{
	"id": "a504b3cf-c8f0-4c8c-bce3-923b4915d8ae",
	"created_at": "2026-04-06T00:16:39.012501Z",
	"updated_at": "2026-04-10T13:12:46.242665Z",
	"deleted_at": null,
	"sha1_hash": "09aea7615605abaf4cac5fec05118aa3e01d9c41",
	"title": "Pro-Russian Group Targeting Ukraine Supporters with DDoS Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3207772,
	"plain_text": "Pro-Russian Group Targeting Ukraine Supporters with DDoS\r\nAttacks\r\nBy Threat Research Team\r\nArchived: 2026-04-05 12:47:03 UTC\r\nIt has now been six months since the war in Ukraine began. Since then, pro-Russian and pro-Ukrainian hacker\r\ngroups, like KillNet, Anonymous, IT Army of Ukraine, and Legion Spetsnaz RF, have carried out cyberattacks. A\r\nlesser-known group called NoName057(16) is among the pro-Russian groups attacking Ukraine and the countries\r\nsurrounding it that side with Ukraine.\r\nNoName057(16) is performing DDoS attacks on websites belonging to governments, news agencies, armies,\r\nsuppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine\r\nand in neighboring countries supporting Ukraine, such as Estonia, Lithuania, Norway, and Poland. A full\r\nlist of the group’s targets can be found at the end of this post.\r\nTo carry out DDoS attacks, hacker groups utilize botnets. They control them via C\u0026C servers, sending commands\r\nto individual bots, which essentially act as soldiers. Uncovering and tracking botnets is complex and time-consuming.\r\nWe got our hands on malware called Bobik. Bobik is not new; it has been around since 2020 and is known as a\r\nRemote Access Trojan. Things have, however, recently changed. Devices infected with Bobik are now part of a\r\nbotnet and are carrying out DDoS attacks for NoName057(16). We can confidently attribute the attacks to the group,\r\nas we have analyzed and compared what the C\u0026C server is instructing devices infected with Bobik to do with the\r\nattacks the group claims to be responsible for on their Telegram channel.\r\nToolset\r\nThe bots used by the botnet are infected with malware called Bobik, which is written in .NET. The malware has\r\nnot been tied to a certain group in the past, and is actually a Remote Access Trojan. 
Its spyware functionalities\r\ninclude keylogging, running and terminating processes, collecting system information, downloading/uploading\r\nfiles, and dropping further malware onto infected devices.\r\nKill Chain\r\nIn the wild, one of the most monitored droppers for Bobik is RedLine Stealer, a botnet-as-a-service cybercriminals\r\ncan pay for to spread their malware of choice. The usual workflow of Bobik is illustrated in the image below.\r\nAt first, an unknown group seems to have purchased RedLine Stealer to deploy Bobik. The final DDoS module\r\ndeployment is composed of two basic stages. The first executes Bobik’s Updater via a RedLine Stealer bot. In the\r\nsecond stage, Bobik’s Updater extracts and drops the final DDoS module (Bobik’s RuntimeBroker) and ensures the\r\nmodule’s persistence.\r\nhttps://decoded.avast.io/martinchlumecky/bobik/\r\nPage 1 of 16\n\nBobik deployment\r\nWhen RuntimeBroker is run, the module contacts a C\u0026C server and downloads a configuration file defining\r\ntargets for DDoS attacks. The module then starts the attacks using a defined number of threads, usually five.\r\nThe detailed workflow of the Bobik deployment is shown below. The RedLine Stealer Cryptic (installer)\r\ndeobfuscates the .NET payload of Bobik’s Updater and injects it into a newly created process of the .NET\r\nClickOnce Launch Utility (AppLaunch.exe); see steps 1 – 5.\r\nBobik deployment using RedLine Stealer Cryptic\r\nThe same process is used to execute Bobik’s RuntimeBroker (the DDoS module), because the dropped\r\nRuntimeBroker is also packaged and obfuscated via RedLine Stealer Cryptic. Therefore, the dropped Bobik’s\r\nRuntimeBroker also deobfuscates the .NET payload of Bobik’s RuntimeBroker and injects it into another\r\nAppLaunch process; see steps 6 – 8. 
