{
	"id": "b981eb02-047e-43b5-b863-df11b6795c8d",
	"created_at": "2026-04-06T00:08:53.062606Z",
	"updated_at": "2026-04-10T13:12:36.465688Z",
	"deleted_at": null,
	"sha1_hash": "87349d9c9eeb74ca2113f59932b309d6e4ed75c4",
	"title": "NoName057(16)’s DDoSia project: 2024 updates and behavioural shifts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 682645,
	"plain_text": "NoName057(16)’s DDoSia project: 2024 updates and behavioural\r\nshifts\r\nBy Sekoia TDR,\u0026nbsp;Amaury G.\u0026nbsp;and\u0026nbsp;Maxime A.\r\nPublished: 2024-03-01 · Archived: 2026-04-05 22:07:48 UTC\r\nTable of contents\r\nContext\r\nSystem-level analysis of newly shared files by the adminstrators of DDoSia project\r\nService instability: impact of recurring C2 changes\r\nVictimology analysis: most impacted countries and sectors in early 2024 by NoName057(16)\r\nImpacted countries by DDoSia project\r\nImpacted economic verticals\r\nConclusion\r\nDDoSia’s IoCs\r\nContext\r\nSince the onset of the War in Ukraine, various groups identified as “nationalist hacktivists” have emerged,\r\nparticularly on the Russian side, to contribute to the confrontation between Kyiv and Moscow. Among these\r\nentities, the pro-Russian group NoName057(16) has garnered attention through the initiation of Project\r\nDDoSia, a collective endeavour aimed at conducting large-scale distributed denial-of-service (DDoS) attacks,\r\ntargeting entities (private corporations, ministries and public institutions) belonging to countries supporting\r\nUkraine, predominantly NATO member states.\r\nAs of 2024, Project DDoSia and the group operating it are now familiar names, Sekoia.io continues to\r\nproactively monitor the Command and Control (C2) infrastructure of the DDoS tool. Specifically, we\r\nimplemented an automated system for real-time target collection and regular monitoring of communication\r\nchannels wherein NoName057(16) claims responsibility for its attacks, as mentioned in our blog post from June\r\n2023: Following NoName057(16) DDoSia Project’s Targets. 
Even more recently in 2024, we discussed the\r\nmonitoring of this group’s infrastructure in our annual report: Adversary infrastructures tracked in 2023.\r\nThis current report will detail an overview of the changes made, both from the perspective of the software shared\r\nby the group to generate DDoS attacks and the specifics of the evolution of the C2 servers, culminating in the\r\ntargeting of countries and sectors for 2024.\r\nOn 11 November 2023, the administrators of the Telegram channel for Project DDoSia shared a new version.\r\nWithout any prior announcement, the newly shared version now includes compatibility with more types of\r\nprocessor architectures. The update added compatibility for 32-bit, as well as support for the FreeBSD operating\r\nhttps://blog.sekoia.io/Noname05716-Ddosia-project-2024-updates-and-behavioural-shifts/\r\nPage 1 of 10\n\nsystem. Of note, they already supported AMD64, ARM, and ARM64 in previous versions. As of 21 February\r\n2024, the shared ZIP archive contains the following files:\r\nFilename Filetype\r\nd_freebsd_arm ELF 32-bit LSB executable, ARM\r\nd_freebsd_x32 ELF 32-bit LSB executable, Intel 80386\r\nd_freebsd_x64 ELF 64-bit LSB executable, x86-64\r\nd_lin_arm ELF 32-bit LSB executable, ARM\r\nd_lin_x32 ELF 32-bit LSB executable, Intel 80386\r\nd_lin_x64 ELF 64-bit LSB executable, x86-64\r\nd_mac_arm64 Mach-O 64-bit arm64 executable\r\nd_mac_x64 Mach-O 64-bit x86_64 executable\r\nd_win_arm64.exe PE32+ executable (console) Aarch64\r\nd_win_x32.exe PE32 executable (console) Intel 80386\r\nd_win_x64.exe PE32+ executable (console) x86-64\r\nTable 1 – Contents of the ZIP archive shared by DDoSia administrators\r\nFurthermore, it is observed that the main ZIP archive contains two folders: one named d_eu and the other d_ru,\r\nwhich are adapted, according to the administrators, for users wishing to execute the file based on their\r\ngeographical location. 
