More than 70 attacks targeting Russian firms have been attributed to a pro-Ukrainian threat group named Bearlyfy, also known as Labubu, according to F6. Bearlyfy first surfaced in January 2025. In its latest operations it has used a custom Windows ransomware strain codenamed GenieLocker, marking a shift to targeted, high-stakes intrusions.
The group is described as dual-purpose, pursuing both extortion and sabotage against Russian businesses. Its early campaigns leveraged encryptors tied to LockBit 3 (Black) and Babuk before expanding. Beginning in May 2025, Bearlyfy also employed a modified version of PolyVice, a ransomware family associated with Vice Society, with some attacks delivering third-party lockers such as Hello Kitty and Rhysida.
By August 2025, the group had claimed at least 30 victims, and since then it has continued to escalate, launching GenieLocker-based campaigns on Windows endpoints from the start of March 2026. Bearlyfy’s operations are noted for rapid-fire attacks with minimal preparation, and ransom notes are typically crafted by the attackers themselves rather than generated automatically by the ransomware.