Bearlyfy's Strategic Emergence in the Cybersecurity Sphere
Bearlyfy, a pro-Ukrainian hacking collective, surfaced in January 2025 with a wave of cyber attacks against Russian companies. The group's operations combine two aims: financial extortion and deliberate sabotage. According to Russian cybersecurity vendor F6, Bearlyfy uses a mix of custom ransomware strains and borrowed encryptors such as LockBit 3.0 Black and Babuk to maximize the impact of its intrusions. It initially went after smaller targets and then rapidly raised its demands, showing a clear intent to disrupt Russian business interests.
By August 2025, Bearlyfy had accrued at least 30 victims, showing its growing operational scale. Its move from rudimentary techniques to more sophisticated attacks within a few months signals growing competence. Ransom demands have reportedly reached hundreds of thousands of dollars, amplifying the threat both monetarily and operationally.
The Toolset Evolution: From PolyVice to GenieLocker
Bearlyfy's arsenal expanded over time, starting with modified versions of existing ransomware families such as PolyVice. That locker is tied to the Vice Society group, which had relied on third-party lockers such as HelloKitty and Zeppelin before developing its own. Adopting PolyVice was a tactical upgrade that streamlined the group's destructive activities against Russian enterprises.
In March 2026, Bearlyfy introduced GenieLocker, a proprietary Windows ransomware strain whose encryption scheme is inspired by the Venus and Trinity families. The shift to proprietary tooling suggests a notable investment in custom malware development. Unlike most ransomware, GenieLocker does not drop an automatically generated ransom note; the operators write each note by hand, a strategy aimed at exerting psychological pressure on victims to pay.
Comparative Analysis: Bearlyfy vs. PhantomCore
While Bearlyfy favors rapid attacks with minimal preparation, PhantomCore operates with an advanced persistent threat (APT) methodology. PhantomCore's campaigns prioritize reconnaissance, persistence, and data exfiltration, and have targeted both Russian and Belarusian companies since 2022. Bearlyfy, by contrast, opts for quick, high-impact strikes designed to disrupt rather than to infiltrate deeply.
Interestingly, F6's analysis has revealed overlaps in the toolsets and infrastructure of the two groups, suggesting possible collaboration or shared resources. Further complicating attribution is Bearlyfy's alliance with another group known as Head Mare, which may point to a broader network of pro-Ukrainian cyber actors working in concert.
Initial Access and Attack Execution
Bearlyfy's attacks begin with the exploitation of vulnerable externally facing services and applications. Once inside, the operators deploy remote-management tools such as MeshAgent to control compromised hosts, and from there encrypt and modify data. This streamlined execution aligns with the group's overarching goal of inflicting maximum damage in minimal time.
Unlike PhantomCore's meticulous APT-style campaigns, Bearlyfy's modus operandi is marked by speed and simplicity. That its ransomware does not generate ransom notes automatically further underscores this hands-on approach: the attackers craft tailored messages to pressure victims into compliance.
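Because MeshAgent is a legitimate open-source remote-management agent, the practical defensive question is not "is MeshAgent present" but "is it present where, and pointed where, we approved". The following is an added hunting example, not code from F6's report or from Bearlyfy's tooling. It assumes process-creation telemetry in a constructed, Sysmon-like JSON-lines shape (host, image, command_line), uses the open-source MeshCentral agent's defaults as indicators (image name MeshAgent.exe, Windows service name "Mesh Agent", the -fullinstall installer flag), and treats APPROVED_HOSTS and APPROVED_SERVER as placeholders for an organization's own allowlist.

```python
"""Hunt for MeshAgent deployments outside an approved allowlist.

Added example (not part of the original report). The telemetry format below is
constructed; the MeshAgent indicators are the defaults of the open-source
MeshCentral agent, and the allowlist values are placeholders.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: hosts where IT legitimately runs MeshAgent, and the MeshCentral
# server it is allowed to talk to. Everything else is reported.
APPROVED_HOSTS = {"helpdesk-01"}
APPROVED_SERVER = "mesh.corp.example"

# Default artefacts of the open-source agent (assumed, see lead-in).
IMAGE_RE = re.compile(r"(^|[\\/])meshagent(\.exe)?$", re.IGNORECASE)
SC_RE = re.compile(r"(^|[\\/])sc\.exe$", re.IGNORECASE)
SERVICE_RE = re.compile(r"\bMesh Agent\b", re.IGNORECASE)
INSTALL_FLAGS = ("-fullinstall", "-install", "-connect")
URL_RE = re.compile(r"wss?://([^/\s\"']+)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    reason: str
    command_line: str


def inspect_event(event: dict) -> Optional[Finding]:
    """Return a Finding when a process-creation event shows MeshAgent being
    installed or run outside the approved deployment; otherwise None."""
    host = event.get("host", "")
    image = event.get("image", "")
    cmd = event.get("command_line", "")

    # Service registration through sc.exe is a common way a hands-on operator
    # persists a dropped agent; flag it regardless of host.
    if SC_RE.search(image) and SERVICE_RE.search(cmd):
        return Finding(host, "service 'Mesh Agent' created via sc.exe", cmd)

    if not IMAGE_RE.search(image):
        return None

    # The agent binary itself: check which server it is told to reach, if a
    # URL is visible on the command line, then whether this host is approved.
    m = URL_RE.search(cmd)
    if m and m.group(1).split(":")[0].lower() != APPROVED_SERVER:
        return Finding(host, f"MeshAgent pointed at unapproved server {m.group(1)}", cmd)

    if host not in APPROVED_HOSTS:
        flags = [f for f in INSTALL_FLAGS if f in cmd.lower()]
        what = f"MeshAgent install ({' '.join(flags)})" if flags else "MeshAgent execution"
        return Finding(host, f"{what} on non-approved host", cmd)

    return None


def hunt(jsonl: str) -> list:
    """Run inspect_event over JSON-lines telemetry and collect findings."""
    return [f for line in jsonl.splitlines() if line.strip()
            if (f := inspect_event(json.loads(line))) is not None]


# Constructed sample telemetry (not real logs). Raw string so that the JSON
# backslash escapes survive into json.loads.
SAMPLE = r"""
{"host": "helpdesk-01", "image": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", "command_line": "MeshAgent.exe -fullinstall wss://mesh.corp.example/agent.ashx"}
{"host": "fin-ws-07", "image": "C:\\Users\\Public\\MeshAgent.exe", "command_line": "MeshAgent.exe -fullinstall"}
{"host": "helpdesk-01", "image": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", "command_line": "MeshAgent.exe -connect wss://203.0.113.10:443/agent.ashx"}
{"host": "fin-ws-07", "image": "C:\\Windows\\System32\\sc.exe", "command_line": "sc.exe create \"Mesh Agent\" binPath= \"C:\\Users\\Public\\MeshAgent.exe\""}
{"host": "fin-ws-07", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"}
"""


def run_sample() -> list:
    """Findings for the constructed sample: the unapproved install on
    fin-ws-07, the approved host talking to a foreign server, and the sc.exe
    service creation. The approved install and notepad are not reported."""
    return hunt(SAMPLE)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.host}: {finding.reason}\n    {finding.command_line}")
```

The checks are deliberately name-based, so an operator who renames the binary or registers the service under another name slips past them; in practice pair this with network telemetry for outbound WebSocket connections to unknown hosts and with an inventory of which remote-management tools are sanctioned at all. A high-speed operator of the kind described above leaves little dwell time, so the value of such a rule is in catching the install step, not in later forensics.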
Financial Impact and Operational Implications
Bearlyfy's activities have proven lucrative, with roughly one in five victims opting to pay the ransom. The group's demands have escalated significantly, reflecting growing confidence in its ability to compel payment. This illicit revenue funds its operations and enables further investment in more sophisticated tools and techniques.
The introduction of GenieLocker is a clear sign of Bearlyfy's intent to refine its capabilities. As the group continues to evolve, its operations are likely to pose increasingly complex challenges for the security teams tasked with mitigating their impact.