When launching the executable, a warning message is displayed to the user, advising them\r\nto use a VPN if they are located in Russia, as shown in the following extract:\r\nC:\\[…]\\d(27)\\d_eu\u003ed_win_x64.exe\r\nGo-Stresser версия 2.0 | PID 10912\r\n© NoName057(16)\r\n__________________________________________________\r\nlogin success…\r\ntry get target list…\r\nloaded 285 targets…\r\n–If you work from Russia, then switch the VPN to a foreign one. You will have 1 minutes for this.\r\n–Если вы работаете из России, то переключите vpn на зарубежный. У вас на это будет 1 минуты\r\nRegardless of which folder the executable is launched from, this warning message will appear. The main\r\ndistinction is that in the “d_ru” folder, all files are appended with the _ru suffix. On 4 December 2023, following\r\nthe rollout of these new files, the administrators also shared a page on telegra.ph\r\n(hxxps://telegra[.]ph/Instrukciya-dlya-uchastnikov-proekta-DDoSia-Project-12-04), providing\r\ndetailed instructions for users, along with a FAQ section. In item number 2, responding to the query “Does the\r\nprovider see my actions or law enforcement agencies see my IP?”, the answer given is as follows: \"If the\r\ncomputer is located on the territory of the Russian Federation, then even without using a VPN, it is\r\nextremely unlikely that there will be any problems with the law, since the software is designed for\r\nstress testing. At least that's what we think. If the computer is located outside the Russian\r\nFederation, it is strongly recommended to use a VPN to change the IP address. 
You can check the change\r\nin IP address, for example, on myip.com.\r\nIt is recommended to monitor the VPN in action to avoid being disabled or use a VPN with an Internet\r\nkillswitch option.\" The decision not to mandate VPN usage in Russia, especially given their statement “it is\r\nextremely unlikely that there will be any problems”, suggests a possible collaboration between the\r\nNoName057(16) group and the Russian state. This inference is drawn despite the absence of any publicly claimed\r\nconnection and the lack of official attribution at present.\r\nIn terms of development, this latest version introduces a change in the way data transmitted between a user and\r\ntheir C2 server is encrypted. As a reminder, here is the overall operating diagram when a user joins the project and\r\nruns the DDoSia program:\r\nCompared with the previous version, additional data is now sent to uniquely identify the user’s machine running\r\nthe program. During the first step of identification, the following data is transmitted via a POST request to the\r\nURL: [ip]:[port]/client/login, including the following metadata:\r\nPOST /client/login HTTP/1.1\r\nHost: [C2 IP]\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2\r\nContent-Length: 527\r\nAccept: text/html,application/xhtml+xml,application/xml\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.5\r\nContent-Type: application/json\r\nCookie: U=$2a$16$UhwrgtnQQZX7.kfsw5QBh.[…]Qdi; C=2bc08885-84ed-4233-a9d5-XXXXXXXXXXXX-X\r\nA new feature has been added to the latest update, involving the encryption of data within the content of this\r\nHTTP POST request, a functionality not present in the previous version. 
Once decrypted, the content of this\r\nrequest is as follows:\r\n{\r\n  \"key\": \"[…]AVlZLw\",\r\n  \"user\": \"MZDZQwuID[…]nOEHQdi\",\r\n  \"client\": \"2bc08885-84ed-4233-a9d5-XXXXXXXXXXXX-X\",\r\n  \"inf\": {\r\n    \"SystemUserName\": \"User\",\r\n    \"OS\": \"windows\",\r\n    \"KernelVersion\": \"10.0.22621.2428 Build 22621.2428\",\r\n    \"KernelArch\": \"x86_64\",\r\n    \"PlatformFamily\": \"Standalone Workstation\",\r\n    \"CPUCores\": 1,\r\n    \"RegisterTime\": \"2023-11-XXT22:50:20.1536289Z\",\r\n    \"TimeZone\": \"UTC\"\r\n  }\r\n}\r\nThe C value, integrated into both the request data (named as client) and the request cookie, is a GUID which\r\nuniquely identifies the user’s machine. On Windows, this value, which is encrypted during transmission, is\r\nextracted from the registry key \\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid.\r\nThe U value corresponds to the contents of the client_id.txt file, accessible after registration via the DDoSia\r\nproject’s Telegram Bot (t[.]me/DDosiabot).\r\nThe JSON object named inf contains seven elements that enable the project’s administrators to keep precise track\r\nof users. Operating under Windows, the program collects the name of the user of the machine, the kernel version,\r\nthe architecture, the type of machine, the number of processors available, and the registration date of the user in\r\nthe DDoSia project.\r\nThese elements are probably intended for statistical analysis: they structure the mapping of the\r\ntechnical characteristics of the machines running the DDoSia software and uniquely identify the users. 
