Anatomy of DDoSia: NoName057(16)'s DDoS Infrastructure and Targeting


Analysis cut-off date: July 17, 2025

Executive Summary

Insikt Group tracked pro-Russian hacktivists “NoName057(16)” targeting more than 3,700 unique hosts over the last thirteen months (July 1, 2024, to July 14, 2025). Targeted hosts were primarily government and public-sector entities in European nations opposing Russia’s invasion of Ukraine. NoName057(16) emerged in March 2022, just days after Russia’s full-scale invasion of Ukraine, and has since waged a sustained, large-scale distributed denial-of-service (DDoS) campaign through its volunteer-driven “DDoSia” platform. The threat group maintains a high operational tempo, averaging 50 unique targets daily, with intense bursts of activity correlating to geopolitical and military developments in Ukraine. In addition, leveraging Recorded Future Network Intelligence and additional methodologies, Insikt Group conducted a comprehensive technical analysis that revealed a multi-tiered infrastructure consisting of rapidly rotated Tier 1 command-and-control (C2) servers and Tier 2 servers protected by access control lists (ACLs) to restrict upstream access and maintain reliable C2 functionality. Finally, pattern-of-life analysis strongly indicates that NoName057(16) conducts its operations from within a Russian time zone.

In the short term, defenders should adopt security best practices by deploying layered DDoS protection, leveraging content delivery networks (CDNs), configuring web application firewalls (WAFs), enforcing network controls such as IP blocking and rate limiting, and establishing a tested incident response plan that includes business continuity, communication, and escalation procedures. These defensive strategies should be complemented by investments in situational awareness to anticipate emerging DDoS campaigns, monitor threat actor activity across forums and coordination channels, and track incidents affecting peer organizations and countries, which often serve as early indicators of broader targeting. Additionally, law enforcement is expected to continue playing a role in countering such activities, as demonstrated by Operation Eastwood between July 14 and 17, 2025, though the long-term effectiveness of such efforts remains uncertain.

Hacktivist-driven DDoS attacks, state-sponsored or state-encouraged pseudo-ransomware operations, disinformation campaigns, acts of physical sabotage, and other asymmetric operations have become a persistent feature of geopolitical conflict deliberately calibrated to remain below the threshold of conventional warfare. Organizations operating in these hybrid warzones — in this case, within NATO-aligned European countries — must prepare for this threat to be a long-term reality. Regardless of the specific geopolitical context, it is increasingly clear that states will both conduct such activities directly and co-opt non-state threat actors to advance their strategic agendas. Accordingly, maintaining close visibility into this evolving threat landscape and monitoring geopolitical tensions should be integral to any effective risk management strategy.

Key Findings

Background

NoName057(16)

NoName057(16) is a pro-Russian hacktivist group that emerged in March 2022, shortly after Russia's full-scale invasion of Ukraine. The threat group is known for conducting distributed denial-of-service (DDoS) attacks against Ukraine and its allies, particularly NATO members. The threat group's activities are not financially motivated but are driven by a political agenda rooted in Russian nationalism. NoName057(16) operates a volunteer-based model, recruiting participants via its Telegram channels, providing them with the necessary tools and infrastructure, and rewarding contributors with cryptocurrency.

The threat group's alignment with Russia's strategic interests is clear, and it functions as an unofficial cyber warfare asset for Russia. This connection is consistently reinforced through the threat group's public communications on Telegram, where it frames its attacks as direct retaliation for actions taken by Russia’s adversaries. For example, NoName057(16) justified attacks on Lithuanian infrastructure as "revenge for Kaliningrad" after the enforcement of EU sanctions, targeted Danish financial institutions for Denmark's support of Ukraine, and attacked Italian websites following "Russophobic" comments by the Italian president. This pattern highlights the threat group's role as digital partisans acting on Russia's geopolitical narrative, aiming to disrupt organizations it deems hostile.

The DDoSia Project

The threat group's primary weapon is a custom DDoS tool named "DDoSia", the successor to an earlier botnet called Bobik. The tool facilitates application-layer DDoS attacks by inundating target websites with a high volume of junk requests. The operational framework surrounding this tool is known as the "DDoSia Project", which encompasses the entire ecosystem of tools, infrastructure, and volunteers. The DDoSia client is a user-friendly, Go-based tool that communicates with a C2 server to obtain a list of targets. Volunteers run the tool on their devices, using a unique "User Hash" as an access key. This key is required to receive targets and contribute to attacks, a method likely intended to hinder analysis by security researchers. The tool is designed to be easy to use, allowing individuals with little to no technical expertise to participate in the threat group's operations.

In this report, “operators” refers to the threat actors responsible for developing the DDoSia Project and creating target lists for NoName057(16), while “volunteers” refers to the individuals who execute attacks using the DDoSia tool.

Operation Eastwood

Operation Eastwood, carried out between July 14, 2025, and July 17, 2025, involved international law enforcement actions against the NoName057(16) hacktivist group. These efforts included two arrests (one preliminary arrest in France and one in Spain), seven arrest warrants issued (six by Germany and one by Spain), and 24 house searches across the Czech Republic (Czechia), France, Germany, Italy, Poland, and Spain.

In response to Operation Eastwood, the official Telegram account of NoName057(16) dismissed the law enforcement operation, urging followers not to believe "all this nonsense of foreign special services" and reaffirmed its continued commitment to the information war in support of Russia.

Threat/Technical Analysis

DDoSia Communication

Insikt Group’s analysis of the DDoSia client noted a two-step process for obtaining the target list from the C2 server. The process begins with an initial client registration and authentication, after which the client fetches the encrypted target list. The entire DDoSia communication flow is illustrated in Figure 1.

Figure 1: DDoSia C2 communication flow (Source: Recorded Future)

Stage 1: Client Login and Registration

The DDoSia client initiates communication by sending an HTTP POST request to the C2 server’s /client/login endpoint. This request registers the client with the C2 server and validates its authenticity.

The request headers are designed to mimic legitimate browser traffic, using a randomly chosen legitimate User-Agent string. A key component of the request is the Cookie header, which carries two values, U and C (both redacted in Figure 2).

The body of the POST request contains a JSON payload with detailed system information of the client machine (see Figure 2). This information includes the SystemUserName, OS, KernelVersion, PlatformFamily, and CPUCores, among other details.

POST /client/login HTTP/1.1
Host: 38.180.143[.]83
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [LinkedInApp]/9.28.7586
Content-Length: 515
Accept: text/html,application/xhtml+xml,application/xml,
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Cookie: U=<REDACTED>; C=<REDACTED>

{"body":"<REDACTED>"}

Figure 2: Client login POST request (Source: Recorded Future)

This payload is encrypted using AES-GCM before being sent to the C2 server. The encryption key is dynamically generated using a combination of the User Hash and the Client ID. The decrypted value of the body field in Figure 2 can be seen in Figure 3.

{
    "key": "<REDACTED>",
    "user": "<REDACTED>",
    "client": "<REDACTED>",
    "inf": {
        "SystemUserName": "DESKTOP-QOG2741",
        "OS": "windows",
        "KernelVersion": "10.0.19041.2965 Build 19041.2965",
        "KernelArch": "x86_64",
        "PlatformFamily": "Standalone Workstation",
        "CPUCores": 8,
        "RegisterTime": "2025-07-10T14:22:18.134954+01:00",
        "TimeZone": "CEST"
    }
}

Figure 3: Decrypted client login payload (Source: Recorded Future)

Upon successful validation, the C2 server responds with a 200 OK status and a body containing a UNIX timestamp (as seen in Figure 4), which is not required in subsequent requests.

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 14 Jun 2024 15:18:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 19
Connection: keep-alive

1718378297196554765

Figure 4: C2 server response to login request (Source: Recorded Future)

Stage 2: Fetching Targets

After successfully registering, the client proceeds to the second stage: fetching the list of attack targets. It sends an HTTP GET request to the /client/get_targets endpoint.

The headers for this request are similar to the first, but the Cookie header is updated to include a third parameter K. This K value is a randomly generated, Base32-encoded 256-byte sequence.

GET /client/get_targets HTTP/1.1
Host: 38[.]180[.]143[.]83
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1
Accept: text/html,application/xhtml+xml,application/xml,
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Cookie: U=<REDACTED>; C=<REDACTED>; K=NUYZ6Z7M42<REDACTED>DMA6NLJ4YAM======

Figure 5: GET request for attack targets (Source: Recorded Future)

The C2 server responds with a JSON object containing the attack targets. The data value is encrypted using the same AES-GCM algorithm and key as in the login stage. The client decrypts this response to retrieve the plaintext JSON configuration, which contains the list of targets for the DDoS attack.

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 14 Jun 2024 15:18:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 549871
Connection: keep-alive

{"data":"aCeegN8A+CvFX11L17b8dZpk67zwVZtTMR8R0ZhDrn3rNpFTq55dyjJ2pw8etiyLlW3SIr8c3XVcmBpjzNXdHZYyqi8SVByLp4clIi+7gGT84…<REDACTED>.../rblN+dJq8037tw9y7HtnapY887JRLFP0ao83w1YYed3jvjwFWWCu0vMvTjjKzuxXPDFb8KXWUMJw=="}

Figure 6: Encrypted C2 response with target list (Source: Recorded Future)
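As an added illustration (not code from the report or from the DDoSia project), the following Python script parses raw HTTP requests shaped like Figures 2 and 5 and flags the two-stage beaconing pattern described above: a POST to /client/login carrying U and C cookies, followed by a GET to /client/get_targets carrying a K cookie. It also checks the report's statement that K is a Base32 encoding of 256 bytes, which implies a 416-character value ending in six padding characters, consistent with the "======" visible in Figure 5, and it notes the unusual combination of a JSON Content-Type on a bodyless GET. The sample requests, host name, User-Agent and cookie values are constructed placeholders.

```python
"""Flag DDoSia-style two-stage C2 beaconing in raw HTTP requests.

Added example: the request samples below are constructed to match the shape of
Figures 2 and 5 in the report; host names and cookie values are placeholders.
"""
import base64
import binascii

LOGIN_PATH = "/client/login"
TARGETS_PATH = "/client/get_targets"
K_RAW_LEN = 256  # the report describes K as a Base32-encoded 256-byte value


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, lower-cased headers and body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body.strip()}


def parse_cookies(cookie_header: str) -> dict:
    """Turn 'U=a; C=b; K=c' into {'U': 'a', 'C': 'b', 'K': 'c'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def k_cookie_is_256_bytes(k: str) -> bool:
    """True if K is valid Base32 that decodes to exactly 256 bytes."""
    try:
        return len(base64.b32decode(k)) == K_RAW_LEN
    except (binascii.Error, ValueError):
        return False


def classify(req: dict) -> list:
    """Return the DDoSia indicators matched by one parsed request."""
    findings = []
    headers = req["headers"]
    cookies = parse_cookies(headers.get("cookie", ""))
    if req["method"] == "POST" and req["path"] == LOGIN_PATH and {"U", "C"}.issubset(cookies):
        findings.append("ddosia_stage1_login")
    if req["method"] == "GET" and req["path"] == TARGETS_PATH and "K" in cookies:
        findings.append("ddosia_stage2_get_targets")
        if k_cookie_is_256_bytes(cookies["K"]):
            findings.append("k_cookie_decodes_to_256_bytes")
    # A GET with a JSON Content-Type but no body is unusual for a real browser (Figure 5).
    if (req["method"] == "GET"
            and headers.get("content-type", "").startswith("application/json")
            and not req["body"]):
        findings.append("json_content_type_on_bodyless_get")
    return findings


# Constructed K: 256 bytes, Base32-encoded -> 416 characters ending in "======".
K_SAMPLE = base64.b32encode(bytes(range(256))).decode()

STAGE1_REQUEST = "\n".join([
    "POST /client/login HTTP/1.1",
    "Host: c2.example.invalid",
    "User-Agent: Mozilla/5.0 (constructed)",
    "Content-Type: application/json",
    "Cookie: U=USERHASH_PLACEHOLDER; C=CLIENTID_PLACEHOLDER",
    "",
    '{"body":"ENCRYPTED_PLACEHOLDER"}',
])

STAGE2_REQUEST = "\n".join([
    "GET /client/get_targets HTTP/1.1",
    "Host: c2.example.invalid",
    "User-Agent: Mozilla/5.0 (constructed)",
    "Content-Type: application/json",
    "Cookie: U=USERHASH_PLACEHOLDER; C=CLIENTID_PLACEHOLDER; K=" + K_SAMPLE,
])

BENIGN_REQUEST = "\n".join([
    "GET /index.html HTTP/1.1",
    "Host: www.example.invalid",
    "User-Agent: Mozilla/5.0 (constructed)",
    "Cookie: session=abc123",
])


if __name__ == "__main__":
    for raw in (STAGE1_REQUEST, STAGE2_REQUEST, BENIGN_REQUEST):
        req = parse_request(raw)
        print(req["method"], req["path"], classify(req))
```

The path and cookie names are the strongest signals and are cheap to match in a proxy or WAF log; the K-length check and the JSON-on-GET anomaly are secondary confirmations that reduce false positives from unrelated applications that happen to use a /client/login route.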

The decrypted plaintext is a JSON object containing two primary keys: targets and randoms. The targets key holds an array of objects, each defining a specific attack destination. Every target object includes details such as a target_id, host, port, and the attack type (for example, http2). The randoms key contains an array of objects that define parameters for generating random data to append to requests. This is likely a technique to add variability to the attack traffic, helping to bypass simple filtering mechanisms and caching. For example, one object specifies generating an 11-digit numerical string, which could be used as a random parameter in a URL (see Figure 7).

{
    "targets": [
        {
            "target_id": "64865791f747b0b90020d960",
            "request_id": "64865791f747b0b90020d961",
            "host": "<REDACTED>",
            "ip": "<REDACTED>",
            "type": "http2",
            "method": "GET",
            "port": 443,
            "use_ssl": true,
            "path": "",
            "body": {
                "type": "str",
                "value": ""
            },
            "headers": null
        },
        ...
    ],
    "randoms": [
        {
            "name": "\u0422\u0435\u043b\u0435\u0444\u043e\u043d",
            "id": "62d8286fddcbb37b0c77c87f",
            "digit": true,
            "upper": false,
            "lower": false,
            "min": 11,
            "max": 11
        },
        ...
    ]
}

Figure 7: Decrypted JSON object containing attack targets (Source: Recorded Future)
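As an added example that is not part of the report or of the DDoSia project, the following Python turns a decrypted configuration in the layout of Figure 7 into artefacts a defender can act on: the URLs and host/port pairs being targeted (for notifying asset owners), the mix of attack types, and a regular expression for each randoms entry so a WAF rule or log query can spot the random cache-busting parameters the report describes. The configuration below is constructed with placeholder hosts, addresses and identifiers (only the randoms id is taken from Figure 7); the mapping of the digit, upper and lower flags to character classes, and of min/max to a length range, is an assumption about how the client consumes these fields.

```python
"""Summarise a decrypted DDoSia target configuration (Figure 7 layout) for defenders.

Added example. SAMPLE_CONFIG is constructed: hosts, addresses and identifiers are
placeholders in the shape of the report's Figure 7, not real targets.
"""
import json
import re
from collections import Counter

SAMPLE_CONFIG = json.dumps({
    "targets": [
        {"target_id": "000000000000000000000001", "request_id": "000000000000000000000002",
         "host": "portal.example.invalid", "ip": "192.0.2.10", "type": "http2", "method": "GET",
         "port": 443, "use_ssl": True, "path": "", "body": {"type": "str", "value": ""},
         "headers": None},
        {"target_id": "000000000000000000000003", "request_id": "000000000000000000000004",
         "host": "portal.example.invalid", "ip": "192.0.2.10", "type": "http", "method": "POST",
         "port": 80, "use_ssl": False, "path": "/search", "body": {"type": "str", "value": "q=x"},
         "headers": None},
    ],
    "randoms": [
        # Name is Cyrillic "Телефон" (telephone), as in Figure 7: an 11-digit numeric string.
        {"name": "\u0422\u0435\u043b\u0435\u0444\u043e\u043d", "id": "62d8286fddcbb37b0c77c87f",
         "digit": True, "upper": False, "lower": False, "min": 11, "max": 11},
        # Second entry is constructed to exercise a mixed character set and a length range.
        {"name": "token", "id": "000000000000000000000005",
         "digit": True, "upper": True, "lower": True, "min": 8, "max": 16},
    ],
})


def load_config(text: str) -> dict:
    """Parse the decrypted JSON and check for the two top-level keys the report describes."""
    cfg = json.loads(text)
    for key in ("targets", "randoms"):
        if not isinstance(cfg.get(key), list):
            raise ValueError(f"missing or malformed '{key}' array")
    return cfg


def target_url(target: dict) -> str:
    """Rebuild the URL a target entry points at, omitting default ports."""
    scheme = "https" if target.get("use_ssl") else "http"
    port = target.get("port")
    default = 443 if scheme == "https" else 80
    netloc = target["host"] if port in (None, default) else f"{target['host']}:{port}"
    return f"{scheme}://{netloc}{target.get('path') or '/'}"


def targeted_assets(cfg: dict) -> dict:
    """Map each host to the sorted list of ports named in the target list."""
    assets = {}
    for t in cfg["targets"]:
        assets.setdefault(t["host"], set()).add(t["port"])
    return {host: sorted(ports) for host, ports in assets.items()}


def attack_mix(cfg: dict) -> dict:
    """Count targets per attack type (e.g. http2) so defenders know which layer is hit."""
    return dict(Counter(t["type"] for t in cfg["targets"]))


def random_spec_to_regex(spec: dict) -> str:
    """Translate a randoms entry into a regex for WAF or log matching.

    Assumption: digit/upper/lower select the character classes, min/max the length.
    """
    classes = ""
    if spec.get("digit"):
        classes += "0-9"
    if spec.get("upper"):
        classes += "A-Z"
    if spec.get("lower"):
        classes += "a-z"
    lo, hi = spec["min"], spec["max"]
    if not classes or lo < 0 or hi < lo:
        raise ValueError(f"unusable randoms entry: {spec.get('id')}")
    length = f"{{{lo}}}" if lo == hi else f"{{{lo},{hi}}}"
    return f"[{classes}]{length}"


def matches_random(spec: dict, value: str) -> bool:
    """True if a query-parameter value fully matches the pattern a randoms entry generates."""
    return re.fullmatch(random_spec_to_regex(spec), value) is not None


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("urls:", [target_url(t) for t in cfg["targets"]])
    print("assets:", targeted_assets(cfg))
    print("mix:", attack_mix(cfg))
    for spec in cfg["randoms"]:
        print(spec["name"], "->", random_spec_to_regex(spec),
              "matches 12345678901:", matches_random(spec, "12345678901"))
```

The regex for the Figure 7 entry comes out as `[0-9]{11}`; on its own an 11-digit query value is too common to block, so in practice it is combined with a rate threshold per source and with the absence of a Referer or other browser context.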

To read the entire analysis, click here to download the report as a PDF.