After all these steps, Bobik’s DDoS module is deployed, persistent, and\r\nready to attack.\r\nC\u0026C Servers and Communication\r\nSince June 1, 2022, we have observed Bobik’s network activities. Bobik bots communicate with C\u0026C servers\r\nlocated in Russia and Romania. Two of these servers are already offline. However, another Romanian server is still\r\nactive and able to send commands to the bots.\r\nC\u0026C Servers\r\nSince we started tracking the botnet activity, we have captured three production C\u0026C servers controlling Bobik bots and one\r\ndevelopment server. The servers run Ubuntu with Nginx (v1.18.0). RiskIQ reports all servers as malicious,\r\nwith self-signed certificates and bad reputations, having previously hosted many suspicious services.\r\nServer 1\r\nThe last active server is 2.57.122.243, located in Romania; the first Bobik activity we saw on it was on June 13,\r\n2022. We also have two DNS records for this malicious server:\r\nv9agm8uwtjmz.sytes.net and q7zemy6zc7ptaeks.servehttp.com.\r\nServer 2\r\nThe second server, 2.57.122.82, is also in Romania, but the communication with the Bobik bots was deactivated\r\naround July 14, 2022. The server is still up; nevertheless, it responds with a 502 HTTP code (Bad\r\nGateway). Based on the findings from Server 1, this server used the same v9agm8uwtjmz.sytes.net DNS\r\nrecord, which was reconfigured to point to Server 1 in the middle of June.\r\nServer 3\r\nThe first Bobik C\u0026C server we saw was 77.232.41.206 in Russia. The server had ports 80 and 443 open\r\nuntil June 9, 2022. It is no longer usable by Bobik bots, and therefore de facto offline, because the only open\r\nport now is OpenSSH, and Bobik requires port 80 for its C\u0026C communication.\r\nDev Server\r\nOne of the C\u0026C servers is a suspected development server at 109.107.181.130, listening on port 5001. 
The\r\nserver has been active since April and is located in Russia; its reputation is also suspicious. Avast has not detected\r\nany hits for this server in the wild. However, one Python sample uses the server as a testing environment.\r\nC\u0026C Communication\r\nThe communication between Bobik bots and the C\u0026C servers is mediated using simple, unsecured HTTP requests\r\nand responses via the Nginx web server. The bots obtain their commands from the C\u0026Cs using a URL;\r\nsee the diagram below.\r\nHTTP communication\r\nRequest\r\nThe request URL uses the following template:\r\nhttp://[ip]/[request]/update?id=[sha256]\u0026v=[version]\u0026pr=[flag]\r\nip: Bobik bots hardcode one of the C\u0026C IPs or one of the DNS records; see the section C\u0026C Servers.\r\nrequest: defines the purpose of the communication; we registered three types of requests, each in the form of a\r\nGUID.\r\n– notice: the bots report their states.\r\n– admin: this request can open the admin console of the Nginx web server.\r\n– dropper: the path to a malicious executable representing Bobik’s RuntimeBroker, followed by an exe file name.\r\nThe exact GUIDs are listed in the Appendix.\r\nid: a hash computed from Windows Management Instrumentation (WMI) information about the victim’s\r\nmachine, such as Win32_DiskDrive, Win32_Processor, Win32_BaseBoard, etc. The hash can serve as a unique\r\nidentifier for a Bobik bot.\r\nv: the Bobik version; Avast has captured sample versions ranging from 8 to 19.\r\npr: a flag (0 or 1) indicating whether the communication with the C\u0026C has timed out at least once. 