Overall,\r\nthis reflects the increased sophistication of the transmission mechanisms, in line with our medium-term\r\ndevelopment hypothesis set out in our blog in June 2023.\r\nService instability: impact of recurring C2 changes\r\nAlthough the latest version has improved the software’s data transmission capabilities, DDoSia administrators\r\nhave frequently changed C2 servers in recent weeks. Below is a graph illustrating the evolution of the number\r\nof servers used from 2023 to 23 February 2024.\r\nIn 2024, several dozen changes took place in the space of just a few weeks. These changes illustrate the challenges\r\nfaced by NoName057(16) in maintaining the stability of its C2 servers over an extended period. Every time the\r\nconfiguration of their server changed, the group had to publish an updated version on its Telegram channel. Users\r\nthen had to download and install the new version to continue participating in the attacks and receive their\r\ncompensation.\r\nSince 2023, our research has enabled us to trace C2 servers distinctively, even before they are put into\r\noperational use for users. 
This technique has made it easier to track the progress of deployed C2s, as illustrated in\r\nthe table below.\r\nIPv4\r\nDate of\r\nactivation\r\n(YYYY/MM/DD)\r\nHost\r\ncountry\r\nAutonomus System\r\n(AS)\r\nASN\r\n38.180.95[.]29 2024-02-23 Hong Kong M247 AS9009\r\n38.180.101[.]98 2024-02-22 Serbia M247 AS9009\r\n185.39.204[.]86 2024-02-22 Turkey GIR-AS AS207713\r\n195.133.88[.]73 2024-02-21 Germany GIR-AS AS207713\r\n185.239.48[.]70 2024-02-21 Israel IL AS42474\r\n5.252.23[.]100 2024-02-20 Slovakia\r\nSTARK-INDUSTRIES\r\nAS44477\r\nhttps://blog.sekoia.io/Noname05716-Ddosia-project-2024-updates-and-behavioural-shifts/\r\nPage 5 of 10\n\n193.17.183[.]18 2024-02-19 Spain NEARIP AS49600\r\n193.233.193[.]65 2024-02-12 Hong Kong\r\nADCDATACOM-AS-AP\r\nAS135330\r\n77.75.230[.]221 2024-02-10\r\nCzech\r\nRepublic\r\nSTARK-INDUSTRIES\r\nAS44477\r\n185.234.66[.]239 2024-02-09 Turkey\r\nSTARK-INDUSTRIES\r\nAS44477\r\n83.217.9[.]33 2024-02-08 Turkey GIR-AS AS207713\r\n83.217.9[.]48 2024-02-08 Turkey GIR-AS AS207713\r\n193.187.175[.]252 2024-02-08 France CLOUDBACKBONE AS56971\r\n45.84.0[.]235 2024-02-08 Moldova\r\nSTARK-INDUSTRIES\r\nAS44477\r\n45.136.199[.]235 2024-02-07 Romania M247 AS9009\r\n185.234.66[.]126 2024-02-06 Turkey\r\nSTARK-INDUSTRIES\r\nAS44477\r\n193.233.193[.]90 2024-02-04 Hong Kong\r\nADCDATACOM-AS-AP\r\nAS135330\r\n45.89.55[.]4 2024-02-02 Serbia\r\nSTARK-INDUSTRIES\r\nAS44477\r\n188.116.20[.]254 2024-02-01 Kazakhstan ASNLS AS200590\r\n77.83.246[.]159 2024-01-31 Poland GIR-AS AS207713\r\n185.255.123[.]84 2024-01-29 Nigeria BrainStorm Network AS136258\r\n195.35.19[.]138 2024-01-26 Brazil AS-HOSTINGER AS47583\r\n89.105.201[.]91 2024-01-23 Netherlands NOVOSERVE-AS AS24875\r\n5.44.42[.]29 2024-01-23\r\nUnited\r\nArab\r\nEmirates\r\nGIR-AS AS207713\r\n193.233.193[.]240 2024-01-22 Hong Kong\r\nADCDATACOM-AS-AP\r\nAS135330\r\n94.131.97[.]202 
2024-01-20\r\nCzech\r\nRepublic\r\nSTARK-INDUSTRIES\r\nAS44477\r\nhttps://blog.sekoia.io/Noname05716-Ddosia-project-2024-updates-and-behavioural-shifts/\r\nPage 6 of 10\n\n94.140.115[.]89 2023-10-26 Latvia NANO-AS AS43513\r\n94.140.115[.]92 2023-07-05 Latvia NANO-AS AS43513\r\n77.75.230[.]221 2023-05-15\r\nCzech\r\nRepublic\r\nSTARK-INDUSTRIES\r\nAS44477\r\n161.35.199[.]2 2023-02-10 Germany\r\nDIGITALOCEAN-ASN\r\nAS14061\r\n212.73.134[.]208 2023-01-27 Bulgaria NETERRA-AS AS34224\r\n94.140.114[.]239 2023-01-10 Latvia NANO-AS AS43513\r\nTo begin with, there has been a shift in the geolocation of hosting servers. Whereas in 2023 they were mainly\r\nlocated in Europe, in 2024 there is a diversification on a global scale, encompassing Asia, Africa and South\r\nAmerica. This can be explained by the urgency of restoring the service quickly for their users. Furthermore,\r\nregarding the IPv4 addresses deployed, the group is reusing some previous addresses, such as 77.75.230[.]221,\r\nused in both 2023 and 2024.