National Cyber Warfare Foundation (NCWF)

Inside DDoSia: NoName057(16)'s Pro-Russian DDoS Campaign Infrastructure


2025-08-14 17:32:11
milo
Attacks
Discover how NoName057(16) targeted 3,700+ hosts across Europe using its DDoSia platform. This in-depth report reveals multi-tiered C2 infrastructure, attack patterns, and strategic geopolitical motivations behind the hacktivist-led campaign.




Analysis cut-off date: July 17, 2025


Executive Summary


Insikt Group tracked pro-Russian hacktivists “NoName057(16)” targeting more than 3,700 unique hosts over the last thirteen months (July 1, 2024, to July 14, 2025). Targeted hosts were primarily government and public-sector entities in European nations opposing Russia’s invasion of Ukraine. NoName057(16) emerged in March 2022, just days after Russia’s full-scale invasion of Ukraine, and has since waged a sustained, large-scale distributed denial-of-service (DDoS) campaign through its volunteer-driven “DDoSia” platform. The threat group maintains a high operational tempo, averaging 50 unique targets daily, with intense bursts of activity correlating to geopolitical and military developments in Ukraine. In addition, leveraging Recorded Future Network Intelligence and additional methodologies, Insikt Group conducted a comprehensive technical analysis that revealed a multi-tiered infrastructure consisting of rapidly rotated Tier 1 command-and-control (C2) servers and Tier 2 servers protected by access control lists (ACLs) to restrict upstream access and maintain reliable C2 functionality. Finally, pattern-of-life analysis strongly indicates that NoName057(16) conducts its operations from within a Russian time zone.


In the short term, defenders should adopt security best practices by deploying layered DDoS protection, leveraging content delivery networks (CDNs), configuring web application firewalls (WAFs), enforcing network controls such as IP blocking and rate limiting, and establishing a tested incident response plan that includes business continuity, communication, and escalation procedures. These defensive strategies should be complemented by investments in situational awareness to anticipate emerging DDoS campaigns, monitor threat actor activity across forums and coordination channels, and track incidents affecting peer organizations and countries, which often serve as early indicators of broader targeting. Additionally, law enforcement is expected to continue playing a role in countering such activities, as demonstrated by Operation Eastwood between July 14 and 17, 2025, though the long-term effectiveness of such efforts remains uncertain.


Hacktivist-driven DDoS attacks, state-sponsored or state-encouraged pseudo-ransomware operations, disinformation campaigns, acts of physical sabotage, and other asymmetric operations have become a persistent feature of geopolitical conflict deliberately calibrated to remain below the threshold of conventional warfare. Organizations operating in these hybrid warzones — in this case, within NATO-aligned European countries — must prepare for this threat to be a long-term reality. Regardless of the specific geopolitical context, it is increasingly clear that states will both conduct such activities directly and co-opt non-state threat actors to advance their strategic agendas. Accordingly, maintaining close visibility into this evolving threat landscape and monitoring geopolitical tensions should be integral to any effective risk management strategy.


Key Findings



  • NoName057(16) has implemented a multi-tiered infrastructure in which Tier 1 C2 servers are rapidly refreshed, with an average lifespan of nine days. The Tier 2 servers behind them are protected by ACLs that permit inbound connections only from the Tier 1 C2 servers, restricting access to the upstream tier.

  • From June 2024 to July 2025, NoName057(16) sustained a high and steady operational tempo, launching attacks against an average of 50 unique hosts per day, with activity peaking at 91 in a single day. Over the course of the analysis period, a total of 3,776 distinct hosts were targeted.

  • The attacks demonstrated clear geographic concentration, with Ukrainian organizations comprising the largest share of targets (29.47%), followed by allied countries including France (6.09%), Italy (5.39%), and Sweden (5.29%). Notably, the US has not been a primary target of DDoSia, despite its support for Ukraine.

  • By sector, the government and public sectors were the most heavily targeted, accounting for 41.09% of all observed attacks. This was followed by the transportation and logistics sectors at 12.44% and the technology, media, and communications sectors at 10.19%.

  • NoName057(16)'s operators likely adhere to a standard Russian work schedule: new targets are consistently added in two distinct waves on weekdays, peaking between 05:00 and 07:00 UTC and again around 11:00 UTC. In Moscow time (UTC+3, no daylight saving) those windows are 08:00 to 10:00 and roughly 14:00, consistent with the start of the working day and the early afternoon.
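
The two infrastructure findings above (Tier 1 lifespan and the daily publication waves) come out of the same kind of analysis: timestamped observations of which C2 host published targets, and when. The following Python is an added illustration of that pattern-of-life method and is not code from the Recorded Future report or from DDoSia. The sightings, the hostnames (c2-a.example, c2-b.example) and the dates are constructed; the only real-world input is that Moscow Standard Time is UTC+3 with no daylight saving.

```python
"""Added example (not from the Recorded Future report or DDoSia): pattern-of-life
analysis over a constructed timeline of Tier 1 C2 sightings.

Each sighting is (UTC timestamp of a target-list publication, Tier 1 C2 host).
From such a timeline an analyst can derive how long each Tier 1 host lives
before rotation and at which local hour the operators publish new targets."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean

UTC = timezone.utc
MSK = timezone(timedelta(hours=3))  # Moscow Standard Time: UTC+3, no DST

# Constructed sightings. Hostnames are placeholders, not real infrastructure.
# June 2, 2025 is a Monday; June 14 is a Saturday.
SIGHTINGS = [
    ("2025-06-02T05:12:00Z", "c2-a.example"),  # Mon
    ("2025-06-02T11:05:00Z", "c2-a.example"),
    ("2025-06-03T06:40:00Z", "c2-a.example"),  # Tue
    ("2025-06-04T05:30:00Z", "c2-a.example"),  # Wed
    ("2025-06-05T11:20:00Z", "c2-a.example"),  # Thu
    ("2025-06-09T05:55:00Z", "c2-a.example"),  # Mon
    ("2025-06-10T06:10:00Z", "c2-b.example"),  # Tue, rotation to a new Tier 1 host
    ("2025-06-11T11:45:00Z", "c2-b.example"),  # Wed
    ("2025-06-14T13:00:00Z", "c2-b.example"),  # Sat, dropped from the weekday profile
    ("2025-06-16T05:20:00Z", "c2-b.example"),  # Mon
    ("2025-06-20T11:15:00Z", "c2-b.example"),  # Fri
]


def parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def tier1_lifespans(sightings):
    """Whole days between the first and last observation of each Tier 1 host.
    Rapid rotation shows up as short spans (the report's average was nine days)."""
    first, last = {}, {}
    for ts, host in sightings:
        t = parse(ts)
        first[host] = min(first.get(host, t), t)
        last[host] = max(last.get(host, t), t)
    return {host: (last[host] - first[host]).days for host in first}


def mean_lifespan(sightings) -> float:
    """Average Tier 1 lifespan in days across all observed hosts."""
    return mean(tier1_lifespans(sightings).values())


def hourly_profile(sightings, tz=MSK, weekdays_only=True) -> Counter:
    """Count target-list publications per local hour of day.
    Converting into a candidate operator time zone makes an office-hours pattern
    visible; weekend sightings are dropped by default so they do not blur it."""
    profile = Counter()
    for ts, _host in sightings:
        local = parse(ts).astimezone(tz)
        if weekdays_only and local.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            continue
        profile[local.hour] += 1
    return profile


def peak_hours(profile: Counter, n=2):
    """The n busiest local hours, busiest first (ties keep first-seen order)."""
    return [hour for hour, _count in profile.most_common(n)]


if __name__ == "__main__":
    print("Tier 1 lifespans (days):", tier1_lifespans(SIGHTINGS))
    print("Mean Tier 1 lifespan:", mean_lifespan(SIGHTINGS))
    print("Weekday peak hours, MSK:", peak_hours(hourly_profile(SIGHTINGS)))
    print("Weekday peak hours, UTC:", peak_hours(hourly_profile(SIGHTINGS, tz=UTC)))
```

On the constructed data the weekday peaks fall at 05:00 and 11:00 UTC, which the same histogram in Moscow time renders as 08:00 and 14:00. The method only supports a time-zone inference; it does not by itself distinguish Moscow from other UTC+3 locations, which is why the report speaks of "a Russian time zone" rather than a city.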


Background


NoName057(16)


NoName057(16) is a pro-Russian hacktivist group that emerged in March 2022, shortly after Russia's full-scale invasion of Ukraine. The threat group is known for conducting distributed denial-of-service (DDoS) attacks against Ukraine and its allies, particularly NATO members. The threat group's activities are not financially motivated but are driven by a political agenda rooted in Russian nationalism. NoName057(16) operates a volunteer-based model, recruiting participants via its Telegram channels, providing them with the necessary tools and infrastructure, and rewarding contributors with cryptocurrency.


NoName057(16)'s alignment with Russia's strategic interests is clear, and the group functions as an unofficial cyber warfare asset for the Russian state. This connection is consistently reinforced through the threat group's public communications on Telegram, where it frames its attacks as direct retaliation for actions taken by Russia’s adversaries. For example, NoName057(16) justified attacks on Lithuanian infrastructure as "revenge for Kaliningrad" after the enforcement of EU sanctions, targeted Danish financial institutions for Denmark's support of Ukraine, and attacked Italian websites following "Russophobic" comments by the Italian president. This pattern highlights the threat group's role as digital partisans acting on Russia's geopolitical narrative, aiming to disrupt organizations it deems hostile.


The DDoSia Project


The threat group's primary weapon is a custom DDoS tool named "DDoSia", the successor to an earlier botnet called Bobik. The tool conducts application-layer (Layer 7) DDoS attacks by inundating target websites with a high volume of junk HTTP requests. The operational framework surrounding this tool is known as the "DDoSia Project", which encompasses the entire ecosystem of tools, infrastructure, and volunteers. The DDoSia client is a user-friendly, Go-based tool that communicates with a C2 server to obtain a list of targets. Volunteers run the tool on their devices, using a unique "User Hash" as an access key. This key is required to receive targets and contribute to attacks, a gating mechanism likely intended to hinder analysis by security researchers. The tool is designed to be easy to use, allowing individuals with little to no technical expertise to participate in the threat group's operations.
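
The defensive controls recommended in the executive summary (rate limiting and IP blocking) are the first line against the kind of HTTP flood the DDoSia client generates. The following Python is an added example of the detection side and is not code from the Recorded Future report, the NCWF page or DDoSia: it parses combined-format web access log lines, counts requests per source IP in a sliding window, scores how much of a client's traffic consists of never-repeated paths (the signature of cache-busting junk requests), and emits nginx deny rules for offenders. The log lines, the IP addresses (RFC 5737 documentation ranges) and the 20-requests-per-10-seconds threshold are all constructed; real thresholds must be tuned against a site's own baseline.

```python
"""Added example: per-source request-rate detection over constructed access
logs. Not code from the Recorded Future report, the NCWF page or DDoSia."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format:
# ip ident user [time] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

FLOOD_IP = "203.0.113.10"   # constructed attacker address (RFC 5737 TEST-NET-3)
BENIGN_IP = "198.51.100.7"  # constructed ordinary client (RFC 5737 TEST-NET-2)


def constructed_log():
    """Deterministic sample traffic (constructed, not captured): one client sends
    30 requests in 6 s with cache-busting query strings, another sends 8 requests
    over 14 s to two ordinary pages. Lines come out in time order."""
    base = datetime(2025, 8, 14, 9, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(30):
        events.append((base + timedelta(milliseconds=200 * i), FLOOD_IP, f"/?cb={i:04x}"))
    for i in range(8):
        events.append((base + timedelta(seconds=2 * i), BENIGN_IP, "/news" if i % 2 else "/"))
    events.sort()
    return [
        f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512 "-" "-"'
        for t, ip, path in events
    ]


def parse_line(line):
    """Return (timestamp, ip, path) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["path"]


def detect_floods(lines, window_s=10, threshold=20, allowlist=frozenset()):
    """Sliding-window request counting per source IP.

    An IP is flagged the first time it exceeds `threshold` requests inside any
    `window_s`-second span. Returns {ip: ISO timestamp of the first trip}.
    Allowlisted addresses (shared NAT egress, uptime monitors) are never flagged,
    because blocking them would take legitimate users offline with the flood."""
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _path = parsed
        if ip in allowlist:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) > threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


def distinct_path_ratio(lines, ip):
    """Share of an IP's requests whose path is unique within the log. Floods that
    randomise query strings to defeat CDN caching score near 1.0; a person
    browsing a handful of pages scores far lower."""
    paths = [parsed[2] for parsed in map(parse_line, lines) if parsed and parsed[1] == ip]
    return len(set(paths)) / len(paths) if paths else 0.0


def nginx_deny_rules(flagged):
    """Render flagged addresses as nginx `deny` directives for an include file."""
    return [f"deny {ip};" for ip in sorted(flagged)]


if __name__ == "__main__":
    log = constructed_log()
    hits = detect_floods(log)
    print("flagged:", hits)
    for ip in (FLOOD_IP, BENIGN_IP):
        print(ip, "distinct-path ratio:", distinct_path_ratio(log, ip))
    print("\n".join(nginx_deny_rules(hits)))
```

Per-IP thresholds catch a single aggressive client but not a volunteer swarm in which every participant stays under the limit; that is why the summary pairs rate limiting with a CDN, a WAF and upstream DDoS protection rather than relying on any one of them, and why aggregate request-rate monitoring against a known baseline belongs alongside the per-source rule shown here.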


In this report, “operators” refers to the threat actors responsible for developing the DDoSia Project and creating target lists for NoName057(16), while “volunteers” refers to the individuals who execute attacks using the DDoSia tool.



Source: RecordedFuture
Source Link: https://www.recordedfuture.com/research/anatomy-of-ddosia





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.