\r\nThe body of the HTTP request contains one simple XML tag with information about the victim; for instance:\r\n\u003cclient a0=\"1\" a1=\"en-US\" a2=\"en-US\" a3=\"14:03:53\" a4=\"600\"\u003e; where\r\na0: ProductType (1: Workstation, 2: Domain Controller, 3: Server)\r\na1: CultureInfo.InstalledUICulture\r\na2: CultureInfo.CurrentUICulture\r\na3: DateTime.Now\r\na4: Default timeout for the update of the DDoS target list from the C\u0026C server\r\nSee these examples of notice URLs:\r\nhttp://2.57.122.82/d380f816-7412-400a-9b64-78e35dd51f6e/update?id=AEF97F87751C863548359181B65B60EE86A7D44724040229CDE4622C99AB0B59\u0026v=17\u0026pr=1\r\nhttp://2.57.122.82/d380f816-7412-400a-9b64-78e35dd51f6e/update?id=67F5318073F09F03E762BF727015384589F00282EA26B1798C10581B8DC27F52\u0026v=16\u0026pr=1\r\nhttp://v9agm8uwtjmz.sytes.net/d380f816-7412-400a-9b64-78e35dd51f6e/update?id=B5B72AEBEC4E2E9EE0DAC37AC77EBFB679B6EC6D7EE030062ED9064282F404A7\u0026v=18\u0026pr=1\r\nhttp://q7zemy6zc7ptaeks.servehttp.com/d380f816-7412-400a-9b64-78e35dd51f6e/update?id=BADFD914A37A1FF9D2CBE8C0DBD4C30A9A183E5DF85FCAE4C67851369C2BAF87\u0026v=18\u0026pr=1\r\nResponse\r\nThe body of the HTTP response contains an encrypted and gzipped XML file configuring the bots for the defined\r\nDDoS attacks. See the example below:\r\nThe bot receives the encrypted data and decrypts it using a simple algorithm, as shown below. The full script is\r\nlocated in the IOC repository.\r\nHTTP response decryptor\r\nThe decrypted XML file has an elementary structure, as shown below:\r\nDecrypted XML config\r\nMost of the XML attributes are intuitive, so we will just explain the curly brackets in the path and body\r\nattributes. The configuration often uses dynamically generated pieces (definitions) like this: {.,15,20}. 
The\r\ndefinition dictates how long the generated random text should be and where it is placed.\r\nThe definitions are abundantly applied in the path or body of the HTTP requests, where the attackers expect an\nincreased load on the server. The effect is that bots flood servers with meaningless requests. For instance, the first\nentry in the image directly above (decrypted XML config) uses this definition: query={.,15,20}, which\nmeans that the bots generate random texts 15 – 20 characters long as requests to, for example, the calendar of\nPoland’s presidential office. Similarly, the second entry flooded the reference system of bus lines in Ukraine\nwith requests for a password reset, as illustrated by this definition: email={.,5,15}%40gmail.com.\nFor the most part, we captured definitions sending data to login pages, password recovery sites, and site searches,\nas can be seen from the XML config snippets below:\nLogin data\nSearch requests\nPassword recovery request\nConsequently, the attackers try to overload a server with these requests, as they are computationally intensive. The\nrequests require many accesses to server databases, e.g., verifying emails for password resetting, trying to log in\nwith random data (definitions), etc.\nBobik Botnet\nThe Avast telemetry data cannot paint a precise picture of the botnet’s size, but we can estimate the approximate\nrepresentation of Bobik in the wild; see the map below. The map shows where, according to Avast’s telemetry, the bots\nthat attempt to carry out DDoS attacks for NoName057(16) are located. Avast has protected these devices from\nBobik or from connecting to the C\u0026C server. Most of the bots are located in Brazil, India, and Southeast Asia.\nDistribution of users Avast protected from Bobik\r\nAccording to our data, the number of Bobik bots is a few hundred. 
