The pro-Russian hacktivist group NoName057(16) has orchestrated an enormous distributed denial-of-service campaign targeting over 3,700 unique hosts over 13 months, according to new research published on July 22, 2025.
The group, which emerged in March 2022 shortly after Russia’s full-scale invasion of Ukraine, has maintained an unprecedented operational tempo, launching attacks against an average of 50 unique hosts per day, with activity peaking at 91 targets in a single day.
The hacktivists primarily focused their attacks on government and public-sector entities in European countries opposing Russia’s invasion of Ukraine, with Ukrainian organizations making up the largest share of targets at 29.47%, followed by France (6.09%), Italy (5.39%), and Sweden (5.29%).
The campaign demonstrates clear strategic alignment with Russian geopolitical interests, functioning as an unofficial cyber-warfare asset that frames attacks as direct retaliation for actions taken by Russia’s adversaries.
[Figure] DDoSia C2 communication flow (Source: Recorded Future)
Recorded Future analysts identified the group’s primary weapon as a custom DDoS tool named “DDoSia,” the successor to an earlier botnet known as Bobik.
The tool facilitates application-layer DDoS attacks by overwhelming target websites with high volumes of junk requests, operating through a volunteer-driven model that recruits participants via Telegram channels and rewards contributors with cryptocurrency.
Technical Infrastructure and Communication Protocol
The DDoSia malware employs a sophisticated two-step communication process. Client registration begins with an HTTP POST request to the /client/login endpoint, where the malware validates authenticity using encrypted payloads secured with AES-GCM encryption.
The encryption key is dynamically generated from a combination of the User Hash and Client ID, creating a robust authentication mechanism.
The malware’s multi-tiered infrastructure consists of rapidly rotating Tier 1 command-and-control servers with an average lifespan of 9 days, which are exclusively permitted to establish connections to Tier 2 servers protected by access control lists.
This architecture ensures operational resilience while maintaining reliable C2 functionality even under law-enforcement pressure, as demonstrated during Operation Eastwood between July 14-17, 2025, which resulted in arrests and searches across six European countries.
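From the defender's side, the traffic pattern described above (many volunteer nodes sending high volumes of junk requests, typically with unique query strings to defeat caching) is visible in ordinary web-server logs. The following is an added example, not code from the Recorded Future report or from the DDoSia tooling: a small rate-based detector run over constructed Combined Log Format lines. The window size, thresholds and sample addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]+" (\d{3})')

def parse_line(line):
    """Return (epoch_second, client_ip, path) for a Combined Log Format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, _method, path, _status = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return int(ts.timestamp()), ip, path

def detect_floods(lines, window=10, min_requests=50, min_unique_ratio=0.9):
    """Flag time windows where request volume is high and nearly every
    request carries a distinct path/query (cache-busting junk traffic)."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, ip, path = rec
            buckets[ts - ts % window].append((ip, path))
    alerts = []
    for start, reqs in sorted(buckets.items()):
        if len(reqs) < min_requests:
            continue
        unique_ratio = len({p for _, p in reqs}) / len(reqs)
        if unique_ratio >= min_unique_ratio:
            alerts.append({"window_start": start, "requests": len(reqs),
                           "sources": len({ip for ip, _ in reqs}),
                           "unique_query_ratio": round(unique_ratio, 2)})
    return alerts

def build_sample_log():
    """Constructed log (assumed, not real traffic): a quiet minute of normal
    requests, then a 10-second burst from 60 nodes with unique query strings."""
    lines = []
    for sec in range(0, 60, 6):  # baseline: one request every 6 seconds
        lines.append(f'198.51.100.{sec % 5 + 1} - - [22/Jul/2025:10:00:{sec:02d} +0000] '
                     f'"GET /news HTTP/1.1" 200 4096')
    for i in range(60):  # burst: each node sends one cache-busting request
        lines.append(f'203.0.113.{i + 1} - - [22/Jul/2025:10:01:{i % 10:02d} +0000] '
                     f'"GET /news?q={i:08x} HTTP/1.1" 200 4096')
    return lines
```

Running `detect_floods(build_sample_log())` yields a single alert for the burst window with 60 requests from 60 distinct sources; the baseline minute produces none.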