{
	"id": "00d85554-d00c-4ddc-bb6e-195041989a12",
	"created_at": "2026-04-06T00:17:42.787252Z",
	"updated_at": "2026-04-10T13:12:07.353916Z",
	"deleted_at": null,
	"sha1_hash": "578de845c39282116c1a6dc524794705497e8927",
	"title": "NoName057(16) - The Pro-Russian Hacktivist Group Targeting NATO",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2096068,
	"plain_text": "NoName057(16) - The Pro-Russian Hacktivist Group Targeting\r\nNATO\r\nBy Tom Hegel\r\nPublished: 2023-01-12 · Archived: 2026-04-02 12:27:26 UTC\r\nBy Tom Hegel and Aleksandar Milenkoski\r\nExecutive Summary\r\nPro-Russia hacktivist group NoName057(16) is conducting a campaign of DDoS attacks on Ukraine and\r\nNATO organizations that began in the early days of the war in Ukraine. Targets have included government\r\norganizations and critical infrastructure.\r\nNoName057(16) was responsible for disrupting services across the financial sector of Denmark this week.\r\nOther recent attacks include organizations and businesses across Poland, Lithuania and others.\r\nOn January 11th, we observed NoName057(16) begin targeting 2023 Czech presidential election\r\ncandidates’ websites.\r\nSentinelLABS has identified how the group operates over public Telegram channels, a volunteer-fueled\r\nDDoS payment program, a multi-OS supported toolkit, and GitHub.\r\nWhat is NoName057(16)\r\nNoName057(16), also known as NoName05716, 05716nnm or Nnm05716, is a relatively underreported hacktivist\r\ngroup supporting Russia since March 2022, alongside Killnet and other pro-Russian groups. In December 2022,\r\nthe group was responsible for disrupting the Polish government website. As noted by the Polish government, the\r\nincident was in response to the Sejm of the Republic of Poland officially recognizing Russia as a state sponsor of\r\nterrorism in mid December 2022. More recently, the group targeted the Danish financial sector, impacting leading\r\nfinancial institutions as reported by Reuters.\r\nMotivations and Objectives\r\nThe NoName057(16) group is primarily focused on disrupting websites important to nations critical of Russia’s\r\ninvasion of Ukraine. Distributed Denial of Service (DDoS) attacks act as the method to conduct such disruption\r\nefforts.\r\nInitial attacks focused on Ukrainian news websites, while later shifting to NATO associated targets. 
For example,\r\nthe first disruption the group claimed responsibility for were the March 2022 DDoS attacks on Ukraine news and\r\nmedia websites Zaxid, Fakty UA, and others. Overall the motivations center around silencing what the group\r\ndeems to be anti-Russian.\r\nOperating Methods – Telegram Channel\r\nhttps://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/\r\nPage 1 of 11\n\nNoName057(16) operate through Telegram to claim responsibility for their attacks, mock targets, make threats,\r\nand generally justify their actions as a group. Interestingly, NoName057(16) makes attempts to teach their\r\nfollowers through educational content such as explaining basic industry jargon and attack concepts.\r\nWith an average of six posts per day, the overall engagement of NoName057(16)’s Telegram efforts has slowly\r\ndeclined over time. Peak viewership of their posts occurred in July 2022, when they reached approximately\r\n14,000 readers with nearly 100% engagement rate. Today, daily average reach is roughly 2-3,000 and engagement\r\nin the range of 10-20%, signifying that the group is becoming less relevant to their followers and to Telegram\r\nusers as a whole. This may be explained in part by the fact that many similar hacktivist groups exist, have gained\r\nmore attention, and are often more impactful in their objectives.\r\nViews and engagement rate of NoName057(16) Telegram Posts (telemetr.io)\r\nEvidence from NoName057(16)’s Telegram channel indicates that the group values the recognition their attacks\r\nachieve through being referenced online including in Wikipedia articles. The channel also posts pro-Russian\r\nmemes, motivational posts, and general status updates around the holidays. 