However, the total number must be much larger\r\nconsidering the DDoS attacks’ acute effectiveness and frequency. We, therefore, estimate there are thousands of\r\nBobik bots in the wild.\r\nSelection of DDoS Targets\r\nBecause we also have configurations of unsuccessful attacks, we were able to reconstruct the procedure the attackers\r\nfollow to determine which web servers to attack.\r\nThe first step is looking for a target that supports Ukraine or a target with anti-Russian views. The attackers\r\nanalyze the structure of the target’s website and identify pages that can cause server overloading, especially\r\nrequests requiring higher computing time, such as searching, password resetting, login, etc.\r\nThe second step is filling in the XML template, encrypting it, and deploying it to the C\u0026C servers. The attackers\r\nmonitor the condition of the target server and modify the XML configuration as needed (modification of\r\nURL parameters, bodies, etc.) to be more effective. The configuration is changed approximately three times per\r\nday.\r\nSuppose the configuration is successful and a targeted server is in trouble. In that case, the configuration is fixed\r\nuntil the web server crashes or the server admins implement anti-DDoS techniques or firewall rules based on GeoIP.\r\nIf the attack is unsuccessful, a new target is selected, and the whole selection procedure is repeated.\r\nTargets\r\nIn the first phase, the attackers targeted Ukrainian news servers they defined as being against the war in Ukraine.\r\nThen, the attacks targeted websites belonging to Ukrainian cities, local governments, electrical power\r\ndistribution, Ukrainian companies supplying the Ukrainian army with weapons, railway and bus companies, and postal\r\noffices. 
\r\nThe second phase targeted organizations publicly supporting Ukraine financially or materially, like Ukrainian banks\r\nand financial institutions, and operators of local Ukrainian gas reservoirs that publicly declared help for the\r\ndefenders of Ukraine.\r\nAs the political situation around the war changed, so did the targets of the DDoS attacks. Bobik performed DDoS\r\nattacks on GKN Aerospace, a supplier of the Northrop Grumman Corporation, because the US Defense\r\nDepartment convened a meeting with America’s eight prime defense contractors (including Northrop Grumman\r\nCorporation) to ensure long-term readiness to meet “Ukraine’s weapons needs”.\r\nAnother global company under attack was Group 4 Securitas (G4S), which published a document assessing and\r\nexploring key elements of the conflict in Ukraine. In terms of telecommunications companies, we observed an\r\nattack on the American telco Verizon, which declared a waiver of call charges to and from Ukraine. And so\r\nwe could continue listing companies that came under Bobik attacks due to their support for Ukraine. You can see a\r\nfew screenshots from affected websites below.\r\nOther attacks were more politically motivated, based on government declarations of a given country. The Baltic states\r\n(Lithuania, Latvia, and Estonia) were the most significant targets outside Ukraine of DDoS attacks carried out by the\r\ngroup. Let’s summarize targets outside of Ukraine, chronologically, since we started monitoring Bobik.\r\nJune 7, 2022: Significant DDoS attack on Estonia’s central bank; see Twitter.\r\nJune 18, 2022: Bobik configuration changed to target Lithuanian transportation companies, local railway\r\nand bus transportation companies, after Lithuanian authorities announced a ban on the transit through their\r\nterritory to the Russian exclave of Kaliningrad of goods that are subject to EU sanctions. 
The attackers also\r\ntargeted the Lithuanian financial sector, like UAB General Financing, Unija Litas, and more.\r\nJuly 1, 2022: Norwegian authorities stopped goods destined for the roughly 400 miners in the\r\ntown of Barentsburg employed by the Russian state coal mining company Arktikugol. NoName057(16)’s\r\nDDoS attacks focused on Norwegian websites as retaliation for the blockade. The main targets were\r\ntransportation companies (Kystverket, Helitrans, Boreal), the Norwegian postal service (Posten), and\r\nfinancial institutions (Sbanken, Gjensidige).\r\nJuly 7, 2022: There were no specific acts by Poland that caused the group to specifically target Polish\r\nsites. However, Poland has supported Ukraine from the beginning of the conflict, and therefore\r\nsites in the country became targets. The first wave of DDoS attacks on Polish sites was aimed at\r\ngovernment websites like the Polish Cyberspace Resource Center, the Polish 56th Air Base, the Military\r\nRecruitment Center in Chorzów, and more.\r\nJuly 9, 2022: Bobik was reconfigured back to target Lithuanian websites, focusing on energy companies\r\n(Ignitis Group, KN), transportation companies (Ingstad \u0026 Co, Asstra-Vilnius), and banks (Turto Bankas,\r\nŠiaulių Bankas, Swedbank, SEB, Kredito unija Litas).\r\nJuly 25, 2022: Polish sites were targeted again; this time the Polish government and airports were\r\nattacked. 
