Introduction
Bearlyfy has been attributed to over 70 cyber attacks targeting Russian companies since its emergence in January 2025, employing a custom Windows ransomware strain known as GenieLocker. The group operates with dual objectives of extortion and sabotage, utilizing a modified version of PolyVice and leveraging vulnerabilities in external services and applications for initial access. Analysis reveals overlaps with PhantomCore, indicating a pro-Ukrainian interest, while Bearlyfyβs attacks are characterized by minimal preparation and a focus on immediate impact through data encryption and destruction. Approximately 20% of victims reportedly pay the ransom, with demands escalating to hundreds of thousands of dollars.
Activities and Tactics
Country of Origin: πΊπ¦ Ukraine
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CyberGate
- Cyber Eye RAT
- Windows Remote Desktop
- Minimo
Attribution and Evidence
Country of Origin: Ukraine Additional attribution information pending cataloguing.
References
References pending cataloguing.