The observed Telegram activity makes\r\nit clear that the group considers itself a top tier Russian threat actor when in reality the impact of their DDoS\r\nattacks is short-lived disruption with little to no wider consequence.\r\n[caption] NoName057(16) New Year Update\r\nWe have reported the associated accounts/channels to the Telegram Abuse team.\r\nTool Hosting on GitHub\r\nThe group has also made use of GitHub to host a variety of illicit activity. This includes using GitHub Pages for\r\nfreely hosting their DDoS tool website dddosia.github[.]io, and the associated GitHub repositories for hosting the\r\nlatest version of their tools as advertised in the Telegram channel. Two GitHub profiles of interest are dddosia and\r\nkintechi341. Early commits to the ddos_config repo were made in the name of “Роман Омельченко”.\r\nAssociated dddosia GitHub Profile\r\nAssociated kintechi341 GitHub Profile\r\nWe reported the abuse of these services to the GitHub Trust \u0026 Safety team, who quickly took action as a violation\r\nof GitHub’s Terms of Service.\r\nNetwork\r\nThe C2 services are primarily hosted through Neterra, the Bulgarian telecommunications organization, while also\r\nmaking use of No-IP Dynamic DNS services. The current C2 is zig35m48zur14nel40[.]myftp.org at\r\n31.13.195.87 . This server is active as of this release.\r\nTargets\r\nThroughout the life of the group, NoName057(16) has focused on targeting Ukraine and NATO member countries.\r\nOrganizations targeted are commonly critical infrastructure sectors whose operations are vital to the target nation.\r\nTarget selection shifts according to current political events. 
As previously noted, the Polish government was a\r\nDecember target following the Sejm of the Republic of Poland officially recognizing Russia as a state sponsor of\r\nterrorism in mid December 2022. At the start of January 2023, a large focus was placed on targeting Lithuanian\r\norganizations, primarily in the cargo and shipping sectors. Most recently the actor began focusing on targeting\r\nleading Danish financial institutions including Danske Bank, Danmarks Nationalbank, and others reported in the\r\nmedia this week.\r\nOn January 11th 2023, we observed the actor begin targeting websites owned by multiple 2023 Czech presidential\r\nelection candidates. The election is occurring on January 13th and 14th 2023, so timing of the disruption efforts\r\ncan not be ignored. Specific targets include domains for candidates Pavel Fischer, Marek Hilšer, Jaroslav Bašta,\r\nGeneral Petr Pavel, and Danuše Nerudová. Additionally, the Ministry of Foreign Affairs of the Czech Republic\r\nwebsite was also targeted at the same time. We have notified Czech CERT upon discovery of the new target list.\r\nAttack Toolkit\r\nNoName057(16) has made use of a number of different tools to conduct their attacks throughout 2022. In\r\nSeptember, Avast reported on the threat actor using the Bobik botnet to conduct their DDoS attacks. However, the\r\ngroup appears to primarily seek participation voluntarily through their DDOSIA tool – also referred to by its\r\ndeveloper as Dosia and Go Stresser, depending on versioning.\r\nWe analyzed two different implementations of DDOSIA: a Python and a Golang implementation. The Python\r\nDDOSIA implementation is delivered as a PyInstaller package. 
The Golang implementation refers to itself\r\ninternally as Go Stresser.\r\nThe internal DDOSIA reference Go Stresser\r\nDDOSIA is a multi-threaded application that conducts denial-of-service attacks against target sites by repeatedly\r\nissuing network requests. DDOSIA issues requests as instructed by a configuration file that the malware receives\r\nfrom a C2 server when started. The configuration file is in JSON format and resides at the /client/get_targets\r\nURL path on the C2 server. Historical configuration files can be reviewed in archived October and December\r\n2022 server responses.\r\nDDOSIA configuration file (a snippet)\r\nFor each target site, the configuration file specifies:\r\nA unique target identifier in the field id .\r\nTarget network endpoint information in the fields host , address , and port – a hostname, an IP\r\naddress, and a port.\r\nA network request type and method pairs in the fields type and method . The DDOSIA samples and\r\nconfiguration files we analyzed indicate that the malware supports the request types http , http2 , and\r\ntcp , and the request methods – HTTP verbs  – GET and POST (for the request types http or http2 )\r\nand syn (for the request type tcp ). Based on a configured type and method, DDOSIA constructs HTTP\r\nor TCP network packets (requests) for sending to a target site.\r\nA URL path and request body in the fields path and body for network requests of type http or\r\nhttp2 . 
