A pro-Ukrainian hacker group known as Bearlyfy has been linked to more than 70 cyber attacks against Russian companies since its emergence in January 2025. Recent incidents have involved the deployment of a custom Windows ransomware variant called GenieLocker, designed to inflict maximum operational damage on its targets.
Scope and Attribution of the Campaign
Security researchers have attributed the campaign to the group Bearlyfy, which also operates under the alias Labubu. The group’s activities are characterized as dual-purpose, combining disruptive cyber attacks with a clear political motive opposing Russian business interests. The attacks have consistently targeted a range of Russian commercial entities over a sustained period.
The group first appeared on the threat landscape at the beginning of 2025. In the months since, its operations have continued unabated, indicating a persistent and organized effort. The shift to using a custom-built ransomware tool, GenieLocker, marks a significant escalation in the group’s technical capabilities and intent.
Technical Details of GenieLocker
GenieLocker is identified as a bespoke ransomware strain developed for the Windows operating system. While detailed technical specifications of the malware remain under analysis by cybersecurity firms, the use of a custom tool suggests the group has moved beyond relying on widely available or commodity malware. This development typically allows for more targeted attacks and can complicate detection and remediation efforts by standard security software.
Ransomware is a class of attack in which files on a victim’s systems are encrypted so that they can no longer be used. The attackers then demand a payment, or ransom, in exchange for the decryption key. In politically motivated attacks, the primary goal is often disruption and destruction rather than financial gain.
Context and Motivations
The cyber conflict between pro-Ukrainian and pro-Russian hacking collectives has been a persistent feature of the digital landscape since the escalation of the ground war in Ukraine. Numerous volunteer hacker groups, often referred to as the “IT Army of Ukraine,” have publicly declared their intent to target Russian infrastructure. Bearlyfy’s stated aim of inflicting maximum damage aligns with this broader pattern of hacktivism.
Such groups often target organizations they perceive as supporting the Russian state or its military efforts. The focus on Russian businesses suggests an economic dimension to the campaign, aiming to disrupt commercial operations and create financial pressure. These activities exist in a legal and ethical gray zone, operating outside official state channels.
Implications for Cybersecurity
The emergence of groups like Bearlyfy utilizing custom malware has significant implications for corporate cybersecurity, particularly for organizations operating in or connected to conflict zones. It underscores the need for robust, layered security defenses that go beyond signature-based detection. Companies are advised to prioritize endpoint detection and response (EDR) solutions, regular offline backups, and comprehensive employee security awareness training.
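The article recommends defences that go beyond signature matching, which matters here because no GenieLocker indicators have been published. The script below is an added example written for this page, not code from the article or from any vendor product: it scores processes on generic ransomware behaviour (a burst of distinct files touched, document names gaining an extra suffix, high-entropy writes) over a small set of constructed file-event log lines. The log format, the process names, the thresholds and the `.locked` suffix are all assumptions made for the demo and are not GenieLocker artefacts.

```python
"""Behaviour-based ransomware indicators over constructed file-event logs.

Added example, not code from the article or any vendor. The log format,
process names, thresholds and the ".locked" suffix are demo assumptions;
the article publishes no GenieLocker indicators and none are used here.
"""
from collections import Counter, defaultdict
from datetime import datetime
import math
import os

# Constructed events: timestamp | pid | image | op | path | extra
# extra = hex sample of bytes written (WRITE) or the new path (RENAME)
SAMPLE_EVENTS = """\
2025-06-01T09:00:01Z|412|winword.exe|WRITE|C:\\Users\\a\\Documents\\q3.docx|504b0304140006000800000021000000
2025-06-01T09:00:40Z|412|winword.exe|WRITE|C:\\Users\\a\\Documents\\q3.docx|504b0304140006000800000021000000
2025-06-01T09:10:00Z|777|backup.exe|WRITE|D:\\Backup\\q3.docx|504b0304140006000800000021000000
2025-06-01T09:10:01Z|777|backup.exe|WRITE|D:\\Backup\\plan.xlsx|504b0304140006000800000021000000
2025-06-01T09:10:02Z|777|backup.exe|WRITE|D:\\Backup\\notes.txt|48656c6c6f2c2074686973206973206e
2025-06-01T09:10:03Z|777|backup.exe|WRITE|D:\\Backup\\deck.pptx|504b0304140006000800000021000000
2025-06-01T09:10:04Z|777|backup.exe|WRITE|D:\\Backup\\memo.docx|504b0304140006000800000021000000
2025-06-01T09:30:00Z|9981|svc_upd.exe|WRITE|C:\\Users\\a\\Documents\\q3.docx|8f3ac2e19d04b7566e1d45f02c9b8e71
2025-06-01T09:30:00Z|9981|svc_upd.exe|RENAME|C:\\Users\\a\\Documents\\q3.docx|C:\\Users\\a\\Documents\\q3.docx.locked
2025-06-01T09:30:01Z|9981|svc_upd.exe|WRITE|C:\\Users\\a\\Documents\\plan.xlsx|1ad2b3c4e5f6071829a0b1c2d3e4f506
2025-06-01T09:30:01Z|9981|svc_upd.exe|RENAME|C:\\Users\\a\\Documents\\plan.xlsx|C:\\Users\\a\\Documents\\plan.xlsx.locked
2025-06-01T09:30:02Z|9981|svc_upd.exe|WRITE|C:\\Users\\a\\Documents\\notes.txt|aa11bb22cc33dd44ee55ff6600778899
2025-06-01T09:30:02Z|9981|svc_upd.exe|RENAME|C:\\Users\\a\\Documents\\notes.txt|C:\\Users\\a\\Documents\\notes.txt.locked
2025-06-01T09:30:03Z|9981|svc_upd.exe|WRITE|C:\\Users\\a\\Documents\\deck.pptx|0f1e2d3c4b5a69788796a5b4c3d2e1f0
2025-06-01T09:30:03Z|9981|svc_upd.exe|RENAME|C:\\Users\\a\\Documents\\deck.pptx|C:\\Users\\a\\Documents\\deck.pptx.locked
2025-06-01T09:30:04Z|9981|svc_upd.exe|WRITE|C:\\Users\\a\\Documents\\memo.docx|9e8d7c6b5a493827160fedcba9876543
2025-06-01T09:30:04Z|9981|svc_upd.exe|RENAME|C:\\Users\\a\\Documents\\memo.docx|C:\\Users\\a\\Documents\\memo.docx.locked
"""

DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".txt", ".pdf"}
WINDOW_SECONDS = 60        # sliding window for the burst indicator (assumed)
BURST_FILES = 5            # distinct files touched by one process in the window (assumed)
MIN_HITS = 3               # renames / encrypted writes needed per process (assumed)
HIGH_ENTROPY_FRACTION = 0.9
ALERT_SCORE = 2            # indicators needed before a process is reported


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """A 16-byte sample cannot reach 8 bits/byte, so compare with its own ceiling."""
    if len(data) < 16:
        return False
    ceiling = math.log2(min(len(data), 256))
    return shannon_entropy(data) >= HIGH_ENTROPY_FRACTION * ceiling


def extension_appended(old: str, new: str) -> bool:
    """True when a document keeps its name but gains a suffix (q3.docx -> q3.docx.locked)."""
    old_ext = os.path.splitext(old)[1].lower()
    return old_ext in DOCUMENT_EXTS and new.lower().startswith(old.lower()) and len(new) > len(old)


def parse_events(text: str):
    """Yield one dict per non-empty log line of the constructed format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, op, path, extra = line.split("|", 5)
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "pid": int(pid),
               "image": image, "op": op, "path": path, "extra": extra}


def max_distinct_in_window(items):
    """Largest number of distinct paths touched inside any WINDOW_SECONDS span."""
    best = 0
    for i, (start, _) in enumerate(items):
        paths = {p for ts, p in items[i:] if (ts - start).total_seconds() <= WINDOW_SECONDS}
        best = max(best, len(paths))
    return best


def score_processes(events):
    """Return {(pid, image): {"score": int, "reasons": [...]}} for every process seen."""
    touched, renamed, encrypted = defaultdict(list), Counter(), Counter()
    for ev in events:
        key = (ev["pid"], ev["image"])
        touched[key].append((ev["ts"], ev["path"]))
        if ev["op"] == "RENAME" and extension_appended(ev["path"], ev["extra"]):
            renamed[key] += 1
        elif ev["op"] == "WRITE" and looks_encrypted(bytes.fromhex(ev["extra"])):
            encrypted[key] += 1
    results = {}
    for key, items in touched.items():
        items.sort()
        reasons = []
        burst = max_distinct_in_window(items)
        if burst >= BURST_FILES:
            reasons.append(f"{burst} distinct files within {WINDOW_SECONDS}s")
        if renamed[key] >= MIN_HITS:
            reasons.append(f"{renamed[key]} document renames with an appended suffix")
        if encrypted[key] >= MIN_HITS:
            reasons.append(f"{encrypted[key]} high-entropy writes")
        results[key] = {"score": len(reasons), "reasons": reasons}
    return results


def alerts(text: str = SAMPLE_EVENTS):
    """Processes that trip at least ALERT_SCORE indicators, as sorted (pid, image) keys."""
    scored = score_processes(parse_events(text))
    return sorted(k for k, r in scored.items() if r["score"] >= ALERT_SCORE)


if __name__ == "__main__":
    scored = score_processes(parse_events(SAMPLE_EVENTS))
    for key in alerts():
        print(key, "->", "; ".join(scored[key]["reasons"]))
```

Run as-is, the script reports only `svc_upd.exe`: it trips all three indicators, while `backup.exe`, which also touches many files quickly, scores one and stays below the alert line. Requiring two independent behaviours is the design choice that keeps a legitimate backup or sync tool from paging the on-call analyst; in production the entropy check needs larger samples than sixteen bytes, and compression or backup tools still need an allowlist because their output is legitimately high-entropy.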
Furthermore, these incidents highlight the growing trend of geopolitical conflicts extending decisively into cyberspace. Non-state actors now possess the capability to launch sustained, damaging campaigns, blurring the lines between traditional hacktivism and more advanced cyber warfare tactics. This trend presents a complex challenge for international law and national security frameworks.
Ongoing Developments and Outlook
Cybersecurity intelligence firms are continuing to monitor Bearlyfy’s activities and analyze the GenieLocker ransomware. It is expected that the group will continue its campaign against Russian targets, potentially refining its tools and tactics. The Russian government and affected companies have not issued detailed public statements regarding these specific attacks at this time.
In the coming weeks, the cybersecurity community anticipates the release of more detailed technical analyses of the GenieLocker code. This may lead to the development of detection rules and decryption tools by major security vendors. Organizations globally, especially those with ties to regions of geopolitical tension, are likely to review their threat models in response to this evolution in hacktivist tactics.
Source: Various cybersecurity intelligence reports