We observed a DDoS configuration including the Polish Sejm, Presidential Office, Ministry of\r\nNational Defense, Poznań Airport, Szczecin Goleniów Airport, Gdansk Airport, Kraków Airport, and more.\r\nAugust 5, 2022: Polish regional and district courts were targeted.\r\nAugust 9, 2022: When Finland announced its intention to join NATO, the Bobik configuration was\r\nchanged to target Finnish government institutions, like the Parliament of Finland (Eduskunta), the State\r\nCouncil, the Finnish police, and more.\r\nAugust 14, 2022: The Latvian financial sector (Latvian Payment Services and Electronic Money, Luminor\r\nInterneto bankas) was attacked.\r\nAugust 16, 2022: The second wave of attacks on the Polish justice system began. We monitored a\r\nconfiguration with specific district courts in Krakow, Olsztyn, Warszawa, and Poznan.\r\nAugust 23, 2022: Estonia’s largest news portal, Delfi, was under DDoS attack because it published\r\n“Russophobic” content.\r\nAugust 26, 2022: The group targeted another Estonian company, Tallink Grupp, a company providing\r\ntransport services in the northern Baltic Sea region, including air transport. Tallink’s airports, such as\r\nKärdla, Tartu, and Pärnu, were targeted.\r\nAugust 27, 2022: Lithuania’s ministries of National Defense, Culture, Education, Science and Sports, and\r\nPublic Procurement Offices were targeted, along with airports and transport companies.\r\nAugust 29, 2022: Ukrainian banks were DDoSed by the group after a long break. 
We observed\r\nAcordbank, Trust capital, JSC Poltava-Bank, and Pravex Bank under attack.\r\nSeptember 1 and 2, 2022: Ukrainian schools were under attack at the beginning of the new school year.\r\nFortunately, none of the group’s 14 targets were taken down.\r\nSeptember 3, 2022: Polish armaments plants (Dezamet, Zakłady Mechaniczne Tarnów) and Lithuanian\r\ninvestment companies (Unija Litas, General Financing Bankas) were the group’s first victims after their\r\nunsuccessful attack attempts on Ukrainian school institutions.\r\nSeptember 6, 2022: The second attempt to attack Ukrainian school institutions (Athens School in Kyiv,\r\nCherkasy National University, First Cambridge Education Center, and more).\r\nThe graph below shows a timeline of Bobik DDoS attacks, including successful and unsuccessful attacks from the\r\nbeginning of June to mid-July 2022, captured by Avast telemetry.\r\nFinally, we inspected all hosts from the XML configuration files within our three-month observation period. The\r\npie chart below illustrates that sites from Lithuania and Poland are the main targets of the NoName057(16) group.\r\nLooking at the distribution of attacked institutions, courts come first, logistics companies second,\r\nfollowed by banks. The remaining targets are airports, transportation companies, governments, and\r\ntelecommunications companies. A full list of the targets can be found in the Appendix.\r\nIdentifying NoName057(16)\r\nWe have tried to identify the hacker group controlling the Bobik bots and C\u0026C servers. 