If the path and/or body fields have values, DDOSIA constructs and issues requests with the\r\nconfigured request body to the configured URL path at the target site.\r\nA Python DDOSIA implementation constructs a TCP SYN packet\r\nA Golang DDOSIA implementation constructs an HTTP POST request\r\nDDOSIA replaces $_{number} substrings specified in the configuration file with random values that the malware\r\ngenerates when constructing a network request. In a DDOSIA configuration file, $_{number} substrings are\r\ntypically placed in path fields. The Python implementation of DDOSIA uses templates defined in the randoms\r\nfield in the configuration file for generating random string values.\r\nA $_{number} substring in a DDOSIA configuration file\r\nThe randoms field in a DDOSIA configuration file (a snippet)\r\nA Python DDOSIA implementation generates random values\r\nA DDOSIA configuration file specifies URL paths and request bodies that are valid at the respective target sites.\r\nThis indicates that the DDOSIA operators construct configuration files by first exploring target sites. For example,\r\nthe URL https://www.defensie[.]nl/actueel/nieuws?pagina={number} is a valid news page iterator at the\r\nwebsite of the Dutch Ministry of Defense.\r\nDDOSIA configuration for targeting the Dutch Ministry of Defense\r\nThere are additional DDOSIA features to those above that a configuration file may instruct the malware to enable.\r\nFor example, the use_random_user_agent field instructs DDOSIA to randomly select a user agent from a list of\r\npredefined user agents when constructing an HTTP request. 
Also, the fields activate_by_schedule ,\r\nstarted_at and finished_at indicate that a DDOSIA sample can be configured to schedule the sending of\r\nnetwork requests over specific date-time intervals. The samples we analyzed do not make use of these\r\nconfiguration parameters but repeatedly send network requests to each target site until terminated.\r\nPredefined DDOSIA user agents\r\nWe note that there are differences regarding what configuration values and features are supported by different\r\nDDOSIA builds and implementations. This indicates that DDOSIA is under continuous development and is\r\nsubject to frequent changes.\r\nFor example, the Golang DDOSIA implementations we analyzed support the network request type http2 ,\r\nwhereas their Python counterparts do not implement this support.\r\nAn implementation of the http2 network request type\r\nIn addition, Golang DDOSIA implementations authenticate themselves to C2 servers by issuing an HTTP POST\r\nrequest to the /login_new URL path at the servers and terminate if the authentication fails. The Python DDOSIA\r\nimplementations that we analyzed do not support this feature.\r\nDDOSIA authenticates itself to a C2 server (‘Авторизация пройдена успешно’ translates from\r\nRussian to ‘Authorization completed successfully’)\r\nDDOSIA maintains statistics about its operation and success rate – the malware counts the total and the number of\r\nsuccessful network requests sent to each target site. 
