Bearlyfy Hits 70+ Russian Firms with Custom GenieLocker Ransomware

Bearlyfy's GenieLocker Ransomware: Custom Attack Targets Russian Organizations
For General Readers (Journalistic Brief)
Cybercriminals are constantly evolving, and a group known as "Bearlyfy," also referred to as "Labubu," is a prime example of this trend. Since the beginning of 2025, this group has been actively targeting organizations within Russia, launching over 70 attacks. What's particularly concerning is their recent shift: instead of using readily available ransomware tools that cybersecurity researchers might already know how to detect, they've developed their own custom version, named "GenieLocker."
This move to create bespoke ransomware signifies a significant upgrade in Bearlyfy's technical skills and independence. It means they are no longer reliant on third-party tools, making their operations harder to track and defend against. Their goals appear to be a combination of demanding ransoms for data recovery and causing disruptive damage to the operations of their victims.
The development of unique tools like GenieLocker makes it harder for cybersecurity defenses to keep up. It highlights the critical need for robust security strategies that go beyond simple virus scanning, focusing instead on detecting suspicious behavior and being prepared to respond quickly if an attack does occur.
Technical Deep-Dive
1. Executive Summary
The threat actor group "Bearlyfy" (also known as "Labubu") has been actively targeting Russian organizations since January 2025, executing over 70 cyberattacks. Their operational evolution is marked by the deployment of a custom-developed Windows ransomware strain, internally designated "GenieLocker." This transition from utilizing established ransomware families (e.g., LockBit 3, Babuk, PolyVice) to proprietary malware signifies enhanced technical sophistication and operational autonomy. The group's objectives are dual-purpose: financial extortion and disruptive sabotage. The severity of this threat is classified as High due to the potential for widespread data encryption, system disruption, and significant financial impact on affected entities. No specific CVSS score is publicly available for the GenieLocker ransomware itself, as it is a custom payload, not tied to a specific software vulnerability.
2. Technical Vulnerability Analysis
- CVE ID and Details: Not applicable. GenieLocker is a custom ransomware payload, not a vulnerability in a specific software product that would be assigned a CVE. The analysis focuses on the threat actor's Tactics, Techniques, and Procedures (TTPs) and tooling, rather than a specific exploitable software flaw.
- Root Cause (Code-Level): Not publicly disclosed. The article does not provide details on the specific code-level weaknesses within GenieLocker that enable its encryption or evasion capabilities. It only states that its encryption mechanism is "inspired by the encryption methodologies of the Venus and Trinity ransomware families."
- Affected Components: Windows endpoints are the primary target for GenieLocker. The article does not specify particular Windows versions or editions that are more or less susceptible, implying broad compatibility with the Windows operating system.
- Attack Surface: The attack surface is primarily defined by the initial access vectors employed by Bearlyfy, which include the exploitation of internet-facing services and vulnerable applications. Specific CVEs are not detailed. Post-exploitation, the use of legitimate remote access tools like MeshAgent expands the attack surface by establishing Command and Control (C2) channels.
3. Exploitation Analysis (Red-Team Focus)
- Red-Team Exploitation Steps:
- Initial Access: Exploit internet-facing services or vulnerable applications. This could involve known unpatched CVEs, misconfigurations in RDP, VPNs, web servers, or other exposed services.
- Reconnaissance & Enumeration: Once initial access is gained, the actor performs internal reconnaissance to identify critical assets, user privileges, and network topology using standard Windows enumeration commands and tools.
- Persistence & C2 Establishment: Deploy legitimate remote access tools such as MeshAgent to establish a stable Command and Control (C2) channel. This allows for remote execution of commands and data exfiltration/manipulation. MeshAgent connects outbound to its MeshCentral server over a TLS-wrapped WebSocket, by default on TCP 443 (the port is configurable at deployment), so the channel blends in with ordinary HTTPS traffic; the server address is embedded in the agent's settings (.msh) file at install time.
- Privilege Escalation (if necessary): If initial access is with low privileges, the actor will attempt to escalate privileges to gain administrative control over critical systems. Techniques may include exploiting local privilege escalation vulnerabilities (e.g., unquoted service paths, weak file permissions on executables, kernel exploits) or abusing misconfigured group policies.
- Lateral Movement: Utilize compromised credentials (e.g., via Mimikatz, LSASS dumping), RDP, SMB, or other network protocols (e.g., WinRM) to move across the network and compromise additional systems. Tools like `PsExec` or `Invoke-Command` are commonly employed.
- Payload Deployment (GenieLocker): Distribute and execute the GenieLocker ransomware payload on targeted endpoints. This can be achieved through scheduled tasks, remote execution, or direct file copy followed by execution.
- Encryption: GenieLocker encrypts victim files, rendering them inaccessible. The encryption mechanism is reported to be inspired by Venus and Trinity ransomware, suggesting a likely implementation of hybrid encryption (e.g., AES for bulk data, RSA for key encryption).
- Extortion: Instead of automated ransom notes, the actor directly communicates ransom demands and instructions to victims, likely via the established C2 channel (MeshAgent) or alternative out-of-band communication methods (e.g., encrypted email, secure messaging apps).
- What privileges are needed? Initial access can potentially be achieved with no prior privileges (pre-authentication) if exploiting a network-facing vulnerability. However, for effective lateral movement and payload deployment, administrative privileges on target systems are typically required.
- Network requirements? Exploitation of internet-facing services implies network accessibility from the internet. Post-exploitation activities (lateral movement, C2) require internal network connectivity. MeshAgent's C2 communication requires outbound connectivity to its designated server.
- Public PoCs and Exploits: No specific public Proof-of-Concepts (PoCs) or exploits for GenieLocker are mentioned in the source. The article focuses on the actor's TTPs and custom malware.
- Exploitation Prerequisites:
- Existence of exploitable internet-facing services or vulnerable applications.
- Successful execution of initial access vector.
- Potentially, weak credential management or unpatched internal systems for lateral movement.
- Lack of robust endpoint detection and response (EDR) capabilities to detect MeshAgent deployment or ransomware execution.
- Absence of application control mechanisms preventing the execution of unauthorized binaries.
- Automation Potential: The initial access and lateral movement phases can be automated to some extent, especially if leveraging known exploits or credential spraying. However, the direct communication of ransom demands suggests a manual or semi-automated approach to victim engagement, which reduces the potential for full automation or worm-like propagation without human intervention in the negotiation phase.
- Attacker Privilege Requirements: Unauthenticated (for initial network-facing exploits) to authenticated administrative privileges (for lateral movement and payload execution).
- Worst-Case Scenario: A successful, widespread deployment of GenieLocker could lead to:
- Confidentiality: Complete loss of access to encrypted sensitive data. Potential for data exfiltration prior to encryption if the actor also performs data theft.
- Integrity: Irreversible corruption of data due to encryption.
- Availability: Complete disruption of business operations across affected systems and services, leading to significant downtime, financial losses, and reputational damage.
4. Vulnerability Detection (SOC/Defensive Focus)
How to Detect if Vulnerable:
- Network Scanning: Regularly scan internet-facing assets for known vulnerable services. Tools like Nessus, Qualys, or Nmap scripts can identify specific CVEs or service misconfigurations that could serve as initial access vectors.
- Endpoint Inventory & Patching Status: Maintain an accurate inventory of all Windows endpoints and their patch levels. Identify systems missing critical security updates for internet-facing applications.
- Configuration Audits: Audit configurations of internet-facing services (e.g., RDP, VPN gateways, web servers) for insecure settings (e.g., weak cipher suites, outdated protocols, excessive permissions).
- Presence of MeshAgent: Check for unauthorized installations of MeshAgent. This can be done via endpoint management tools (e.g., SCCM, Intune), by querying installed software lists, or by monitoring process execution.
- PowerShell command to check for MeshAgent (the default install directory is "C:\Program Files\Mesh Agent", with a space, and the default service name is "Mesh Agent"; the path without the space and common drop directories are checked as well):
```powershell
# Look for the agent binary in default install paths and common staging directories
Get-ChildItem -Path "C:\Program Files\Mesh Agent", "C:\Program Files\MeshAgent", "C:\Program Files (x86)\Mesh Agent", "$env:SystemRoot\Temp", "$env:SystemDrive\Users\*\AppData\Local\Temp" -Recurse -Filter "meshagent.exe" -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime
# Check for the agent's service registration
Get-Service -Name "Mesh Agent" -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
```
Indicators of Compromise (IOCs):
- File Hashes: Unknown. GenieLocker is custom, so hashes will vary and need to be derived from observed samples.
- Network Indicators:
- Traffic to/from known MeshAgent C2 infrastructure (if identified through threat intelligence).
- Unusual outbound connections from internal systems to external IPs on non-standard ports, potentially related to C2.
- DNS queries for suspicious domains associated with C2 infrastructure.
- TLS sessions to raw IP addresses rather than hostnames, or to servers presenting self-signed or otherwise untrusted certificates (MeshCentral issues a self-signed certificate by default unless a CA-issued one is configured), if the C2 channel is scrutinized.
- Process Behavior Patterns:
- Execution of `meshagent.exe` from unusual directories (e.g., `C:\Users\<user>\AppData\Local\Temp\`, `C:\Windows\Temp\`) or with suspicious command-line arguments (e.g., `-install`, `-silent`, `-run` without a legitimate installer as the parent process).
- Rapid, high-volume file write and rename operations on user data directories, excluding known system processes. This is indicative of encryption.
- Execution of unsigned or unknown binaries from temporary directories or user profiles.
- Spawning of `cmd.exe` or `powershell.exe` by `meshagent.exe` with encoded or obfuscated arguments.
- Registry/Config Changes: Not publicly disclosed. Ransomware often makes registry changes for persistence (e.g., `Run` keys, `RunOnce` keys, Scheduled Tasks) or to disable security features (e.g., Windows Defender exclusions, firewall rules).
- Log Signatures:
- Windows Event Logs: Process creation events (Security Event ID 4688, with command-line auditing enabled) for `meshagent.exe`, suspicious PowerShell execution (e.g., encoded commands, cmdlets used for enumeration or persistence; PowerShell Event ID 4104 script block logging), failed logon attempts (4625), privilege escalation events (4672, and 4728/4732 group membership changes).
- Sysmon: Event ID 1 (Process Creation) for `meshagent.exe` or suspicious file operations. Event ID 11 (FileCreate) or Event ID 23 (FileDelete) in conjunction with high volume and specific file extensions. Event ID 10 (ProcessAccess) for unusual access to LSASS.
- Firewall Logs: Anomalous outbound connections from endpoints to unexpected external IPs or on non-standard ports.
SIEM Detection Queries:
KQL (Microsoft Sentinel / Defender for Endpoint advanced hunting):
```kql
// Detects suspicious MeshAgent installation or execution patterns with EDR telemetry.
// `contains` is case-insensitive, so no tolower() is needed; "-install" also matches "-fullinstall".
DeviceProcessEvents
| where FileName =~ "meshagent.exe"
| where ProcessCommandLine contains "-install"
    or ProcessCommandLine contains "-silent"
    or ProcessCommandLine contains "-run"
// Basic exclusion for legitimate installers; extend with your deployment tooling
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe")
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, AccountName
```
SPL (Splunk):
```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="*\\meshagent.exe"
    (CommandLine="*-install*" OR CommandLine="*-silent*" OR CommandLine="*-run*")
    NOT ParentImage="*\\msiexec.exe" NOT ParentImage="*\\setup.exe"
| table _time, ComputerName, Image, CommandLine, ParentImage, User
```
Note that the parent exclusion has to live in the search clause: `where ParentImage!="*\\msiexec.exe"` compares against the literal string and never matches a wildcard.
Sigma Rule (Conceptual):
```yaml
title: Suspicious MeshAgent Execution
id: 5c1f0e2d-8a4b-4e7c-9d3f-6b2a1c0e9f8d   # placeholder; generate a fresh UUIDv4 before use
status: experimental
description: Detects the execution or installation of MeshAgent with install/run arguments from a parent other than a known installer, potentially indicating unauthorized remote access tool deployment.
author: Your Name/Team
date: 2026-03-27
references:
    - https://thehackernews.com/2026/03/bearlyfy-hits-70-russian-firms-with.html
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\meshagent.exe'
        CommandLine|contains:
            - '-install'
            - '-silent'
            - '-run'
    filter_legit:
        ParentImage|endswith:
            - '\msiexec.exe'
            - '\setup.exe'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate deployment of MeshAgent via custom installers (requires tuning)
level: high
tags:
    - attack.persistence
    - attack.command_and_control
    - ransomware
    - bearlyfy
```
Behavioral Indicators:
- Mass File Modification: Unusually high rate of file writes and renames across user directories, especially for common document, image, and archive file types. Monitor for file extensions being appended or changed.
- Process Spawning: `meshagent.exe` spawning unusual child processes or executing commands via `cmd.exe` or `powershell.exe` with encoded arguments.
- Network Anomalies: Outbound connections from endpoints to unexpected external IPs or on non-standard ports, particularly if originating from `meshagent.exe`.
- System Configuration Changes: Disabling of security features (e.g., Windows Defender real-time protection, firewall), creation of new scheduled tasks, or modification of registry keys related to system startup or security policies.
- LSASS Access: Monitoring for processes (other than legitimate system processes like `wininit.exe` or `svchost.exe`) accessing the `lsass.exe` process memory, which is a common technique for credential harvesting.
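The process-behavior patterns and behavioral indicators above reduce to a few testable rules. The following is an added example, not code from the article or from F6, that evaluates three of them (MeshAgent run from a temp directory or installed by a non-installer parent, a burst of file creations by a single process, and LSASS access by a process outside an allow-list) over constructed Sysmon-style events. The hostnames, paths, file extensions, thresholds and allow-lists are assumptions to tune against your own baseline; none of them are GenieLocker IOCs.

```python
"""Added example (not from the article or F6): evaluates three behavioural indicators over
constructed Sysmon-style events. Hostnames, paths, thresholds and allow-lists are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

INSTALLER_PARENTS = {"msiexec.exe", "setup.exe"}           # parents that may legitimately install MeshAgent
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
MESHAGENT_FLAGS = ("-install", "-silent", "-run")           # "-install" also matches "-fullinstall"
LSASS_ALLOWED_SOURCES = {"wininit.exe", "svchost.exe", "csrss.exe", "lsass.exe", "msmpeng.exe"}
FILE_CREATE_THRESHOLD = 50                                  # files created by one process ...
FILE_CREATE_WINDOW = timedelta(seconds=10)                  # ... within this window looks like encryption


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_meshagent(ev):
    """Sysmon EID 1: meshagent.exe run from a temp directory, or with install/run flags
    by a parent that is not a known installer."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "meshagent.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    parent = basename(ev.get("ParentImage", ""))
    in_temp = any(m in ev["Image"].lower() for m in TEMP_DIR_MARKERS)
    has_flag = any(f in cmd for f in MESHAGENT_FLAGS)
    if in_temp or (has_flag and parent not in INSTALLER_PARENTS):
        return f"meshagent.exe on {ev['Computer']}: parent={parent or '?'} path={ev['Image']} cmd={ev['CommandLine']}"
    return None


def rule_lsass_access(ev):
    """Sysmon EID 10: a process outside the allow-list opened a handle to lsass.exe."""
    if ev["EventID"] != 10 or basename(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    src = basename(ev.get("SourceImage", ""))
    if src not in LSASS_ALLOWED_SOURCES:
        return f"lsass.exe accessed by {src} on {ev['Computer']} (GrantedAccess={ev.get('GrantedAccess')})"
    return None


def rule_mass_file_create(events):
    """Sysmon EID 11: sliding window per (host, image, pid); alerts when one process creates
    FILE_CREATE_THRESHOLD or more files inside FILE_CREATE_WINDOW."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 11:
            by_proc[(ev["Computer"], basename(ev["Image"]), ev["ProcessId"])].append(ev["UtcTime"])
    alerts = []
    for (host, image, pid), times in by_proc.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > FILE_CREATE_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= FILE_CREATE_THRESHOLD:
            alerts.append(f"{image} (pid {pid}) on {host} created {peak} files within "
                          f"{int(FILE_CREATE_WINDOW.total_seconds())}s")
    return alerts


def evaluate(events):
    """Run all rules over a list of events; returns the alert strings in detection order."""
    alerts = []
    for ev in events:
        for rule in (rule_meshagent, rule_lsass_access):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(rule_mass_file_create(events))
    return alerts


# --- constructed sample telemetry (not real IOCs) ---------------------------------------
T0 = datetime(2026, 3, 27, 9, 0, 0)


def make_event(eid, secs, **fields):
    return {"EventID": eid, "UtcTime": T0 + timedelta(seconds=secs), "Computer": "WS-042", **fields}


SAMPLE_EVENTS = [
    # benign: MeshAgent installed by msiexec into the default "Mesh Agent" directory
    make_event(1, 0, Image=r"C:\Program Files\Mesh Agent\MeshAgent.exe",
               CommandLine="MeshAgent.exe -fullinstall", ParentImage=r"C:\Windows\System32\msiexec.exe"),
    # suspicious: MeshAgent dropped in a user temp directory and installed from cmd.exe
    make_event(1, 5, Image=r"C:\Users\bob\AppData\Local\Temp\meshagent.exe",
               CommandLine="meshagent.exe -fullinstall", ParentImage=r"C:\Windows\System32\cmd.exe"),
    # benign and suspicious LSASS handle opens
    make_event(10, 6, SourceImage=r"C:\Windows\System32\svchost.exe",
               TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1000"),
    make_event(10, 7, SourceImage=r"C:\Windows\Temp\x64.exe",
               TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1010"),
    # benign: explorer.exe writes five documents over a minute
    *[make_event(11, 10 + 15 * i, Image=r"C:\Windows\explorer.exe", ProcessId=1234,
                 TargetFilename=rf"C:\Users\bob\Documents\report{i}.docx") for i in range(5)],
    # suspicious: one unknown binary creates 60 files with a new extension in under three seconds
    *[make_event(11, 20 + 0.05 * i, Image=r"C:\Users\bob\AppData\Local\Temp\locker.exe", ProcessId=4242,
                 TargetFilename=rf"C:\Users\bob\Documents\file{i}.xlsx.enc") for i in range(60)],
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the sample set the benign MeshAgent install, the svchost.exe LSASS access and explorer.exe's five writes stay silent, while the temp-directory agent, the unknown LSASS reader and the 60-file burst each produce one alert. The sliding window in `rule_mass_file_create` is what separates a real encryption burst from a user copying a folder over several minutes; the threshold and window are the two knobs to tune against a week of your own EID 11 volume before deploying anything like this.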
5. Mitigation & Remediation (Blue-Team Focus)
- Official Patch Information: Not applicable. GenieLocker is custom malware. Mitigation focuses on preventing its deployment and execution, not patching a specific software vulnerability.
- Workarounds & Temporary Fixes:
- Network Segmentation: Isolate critical systems and sensitive data from the internet and less trusted network segments using firewalls and VLANs. Restrict inter-segment traffic based on the principle of least privilege.
- Firewall Rules: Block inbound connections to RDP (3389), SMB (445), and other potentially exploitable services from the internet. Implement egress filtering to restrict outbound connections to known malicious IPs/domains and unusual ports.
- WAF Rules: If web applications are exposed, implement Web Application Firewall (WAF) rules to block common web attack patterns (e.g., SQL injection, XSS, RCE attempts).
- Disable Unnecessary Services: Turn off or restrict access to any internet-facing services that are not strictly required. Regularly audit running services.
- Application Control/Whitelisting: Implement application whitelisting (e.g., AppLocker, Windows Defender Application Control) to prevent the execution of unauthorized binaries, including `meshagent.exe` and the ransomware itself. This is a highly effective control against unknown executables.
- Endpoint Detection and Response (EDR): Ensure EDR is deployed, configured, and actively monitoring for anomalous process behavior and file modifications. Tune EDR policies to detect MeshAgent execution, suspicious PowerShell usage, and ransomware TTPs (e.g., mass file modification).
- Disable PowerShell Remoting: If not essential for legitimate administrative tasks, disable PowerShell remoting (WinRM) to prevent its abuse for lateral movement.
- Principle of Least Privilege: Enforce strict user and service account permissions, ensuring that only necessary privileges are granted.
- Manual Remediation Steps (Non-Automated):
- Isolate Infected Systems: Immediately disconnect any suspected compromised systems from the network to prevent further spread. This can be done by disabling network interfaces, disconnecting cables, or using network access control (NAC) solutions.
- Identify and Terminate Malicious Processes: Use Task Manager, Process Explorer, or EDR tools to identify and terminate `meshagent.exe` or any other suspicious processes. Note the process ID (PID) for further investigation.
- Remove Malicious Files: Locate and delete the ransomware executable and any associated dropped files (e.g., configuration files, persistence mechanisms). Common locations include `C:\Users\<user>\AppData\Local\Temp\`, `C:\Windows\Temp\`, or custom directories. Hash and preserve a copy of each file for forensic analysis before deleting it.
- Remove Persistence Mechanisms:
- Scheduled Tasks: Use `schtasks /delete /tn "TaskName" /f` to remove any newly created scheduled tasks.
- Registry Run Keys: Use `reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EntryName" /f` or `reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "EntryName" /f` to remove entries from the Run keys.
- Services: Use `sc stop "ServiceName"` followed by `sc delete "ServiceName"` to remove any malicious services (MeshAgent registers itself as a service, by default named "Mesh Agent").
- Restore from Backups: If systems are encrypted, restore data from clean, verified backups. Ensure backups are isolated and immutable to prevent them from being compromised.
- Forensic Analysis: Conduct a forensic analysis of compromised systems to understand the full scope of the incident, identify the initial access vector, gather IOCs, and determine the extent of lateral movement.
- Reset Compromised Credentials: Force password resets for any user accounts that may have been compromised, especially administrative accounts. Implement multi-factor authentication (MFA) where possible.
- Risk Assessment During Remediation:
- Data Loss: Risk of permanent data loss if backups are not available, are corrupted, or are also compromised.
- Business Interruption: Continued downtime if remediation is slow or incomplete. Critical business processes may remain halted.
- Re-infection: Risk of re-infection if the initial access vector is not fully remediated or if persistence mechanisms are missed.
- False Positives: Overly aggressive blocking of legitimate processes during remediation can lead to operational disruption and user impact. Careful validation is required.
- Forensic Integrity: Risk of altering evidence if remediation steps are not performed carefully and systematically.
6. Supply-Chain & Environment-Specific Impact
- CI/CD Impact: Not directly indicated. However, if Bearlyfy were to compromise a CI/CD pipeline, they could inject malicious code into software builds, leading to a supply-chain attack. The current article does not provide evidence of this. Compromising build tools or artifact repositories could allow for the distribution of malicious payloads disguised as legitimate software updates.
- Container/Kubernetes Impact: Not directly indicated. If container images are built from compromised base images or if container orchestration platforms have exposed management interfaces (e.g., Kubernetes API server), they could be targeted. Container isolation effectiveness would depend on the specific configuration and any vulnerabilities within the container runtime (e.g., Docker, containerd) or orchestrator. Exploiting misconfigured Kubernetes RBAC or vulnerable container images could lead to host compromise or lateral movement within the cluster.
- Supply-Chain Implications: The development of custom ransomware indicates a high level of sophistication. While not explicitly stated, it's conceivable that such actors could target software dependencies or development tools if they gain access to the supply chain. The use of legitimate tools like MeshAgent could also be part of a broader strategy to blend in with legitimate administrative activities, making them harder to distinguish from normal network traffic.
7. Advanced Technical Analysis
- Exploitation Workflow (Detailed):
- Initial Foothold: Exploitation of a publicly accessible vulnerability (e.g., CVE-2025-XXXX in an exposed web application, weak RDP credentials, unpatched VPN endpoint). This grants initial access to an internal or external-facing system.
- Environment Mapping: Utilize standard Windows utilities (`ipconfig`, `netstat`, `tasklist`, `systeminfo`, `quser`, `qwinsta`) and potentially more advanced tools (e.g., `BloodHound` for Active Directory reconnaissance if domain access is achieved) to understand the local system, network topology, and identify potential targets for lateral movement.
- Persistence: Installation of MeshAgent (e.g., `meshagent.exe -install -silent`) on compromised systems. This establishes a persistent, encrypted C2 channel, allowing the attacker to maintain access and issue commands remotely. The agent registers itself as a Windows service (by default named "Mesh Agent") so that it survives reboots.
- Credential Harvesting: If administrative privileges are obtained on a system, use tools like Mimikatz, LaZagne, or exploit vulnerabilities (e.g., LSASS memory access) to extract credentials (passwords, NTLM hashes, Kerberos tickets) for user accounts, including domain administrators.
- Lateral Movement: Employ harvested credentials with tools like PsExec, WinRM (`Invoke-Command`), or RDP to access other systems within the network. This phase aims to compromise critical servers, domain controllers, and file shares.
- Discovery: Identify critical data stores, file servers, domain controllers, and other high-value targets. This involves network scanning and enumeration of shared resources.
- Ransomware Staging: Transfer the GenieLocker executable to target systems. This can be done via SMB shares, PsExec, or other remote execution methods.
- Execution: Execute GenieLocker on target systems. This might involve scheduled tasks created remotely, direct remote execution commands, or leveraging Group Policy Objects (GPOs).
- Encryption: GenieLocker performs file encryption. Based on its inspiration from Venus and Trinity, it likely uses a hybrid encryption scheme; the article does not name the algorithms, so the following is an inference about the pattern, not a confirmed detail of GenieLocker:
- Symmetric Encryption: AES-256 is the common choice for encrypting the bulk of each file's data, for speed, under a per-file or per-victim key.
- Asymmetric Encryption: RSA (e.g., RSA-2048 or RSA-4096) wraps the AES keys. The attacker's public RSA key is embedded in the ransomware; each wrapped key is stored alongside the encrypted file (typically in a footer) or reported to the attacker, so recovery requires the attacker's private key, which is what is offered in exchange for payment.
- The ransomware would iterate through target files, encrypt them in place or write encrypted copies and delete the originals, and may append a specific file extension to encrypted files.
- Communication: Direct communication with victims via the MeshAgent C2 channel or other pre-arranged methods to deliver ransom demands, negotiate payment, and potentially provide decryption keys.
- Code-Level Weakness: Unknown. The article mentions inspiration from Venus and Trinity ransomware, suggesting potential similarities in encryption algorithms or implementation details (e.g., use of specific crypto libraries, error handling for encryption operations), but no specific code patterns are provided.
- Related CVEs & Chaining: Not publicly disclosed. The article focuses on the actor's TTPs, not specific CVEs they exploit. However, it is highly probable that Bearlyfy leverages known, unpatched vulnerabilities for initial access.
- Bypass Techniques: Unknown. The article does not detail how GenieLocker or Bearlyfy's other tools bypass security controls. However, the use of legitimate tools like MeshAgent is a common technique to evade detection by EDR solutions that might flag custom C2 frameworks. Other potential bypass techniques include:
- Fileless Malware: Executing payloads directly in memory.
- Obfuscation: Using techniques to hide malicious code from static analysis.
- Living-off-the-Land Binaries (LOLBins): Abusing legitimate system utilities for malicious purposes.
- Disabling Security Software: Attempting to disable EDR, antivirus, or Windows Defender.
- Time-of-Check to Time-of-Use (TOCTOU) Exploits: Exploiting race conditions in security software.
8. Practical Lab Testing
- Safe Testing Environment Requirements:
- Isolated Network: A completely air-gapped or heavily segmented virtual network environment, disconnected from any production or sensitive networks.
- Virtual Machines: Multiple Windows VMs (e.g., Windows 10, Windows Server 2019) configured with varying security settings and patch levels to simulate different organizational environments.
- Network Capture: Tools like Wireshark or tcpdump to monitor network traffic for C2 communication, lateral movement attempts, and data exfiltration.
- Endpoint Monitoring: Sysmon installed on VMs for detailed process, network, and file system activity logging. EDR simulation tools (if available) or robust logging agents. Process monitoring utilities (e.g., Process Monitor, Process Explorer).
- Malware Analysis Sandbox: A controlled environment for detonating potential malware samples (if available) to observe behavior without risk.
- Simulated C2 Server: A controlled server or VM configured to act as a MeshAgent C2 server for testing communication channels.
- How to Safely Test:
- Deploy MeshAgent: Install MeshAgent on a test VM and configure a basic C2 server (e.g., a self-hosted instance or a controlled external IP) to simulate C2 communication. Observe its behavior, process creation, network connections, and any persistence mechanisms it establishes.
- Simulate Initial Access: If a specific vulnerable application or service is identified as a potential entry point (hypothetically), set it up in the lab and attempt exploitation using known techniques or simulated exploits.
- Simulate Ransomware Execution: If a sample of GenieLocker or a similar ransomware is obtained (ethically and legally), execute it within the isolated environment. Observe file encryption, process behavior, any dropped files, and any ransom notes generated.
- Test Detection Rules: Run the SIEM queries and Sigma rules developed against the telemetry generated during the above tests to validate their effectiveness in detecting the simulated attack stages.
- Test Mitigation Controls: Apply firewall rules, EDR policies, application whitelisting, or other security controls to the test environment and re-run the exploitation/execution steps to verify that the controls prevent or detect the activity.
- Lateral Movement Simulation: Using harvested credentials (simulated or obtained in the lab), attempt lateral movement using tools like PsExec or WinRM to access other test VMs.
- Test Metrics:
- Detection Rate: Percentage of simulated attack stages (initial access, C2, lateral movement, encryption) detected by SIEM rules and EDR.
- Time to Detect: Average time from attack initiation to the generation of a security alert.
- Prevention Success: Percentage of simulated attacks successfully blocked by mitigation controls (e.g., application control preventing execution, firewall blocking C2).
- System Impact: Measure of system performance degradation, resource utilization, or data corruption during simulated attacks.
- Recovery Time: Time taken to restore systems from backups after simulated encryption, assessing the effectiveness of the backup and restore process.
9. Geopolitical & Attribution Context
- Is there evidence of state-sponsored involvement? The article suggests potential overlaps with PhantomCore, which is assessed to operate with interests aligned with Ukraine, and has been active against Russian and Belarusian entities. This indicates a potential geopolitical motivation, but direct state sponsorship of Bearlyfy is not confirmed. The targeting of Russian organizations in the current geopolitical climate is a significant indicator.
- Targeted Sectors: Russian organizations.
- Attribution Confidence: Low to Medium. Bearlyfy is identified as a specific threat actor. The potential overlap with PhantomCore and the targeting of Russian entities suggest a geopolitical context, but direct attribution to a nation-state is not publicly confirmed. The article notes that Bearlyfy has also been associated with "Head Mare," a group with links to Russian intelligence services, creating a complex attribution landscape.
- Campaign Context: The activity described appears to be part of a broader cyber conflict landscape, potentially linked to the ongoing geopolitical tensions related to the Russian invasion of Ukraine. The development of custom tools like GenieLocker could be a response to increased defensive measures or a desire for greater operational autonomy in a high-stakes environment.
- If unknown: Attribution to a specific nation-state actor is currently unconfirmed. The group exhibits characteristics of both financially motivated cybercrime and potentially state-aligned operations due to its targeting and observed associations.
10. References & Sources
- The Hacker News: https://thehackernews.com/2026/03/bearlyfy-hits-70-russian-firms-with.html
- F6 (Russian security vendor) - Primary source of analysis for Bearlyfy's activities, as referenced in the article.
- Vice Society (DEV-0832, Vanilla Tempest) - Associated with PolyVice ransomware previously used by Bearlyfy.
- PhantomCore - Potential overlap/collaboration with Bearlyfy, assessed to align with Ukrainian interests.
- Head Mare - Reported collaborator with Bearlyfy, with potential links to Russian intelligence services.