It was evident that the group\r\nmust be pro-Russian, so we began by looking at the most prominent pro-Russian DDoS attacks.\r\nShortly after the war in Ukraine began, a pro-Russian hacking group called Killnet appeared and began carrying out\r\nDDoS attacks against companies and governments supporting Ukraine, and even targeted the 2022 Eurovision\r\nSong Contest.\r\nBobik initially attacked websites Killnet had marked as “undesirable”. Killnet reports its DDoS attacks on its\r\nTelegram account. At first, it looked like the attacks carried out by Bobik distantly resembled Killnet’s activity,\r\nbecause the timeline of attacked countries was similar to that of the XML configurations. However, many successful\r\nDDoS attacks by Bobik were not posted by Killnet.\r\nOn June 21, 2022, the Killnet group publicly thanked a group called NoName057(16) for their support during the\r\n“special military operation”:\r\nWhen we finished analyzing NoName057(16)’s Telegram channel, we confirmed that NoName057(16) is\r\nresponsible for the DDoS attacks performed by the Bobik bots. All the XML configurations we captured from the\r\nNoName057(16) C\u0026C servers exactly match the posts on the Telegram channel.\r\nNoName057(16)\r\nNoName057(16) is a little-known pro-Russian hacker group. They boast about their successful attack attempts on\r\ntheir Telegram channel, which has more than 14K subscribers. The group was active before we began tracking\r\nthem on June 1, 2022. Their Telegram channel was created on March 11, 2022. We suspect they were either using\r\na different set of botnets before June 1, 2022, or updated the malware used to control the bots in June.\r\nNoName057(16) has been threatening to punish “propaganda” sources that “lie” about the Russian “special\r\noperation” in Ukraine, as well as governments of neighboring countries supporting Ukraine in its fight against\r\nRussia. 
The group became visible in the media at the beginning of August after carrying out successful attacks on the\r\nFinnish and Polish parliaments.\r\nA Wikipedia page about NoName057(16) was created on August 17, 2022. The page summarizes the group’s main\r\nactivity. It classifies the group as a pro-Russian hacker group that claimed responsibility for cyberattacks on\r\nUkrainian, US, and European websites belonging to government agencies, media, and private companies.\r\nNoName057(16) released a manifesto declaring cyberwar as an act of revenge for the open information war against\r\nRussia:\r\nAs the group increased its activities and media profile, it became easier to determine they were behind the attacks.\r\nTherefore, we can clearly state that Bobik is controlled by the pro-Russian hacker group called NoName057(16).\r\nSuccess Rate\r\nThe group only reports successful DDoS attacks on their Telegram channel. Although the reported number of\r\nsuccessful attacks seems large, our statistics indicate the contrary.\r\nThe group concentrates exclusively on DDoS attacks. They do not try to steal data or gain access to systems like\r\nother dangerous groups. The question is whether they have the necessary knowledge, strength, and infrastructure to do\r\nmore. Carrying out DDoS attacks is straightforward and does not require deep technical knowledge. Furthermore,\r\nthe Bobik implementation only sends a simple HTTP request.\r\nOur three-month observation shows that the group’s attack success rate is around 40%. We compared XML\r\nconfigurations captured by Avast to the achievements the group posts on their Telegram channel. Moreover, there\r\nis a particular set of targets, making up ~20% of their posts on Telegram, that NoName057(16) claimed to have\r\nsuccessfully attacked but that we could not match to the targets listed in their configuration files. 
For example,\r\nNoName057(16) claims to be responsible for attacking websites belonging to Lithuanian airports on June 25,\r\n2022:\r\nNoName057(16) claiming to be responsible for a DDoS attack on Lithuanian airports, posted on\r\nNoName057(16)’s Telegram channel\r\nHowever, we did not find any records of the attack in the configuration files. The likelihood of them not using all\r\nof their bots in attacks is slim. In addition to this outage, NoName057(16) declared the sites were under a\r\ncontinuous fourteen-day attack. This would require an extensive bot network, especially considering the group\r\nperformed other attacks during the same time frame, and the websites were still offline. From what we have seen,\r\nit is unlikely that NoName057(16) has an extensive bot network. Moreover, most of their DDoS attacks last a few\r\nhours, at most a few days.\r\nImpact and Protection\r\nThe power of the DDoS attacks performed by NoName057(16) is debatable, to say the least. Judging by the configuration\r\nhistory, they can effectively strike about thirteen URL addresses at once, including subdomains.\r\nFurthermore, one XML configuration often defines a domain/target as a set of subdomains, so Bobik\r\neffectively attacks five different domains within one configuration. Consequently, they cannot focus on more\r\ndomains for capacity and efficiency reasons.\r\nMost of the successful attacks result in servers being down for several hours or a few days. To handle the attacks,\r\nsite operators often resort to blocking queries coming from outside of their country. It is a typical and suitable\r\nsolution for local servers/domains such as local ticket portals of bus/train companies, local\r\ninstitutions/companies, etc. Therefore, the DDoS attacks have only a minimal effect on the servers of\r\nlocal and smaller companies. 
