GenieLocker
GenieLocker is a proprietary/custom-built Windows ransomware family used by the pro-Ukrainian threat group Bearlyfy, also known as Labubu, since early March 2026. It targets Windows endpoints and is assessed by F6 to have been developed by Bearlyfy itself. The malware’s encryption scheme and techniques are described as inspired by or borrowing from the Venus and Trinity ransomware families, and F6 also assessed that it includes anti-analysis techniques. In GenieLocker-related intrusions, ransom notes are automatically generated by the locker, although Bearlyfy has also been observed providing payment instructions through separate contact details or psychologically coercive messages. Within Bearlyfy operations, initial access has been obtained by exploiting external services and vulnerable applications, with MeshAgent used for remote access to support encryption, destruction, or modification of victim data. GenieLocker has been deployed in campaigns against Russian companies as part of Bearlyfy’s dual-use model of ransomware extortion and sabotage, with victims including Russian businesses and larger enterprises.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The most noteworthy shift in the threat actor's modus operandi is the use of a proprietary ransomware family called GenieLocker to target Windows endpoints since the start of March 2026.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 techniqueThe group has recently begun deploying its own malware, marking a new stage in its operations. Since early March, Bearlyfy has used a custom-built Windows ransomware strain known as GenieLocker, which researchers believe was developed by the group itself.
Impact
1 techniqueThe group’s primary goals are both financial and political. They appear to be causing “maximum damage” to Russian companies while also generating revenue through ransomware payments. | Bearlyfy has carried out more than 70 cyberattacks against Russian companies over the past year and is now escalating its campaign with newly developed ransomware tools... Since early March, Bearlyfy has used a custom-built Windows ransomware strain known as GenieLocker... Earlier Bearlyfy attacks relied heavily on existing ransomware tools... LockBit 3 Black... On Linux systems, the group deployed a modified version of the Babuk ransomware.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A custom Windows ransomware strain used by Bearlyfy to encrypt data on victim endpoints. Its encryption scheme is inspired by Venus/Trinity ransomware families, and ransom notes are not automatically generated by the locker.
A custom-built Windows ransomware strain used by Bearlyfy in its more recent operations against Russian companies.
Custom Windows ransomware used by Bearlyfy starting in March 2026. Its cryptographic scheme and approaches are described as clearly borrowed from the Venus/Trinity ransomware families.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.