware development by hacktivist groups represents a maturation of the threat beyond typical DDoS and defacement activity
Source: The Hacker News