Some operators or owners of affected servers have unregistered their domains, but\r\nthese are extreme cases.\r\nThe DDoS attacks carried out were more difficult to handle for some site operators of prominent and significant\r\ndomains, such as banks, governments, and international companies. After a successful attack, we noticed larger\r\ncompanies implementing enterprise solutions, like Cloudflare or BitNinja, which can filter incoming traffic and\r\ndetect DDoS attacks in most cases. On the other hand, most large, international companies expect heavier traffic\r\nand run their web servers in the cloud with anti-DDoS solutions, making them more resilient to attacks. For\r\nexample, the group was unsuccessful in taking down sites belonging to the Danish bank Danske Bank (attacked June\r\n19 – 21, 2022) and the Lithuanian bank SEB (attacked July 12 – 13, 2022 and July 20 – 21, 2022).\r\nThe success of DDoS attacks depends on victim selection. The more “successful” attacks affected companies with\r\nsimple sites consisting of, for example, an “about us” page, a mission statement, and a contact page. These types of companies do not\r\nuse their web pages as the main part of their business. These servers are therefore not typically designed to be\r\nheavily loaded and do not implement anti-DDoS techniques, making them a very easy target.\r\nThe group’s DDoS attack on Poznań-Ławica Airport in Poland took the site offline for 16 minutes.\r\nNoName057(16) configured Bobik bots based on the \u003ctasks\u003e shown in the screenshot below:\r\nXML configuration for Poznań-Ławica Airport\r\nThey tried to overload the server with requests for searching, form submitting, and getting data via the WordPress\r\nAPI. When the server started to return 502 errors, NoName057(16) did not forget to brag on their Telegram\r\nchannel. 
They also included a link to check-host.net to prove their “revenge”.\r\nNoName057(16)’s Telegram post related to their DDoS attack on Poznań-Ławica Airport\r\nHowever, affected servers very often come back online within several minutes if they implement some anti-DDoS\r\ntechniques, because the algorithms learn to recognize the given type of attack. The check-host.net report below\r\ndemonstrates that the DDoS attack on Poznań-Ławica Airport had a minimal impact, since the website was offline\r\nfor only 16 minutes.\r\nCheck-host.net report for the DDoS attack on Poznań-Ławica Airport, which took the site offline for 16 minutes\nOn June 23, 2022, NoName057(16) reported on Telegram that Lithuanian authorities lifted a ban on the transit of\nRussian cargo to Kaliningrad. The group attributes the lifting of the ban, amongst other things, to the efforts of\ntheir cyber attacks on Lithuania’s infrastructure, which is debatable at best. However, the attacks on Lithuanian\nservers have continued.\nPerformance\nThe botnet went into an idle state on September 1, 2022, at 6 PM UTC, and remained idle for 12 hours.\nThe botnet was reactivated on September 2, 2022, at 4 AM UTC. The XML file sent to the bots contained empty\n\u003ctasks\u003e, like in this example:\nA decline in the botnet’s performance may be a possible explanation for this. The group only posted two general\nposts to their Telegram channel on September 1 and 2, 2022, instead of boasting about successful attacks, our first\nindication the botnet might not be performing well.\nThe first post was about the beginning of the new school year and the Day of Knowledge. The group also mentioned\nbeing on the defense of the cyber front for their country and for the safety of the younger generation. 