In the context of network requests of type http or http2 , a\r\nrequest is considered successful if the target site returns the HTTP code 200 ( OK ).\r\nDDOSIA counts successful HTTP network requests\r\nDDOSIA sends the statistics to the C2 server at regular time intervals – this informs the DDOSIA operators about\r\nthe overall progress and success of the denial-of-service campaign that the malware conducts. This is likely\r\nassociated with how the group makes use of a volunteer profit program. They distribute cryptocurrency to the top\r\nDDoS contributors, encouraging people to contribute more technical resources for a more powerful attack.\r\nVersions of the tool for macOS and Linux have also been developed. Android versions of the tool can also be\r\nfound; however, the primary distribution of the group has not officially supported mobile.\r\nConclusion\r\nNoName057(16) is yet another hacktivist group to emerge following the war in Ukraine. While not technically\r\nsophisticated, they can have an impact on service availability– even when generally short lived. What this group\r\nrepresents is an increased interest in volunteer-fueled attacks, while now adding in payments to its most impactful\r\ncontributors. We expect such groups to continue to thrive in today’s highly contentious political climate.\r\nWe would like to thank GitHub’s Trust \u0026 Safety team for a quick response following our abuse notification. 
The\r\nactors’ accounts and pages are no longer online.\r\nIndicators of Compromise\r\nIndicator Description\r\n94d7653ff2f4348ff38ff80098682242ece6c407 DDosia.py encoded installer\r\ne786c3a60e591dec8f4c15571dbb536a44f861c5 DDosia.py encoded installer\r\nc86ae9efcd838d7e0e6d5845908f7d09aa2c09f5 December 2022 DDosia PyInstaller\r\ne78ac830ddc7105290af4c1610482a41771d753f December 2022 DDosia PyInstaller\r\n09a3b689a5077bd89331acd157ebe621c8714a89 July 2022 DDosia PyInstaller\r\n8f0b4a8c8829a9a944b8417e1609812b2a0ebbbd dosia_v2_macOSx64 – May 2022\r\n717a034becc125e88dbc85de13e8d650bee907ea dosia_v2_macOSarm64 – May 2022\r\nef7b0c626f55e0b13fb1dcf8f6601068b75dc205 dosia_v2_linux_x64 – May 2022\r\nb63ce73842e7662f3d48c5b6f60a47e7e2437a11 dosia_v2.0.1.exe – May 2022\r\n5880d25a8fbe14fe7e20d2751c2b963c85c7d8aa dosia_v2.0.1 – May 2022\r\n78248539792bfad732c57c4eec814531642e72a0 dosia_v2.exe – May 2022\r\n1dfc6f6c35e76239a35bfaf0b5a9ec65f8f50522 dosia_win_x64.exe – January 2023\r\n2.57.122.82 C2 Server – Overlaps with Avasts Bobik findings\r\n2.57.122.243 C2 Server – Overlaps with Avasts Bobik findings\r\n109.107.181.130\r\nC2 Server – October 2022 and earlier. 
Overlaps with\r\nAvasts Bobik findings\r\n77.91.122.69 C2 Server – December 2022\r\n31.13.195.87 C2 Server – Mid December to Present Day\r\ntom56gaz6poh13f28[.]myftp.org C2 Domain\r\nzig35m48zur14nel40[.]myftp.org C2 Domain\r\n05716nnm@proton[.]me NoName057(16) Email Address\r\nhxxps://t[.]me/noname05716 NoName057(16) Primary Telegram Channel (open group)\r\nhxxps://t[.]me/nn05716chat\r\nNoName057(16) Secondary Telegram Channel (closed\r\ngroup)\r\nhxxps://github[.]com/dddosia\r\nAccount hosting DDOSIA downloading GitHub Pages\r\nsite.\r\ndddosia[.]github.io\r\nOfficial DDOSIA download site linked to on actors\r\ntelegram page.\r\nhxxps://github[.]com/kintechi341 Contributor to the DDOSIA toolkit\r\nSource: https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/"
	],
	"report_names": [
		"noname05716-the-pro-russian-hacktivist-group-targeting-nato"
	],
	"threat_actors": [
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434662,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/578de845c39282116c1a6dc524794705497e8927.pdf",
		"text": "https://archive.orkl.eu/578de845c39282116c1a6dc524794705497e8927.txt",
		"img": "https://archive.orkl.eu/578de845c39282116c1a6dc524794705497e8927.jpg"
	}
}