[TIMESTAMP: 2026-03-27 12:22 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Bearlyfy Targets 70+ Russian Firms with Custom GenieLocker Ransomware

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Bearlyfy has compromised over 70 Russian firms using custom malware to cause significant operational disruption and data loss.
  • [02] Impacted environments primarily involve Windows-based systems targeted by the custom GenieLocker ransomware strain and associated phishing campaigns.
  • [03] Defenders should implement strict email filtering and monitor for unusual file encryption activities characteristic of the GenieLocker binary.

Campaign Overview: Bearlyfy and GenieLocker

Since its emergence in January 2025, a pro-Ukrainian threat actor identified as Bearlyfy (also tracked as Labubu) has executed a series of targeted campaigns against Russian infrastructure. According to The Hacker News, the group has successfully impacted more than 70 Russian firms. The hallmark of these recent operations is the deployment of a custom Windows-based ransomware strain codenamed GenieLocker. Unlike many financially motivated actors, Bearlyfy appears to operate with a dual-purpose mandate: extracting sensitive data and inflicting maximum operational damage on Russian commercial interests.

The group’s rapid expansion highlights a shift in the TTPs used by volunteer or ideologically motivated actors, moving away from simple DDoS attacks toward more sophisticated, persistent intrusions. By utilizing custom-developed malware, Bearlyfy avoids the common signatures associated with widespread Ransomware-as-a-Service (RaaS) kits, presenting a unique challenge for traditional EDR solutions and signature-based detection mechanisms. The group primarily gains initial access through phishing campaigns that deliver malicious payloads tailored to exploit organizational trust.

GenieLocker Ransomware Technical Analysis

GenieLocker is a bespoke encryption tool written specifically for Windows environments. Technical analysis indicates that the malware is designed for speed and efficiency in file destruction. Once the phishing link or attachment is executed, the ransomware begins identifying critical directories and databases. Analysis also shows that the actor prioritizes the encryption of proprietary data and logistical records, which maximizes the impact on business continuity.

Unlike traditional ransomware groups that maintain a C2 infrastructure for lengthy negotiations, Bearlyfy’s use of GenieLocker often leans toward destructive outcomes. While the malware includes ransom note functionality, the geopolitical motivations of the group suggest that recovery is secondary to the disruption of the target. This behavior aligns with the activities of other ideologically driven groups that use ransomware as a facade for wiper-like activity, ensuring that even if a ransom were considered, the technical hurdles to restoration remain high.

Detecting GenieLocker Ransomware Infections

Detecting Bearlyfy’s attacks on Russian firms requires a multi-layered monitoring strategy that looks beyond file hashes. Because the group frequently iterates on its codebase, IoC lists based on file hashes may become stale quickly. Defenders should focus on behavioral indicators that align with the MITRE ATT&CK framework, specifically monitoring for unusual process spawning from common office applications or the sudden mass modification of file extensions.

Network-level detection should focus on identifying the initial phishing delivery phase and subsequent lateral movement. Security teams can utilize SIEM platforms to correlate PowerShell execution with external network connections to unknown or recently registered domains. Additionally, the execution of GenieLocker typically involves the termination of backup services and the deletion of Volume Shadow Copies, which are high-fidelity alerts that a SOC analyst should investigate immediately.

Mitigations and Strategic Defense

To defend against GenieLocker and similar custom ransomware threats, organizations must adopt a Zero Trust architecture that limits the ability of a single compromised workstation to impact the entire network. Ensuring that backups are stored in an immutable or air-gapped environment is the most effective defense against the destructive nature of these attacks.

Defenders should prioritize the following actions:

  • Email Security: Implement advanced threat protection to scan for malicious macros and suspicious URLs in incoming communications.
  • Endpoint Hardening: Disable unnecessary administrative tools like PowerShell for non-technical users and restrict the use of administrative privileges.
  • Detection Engineering: Create alerts for the use of vssadmin.exe to delete shadow copies or the modification of boot configuration data (BCD).
  • Incident Response: Regularly test disaster recovery plans to ensure that restoration from offline backups is feasible within operational timelines.
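The behavioral indicators from the detection section above (office applications spawning script hosts, mass file-extension changes, backup service termination) and the Detection Engineering bullet (vssadmin.exe shadow copy deletion, BCD modification) expressed as a small rule set run over constructed Windows telemetry. This is an added example, not code from the article or from any vendor; the event field names, the sample paths and the ".locked" extension are assumptions.

```python
import re
from collections import Counter

# Behavioural rules for the activity described above: an office app spawning a script
# host, shadow-copy deletion, BCD tampering, backup-service stops, mass extension changes.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PROCESS_RULES = [  # (rule name, image basename, case-insensitive regex over the command line)
    ("shadow_copy_deletion", "vssadmin.exe", r"delete\s+shadows"),
    ("shadow_copy_deletion", "wmic.exe", r"shadowcopy\s+delete"),
    ("bcd_tampering", "bcdedit.exe", r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    ("backup_service_stop", "net.exe", r"\bstop\b.*backup"),
    ("backup_service_stop", "sc.exe", r"\bstop\b.*backup"),
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def match_process(ev):
    """Rule names triggered by one process-creation event (Sysmon EID 1 / Security 4688 style)."""
    image, parent = basename(ev["image"]), basename(ev["parent"])
    hits = [n for n, img, pat in PROCESS_RULES if image == img and re.search(pat, ev["cmdline"], re.I)]
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    return hits

def mass_rename(renames, threshold=5):
    """PIDs that changed a file's extension at least `threshold` times (mass re-extension)."""
    ext = lambda p: basename(p).rsplit(".", 1)[-1]
    counts = Counter(ev["pid"] for ev in renames if ext(ev["old"]) != ext(ev["new"]))
    return {pid: n for pid, n in counts.items() if n >= threshold}

def analyze(processes, renames):
    """Correlate both event streams into (pid, rule) alerts, as a SIEM rule set would."""
    alerts = [(ev["pid"], rule) for ev in processes for rule in match_process(ev)]
    alerts += [(pid, f"mass_extension_change:{n}") for pid, n in mass_rename(renames).items()]
    return alerts

# Constructed sample telemetry (not real indicators); ".locked" and the paths are placeholders.
SAMPLE_PROCESSES = [
    {"pid": 4100, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\u\AppData\Local\Temp\invoice.ps1"},
    {"pid": 4300, "parent": r"C:\Users\u\Downloads\payload.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4301, "parent": r"C:\Users\u\Downloads\payload.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
]
SAMPLE_RENAMES = [{"pid": 4299, "old": rf"D:\data\rec{i}.xlsx", "new": rf"D:\data\rec{i}.xlsx.locked"} for i in range(6)]
SAMPLE_RENAMES.append({"pid": 4212, "old": r"C:\tmp\a.tmp", "new": r"C:\tmp\a.log"})  # benign, below threshold
```

Calling `analyze(SAMPLE_PROCESSES, SAMPLE_RENAMES)` yields one alert per matching rule; the benign single rename stays below the mass-rename threshold, which is the knob to tune against normal build or backup activity in a given environment.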

While the current focus of Bearlyfy remains on Russian firms, the techniques and custom tools they employ provide a blueprint for other ideologically motivated actors worldwide. Continuous monitoring of emerging TTPs is essential for maintaining a resilient security posture.
