Campaign Overview
Bearlyfy, which some security vendors also track as "Labubu," runs a dual-purpose operation that combines financial extortion with destructive sabotage. Its latest campaigns use a custom ransomware strain dubbed "GenieLocker," first observed in late February 2026.
GenieLocker uses the hybrid scheme now standard in modern ransomware: ChaCha20 for the file contents, with the ChaCha20 keys wrapped under RSA-4096 so that decryption depends on a private key only the operators hold. The samples also carry anti-analysis and evasion features, including VM detection, debugger checks, and process hollowing.
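The following is an added example, not code from this report or from the GenieLocker samples, that shows the hybrid pattern just described in pure Python: a fresh ChaCha20 key and nonce per file, the content encrypted with ChaCha20 (RFC 8439, implemented inline so the script runs offline), and the file key wrapped with RSA so that only the holder of the private key can unwrap it. Everything beyond the two algorithm names is an assumption made for the example: the per-file key, the record layout, the function names, and the 1024-bit textbook RSA (no padding) used here in place of the padded RSA-4096 a real tool would use.

```python
"""Hybrid file encryption of the kind described for GenieLocker, as a
self-contained illustration: a fresh ChaCha20 key per file, wrapped to the
operators' RSA public key. Pure Python so it runs offline: ChaCha20 follows
RFC 8439; RSA is the textbook primitive with no padding and a short key,
where a real tool would use RSA-OAEP with the reported 4096-bit key."""
import math
import secrets
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _qr(s, a, b, c, d):
    """ChaCha quarter round, in place on the 16-word state (RFC 8439, 2.1)."""
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """64-byte keystream block from a 32-byte key, 32-bit counter, 12-byte nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key
                               + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):                       # 20 rounds as 10 double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (the same operation): XOR data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def _probable_prime(n, rounds=32):
    """Miller-Rabin: adequate for a demo, not a vetted key generator."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2; r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, exact bit length
        if _probable_prime(c):
            return c


def rsa_keygen(bits=1024):
    """Textbook RSA key pair: public (n, e), private (n, d)."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def lock_file(plaintext, operator_pub):
    """Encryptor side: fresh 256-bit key and 96-bit nonce per file, content
    under ChaCha20, key wrapped with the operators' public key. The plain key
    lives only in this frame, so nothing left on disk can reverse the step."""
    n, e = operator_pub
    file_key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    return {"nonce": nonce,
            "wrapped_key": pow(int.from_bytes(file_key, "big"), e, n),
            "body": chacha20_xor(file_key, nonce, plaintext)}


def unlock_file(record, operator_priv):
    """Decryptor side (what a victim pays for): unwrap with d, then XOR again."""
    n, d = operator_priv
    file_key = pow(record["wrapped_key"], d, n).to_bytes(32, "big")
    return chacha20_xor(file_key, record["nonce"], record["body"])


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    sample = b"constructed sample document\n" * 40      # stand-in for a victim file
    locked = lock_file(sample, pub)
    print("round trip ok:", unlock_file(locked, priv) == sample)
```

The defensive consequence of this design is the point of the example: once the encryptor has wrapped and discarded a file key, nothing on the victim host can reverse the encryption, and the only in-host recovery opportunity is capturing keys from the process memory while encryption is still running. Restoration therefore rests on backups, which is why the recommendations below put so much weight on them.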
Initial Access Vectors
Bearlyfy operators have demonstrated proficiency with multiple initial access techniques:
- Spearphishing — Weaponized documents abusing CVE-2024-38213, a Windows Mark of the Web (SmartScreen) security feature bypass
- Exposed RDP — Brute-force attacks against internet-facing Remote Desktop services
- Supply Chain — Trojanized updates via compromised Russian software vendors
Post-compromise, the group establishes persistence using scheduled tasks and WMI event subscriptions before deploying Cobalt Strike beacons for lateral movement.
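As an added example (not the report's own code or any Bearlyfy tooling), the following Python triage script runs the detection logic a SOC would want for two stages of the chain above, RDP brute force followed by scheduled-task and WMI persistence, over a handful of constructed Windows Security and Sysmon events. The event IDs are the real ones (4625 failed logon and 4624 successful logon with logon type 10 for RDP; 4698 scheduled task created; Sysmon 19, 20 and 21 for WMI filter, consumer and binding); the flattened field names, thresholds, sample values and addresses are assumptions made for the example, and none of the events is real telemetry.

```python
"""Triage logic over constructed Windows Security and Sysmon events for two
stages of the chain: RDP brute force (bursts of 4625 from one source followed
by a 4624 with logon type 10) and persistence via scheduled tasks (4698) and
WMI event subscriptions (Sysmon 19 filter, 20 consumer, 21 binding). Events
are simplified dicts carrying only the EventData fields the logic needs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ATTACKER, BENIGN = "203.0.113.7", "198.51.100.9"   # RFC 5737 documentation ranges
_START = datetime(2026, 3, 2, 2, 14, 0)


def _ts(seconds):
    return (_START + timedelta(seconds=seconds)).isoformat()


# Constructed sample telemetry, not real logs: twelve RDP failures in four
# minutes from ATTACKER, one stray failure from BENIGN, a success from ATTACKER,
# then a scheduled task and a WMI subscription created on the host.
EVENTS = [
    {"ts": _ts(20 * i), "id": 4625, "LogonType": 10, "IpAddress": ATTACKER,
     "TargetUserName": user}
    for i, user in enumerate(["administrator", "admin", "backup", "svc_sql"] * 3)
] + [
    {"ts": _ts(100), "id": 4625, "LogonType": 10, "IpAddress": BENIGN,
     "TargetUserName": "jdoe"},
    {"ts": _ts(260), "id": 4624, "LogonType": 10, "IpAddress": ATTACKER,
     "TargetUserName": "backup"},
    {"ts": _ts(400), "id": 4698, "TaskName": "\\Microsoft\\Windows\\WinUpdChk",
     "Command": "C:\\Users\\Public\\Libraries\\svchost.exe"},
    {"ts": _ts(410), "id": 19, "Name": "SysClean", "Query":
     "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"ts": _ts(411), "id": 20, "Name": "SysCleanC", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -enc <payload>"},
    {"ts": _ts(412), "id": 21, "Filter": "SysClean", "Consumer": "SysCleanC"},
]


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=10)):
    """Map source IP -> {failures, success_after} for sources with at least
    `threshold` type-10 failures inside a sliding `window`; success_after is
    set when the same source later logs on successfully over RDP."""
    recent, flagged = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("LogonType") != 10:          # only RemoteInteractive (RDP) logons
            continue
        ip, t = ev["IpAddress"], datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4625:
            q = recent[ip]
            q.append(t)
            while t - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(ip, {"failures": 0, "success_after": False})
                hit["failures"] = max(hit["failures"], len(q))
        elif ev["id"] == 4624 and ip in flagged:
            flagged[ip]["success_after"] = True   # a spray that landed: top priority
    return flagged


USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def detect_persistence(events):
    """Return findings for scheduled tasks launching from user-writable paths
    or with encoded commands, and for every completed WMI subscription."""
    findings, filters, consumers = [], {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4698:
            cmd = ev["Command"].lower()
            if any(p in cmd for p in USER_WRITABLE) or "-enc" in cmd:
                findings.append({"kind": "scheduled_task", "name": ev["TaskName"],
                                 "command": ev["Command"]})
        elif ev["id"] == 19:
            filters[ev["Name"]] = ev["Query"]
        elif ev["id"] == 20:
            consumers[ev["Name"]] = ev["Destination"]
        elif ev["id"] == 21:
            # The binding is what arms the subscription; new bindings are rare
            # on a normal host, so each one is reported with its filter and consumer.
            findings.append({"kind": "wmi_subscription", "name": ev["Filter"],
                             "query": filters.get(ev["Filter"], "<filter not seen>"),
                             "command": consumers.get(ev["Consumer"], "<consumer not seen>")})
    return findings


if __name__ == "__main__":
    print(detect_rdp_bruteforce(EVENTS))
    for finding in detect_persistence(EVENTS):
        print(finding)
```

The WMI check deliberately reports every new filter-to-consumer binding rather than pattern-matching the consumer's command line: bindings are created rarely on a typical host, so one that does not belong to a known management product is worth a ticket on its own, and the consumer is attached for context. The task check keys on where the binary lives; adjust USER_WRITABLE to your own build, and feed both functions from your SIEM's normalized fields rather than the flattened keys used here.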
Victim Profile
Analysis reveals a focus on mid-sized Russian enterprises, particularly in manufacturing, logistics, and financial services. Ransom demands have escalated from ~€30,000 in early operations to over €80,000 in recent campaigns.
Attribution
While definitive attribution remains challenging, multiple indicators suggest Ukrainian origins: operational timing aligned with Ukrainian business hours, Ukrainian-language strings in early samples, and explicit pro-Ukrainian messaging in ransom notes.
Defensive Recommendations
- Implement application allowlisting to prevent unauthorized executables
- Remove RDP from the internet; require VPN with multi-factor authentication for remote administration and enforce account lockout to blunt password brute-forcing
- Deploy EDR with ransomware-specific behavioral detection
- Maintain offline or immutable backups and test restoration regularly; with the key wrapping described above, backups are the only reliable recovery path