The\nsecond post was about “information guns and DDoS tanks” that worked quietly on very difficult and important\nwork.\nIn fact, NoName057(16) changed targets ten times each day in the XML configurations, which is abnormal. We\nmonitored the targets for these days, and none of the attacks were successful. Therefore, it is evident that the\nbotnet had some trouble.\nMost of the sites attacked by the group have implemented anti-DDoS protections. This slowdown implies that the\nbotnet is relatively static, without many changes such as recruiting new bots or dynamically changing the bots’ IPs. A\nstatic botnet is an advantage for anti-DDoS protections, because the malicious traffic can be easily identified.\nNoName057(16) has continued to attack other, easier targets since September. Only the future will reveal the\nBobik botnet’s successes and failures. However, the attacks’ success rate has been only around 25% since the\nbeginning of September.\nConclusion\nWe investigated and analyzed malware used to carry out DDoS attacks on sites in and around Ukraine, starting in\nJune 2022. We identified the malware as a .NET variant of a RAT called Bobik, including a DDoS module, and\nspreading via a botnet-as-a-service, RedLine Stealer.\r\nThe first technical part of this investigation uncovered the C\u0026C servers and the HTTP communication protocol used\r\nby the Bobik bots. We also successfully decrypted the HTTP protocol, including its parameters. This allowed us to\r\nmonitor the C\u0026C servers and collect information about the botnet architecture and the XML configurations defining\r\nthe DDoS targets.\r\nThe second aim was to determine the bad actors behind the attacks. 
We identified a pro-Russian hacker group\r\ncalled NoName057(16) as the users, or possibly even the authors, of Bobik, based on the XML configurations and\r\nwhat the group posts to their Telegram channel.\r\nNoName057(16) focuses exclusively on DDoS attacks and looks for companies and organizations that support\r\nUkraine or are “anti-Russian”. They do not try to steal data or gain access to systems like other dangerous\r\ngroups. Therefore, we can declare that their activities are only harmful in the sense that companies can lose\r\nbusiness while their sites are offline, but attacked sites that have gone offline have luckily recovered quickly. Their\r\nactivities are more annoying than dangerous.\r\nWe found that the successful attacks defined by NoName057(16) make up just ~40% of all of their attack\r\nattempts. The success of their attacks depends on the quality of the targeted infrastructure. The evidence suggests\r\nthat well-secured and well-designed servers can withstand the group’s DDoS attacks.\r\nThe group focuses on servers/domains as retaliation for cyber-attacks and sanctions on Russia. 
All successful\r\nattacks, and even successful attacks the group is not responsible for (but claims to be), are posted to their Telegram\r\nchannel.\r\nIf you are concerned your device might be infected with Bobik and supporting NoName057(16)’s efforts, we\r\nhighly recommend you install security software, like Avast Antivirus, which detects, blocks, and can remove\r\nBobik.\r\nIOCs\r\nThe full list of IoCs is available in the IOC repository.\r\nAppendix\r\nGUIDS\r\nhttp://[ip]/[request]/update?id=[sha256]\u0026v=[version]\u0026pr=[flag]\r\nBobik’s Targets\r\nThe full list of the targets can be found in the IOC repository.\r\nA group of elite researchers who like to stay under the radar.\r\nSources\r\nSource: https://decoded.avast.io/martinchlumecky/bobik/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/martinchlumecky/bobik/"
	],
	"report_names": [
		"bobik"
	],
	"threat_actors": [
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434599,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09aea7615605abaf4cac5fec05118aa3e01d9c41.pdf",
		"text": "https://archive.orkl.eu/09aea7615605abaf4cac5fec05118aa3e01d9c41.txt",
		"img": "https://archive.orkl.eu/09aea7615605abaf4cac5fec05118aa3e01d9c41.jpg"
	}
}