\r\nThe fact that servers are sometimes disconnected on a daily basis in 2024 suggests that organisations are heavily\r\ninvolved in countering this threat. Of note is the fact that some servers have undergone several changes in a single\r\nday, as on 8 February 2024, when four different versions have been deployed. This trend of frequent changes\r\ncontinues, suggesting that infrastructure changes are very likely in the short term. Given the frequency with which\r\nC2 IPv4 addresses are changed, it is surprising that the DDoSia client does not yet incorporate automated\r\nmechanisms for remotely changing IP addresses.\r\nAlthough the DDoS infrastructure was sometimes temporarily unavailable for several hours, these interruptions\r\ndid not prevent the NoName057(16) group from asserting its involvement in daily attacks with international\r\nrepercussions. 
This observation reinforces the idea that in addition to the project’s users, DDoSia also has its\r\nown servers, which participate in the attacks as active users.\r\nVictimology analysis: most impacted countries and sectors in early 2024 by\r\nNoName057(16)\r\nUsing Sekoia.io’s DDoSia software decryption tool, TDR analysts continue to monitor and analyse targeted\r\ndomains to establish a victimology analysis, as already presented in our previous blog post.\r\nImpacted countries by DDoSia project\r\nDespite a noticeable instability of the C2 servers, the DDoSia project persisted in carrying out and claiming\r\nresponsibility for its attacks via its Telegram channels. From 1 January 2024 to 18 February 2024 (cut-off date),\r\nNoName057(16) pursued its focus on European targets, especially countries most involved in Ukraine war\r\nsupport.\r\nAs in 2023, Ukraine remains the primary target, with intensive targeting justified by the continuing Russia-Ukraine conflict, accounting for almost a quarter of DDoSia attacks.\r\nIn January and February 2024, Finland and Italy were especially impacted by NoName057(16), highly likely because of\r\ntheir NATO policies. Finland was campaigning for the 11 February presidential election during which the Russian\r\naggression of Ukraine was a central topic. As a reminder, since 24 February 2022, Finland has cut all political and\r\ndiplomatic relations with its neighbour and decided to join NATO. 
As for the Italian focus, it may be linked to the\r\nperceived efforts of the Italian prime minister Meloni, who helped persuade the Hungarian president, Viktor\r\nOrban, to go along with a landmark fund for Ukraine.\r\nNotably, on 19 and 21 February 2024, we observed NoName057(16) leveraging DDoSia to impact multiple Japan-related entities. We assess with high confidence that the focus is retaliation for the Japan Ukrainian conference for\r\npost-war reconstruction, where a 15.8 billion yen (€98 million) aid package was announced.\r\nThus, we assess with high confidence that the NoName057(16) group continues to follow geopolitical developments\r\nvery closely, almost daily, to determine targeted countries.\r\nImpacted economic verticals\r\nWe analysed 700+ URLs and domains impacted by DDoS attacks by NoName057(16). The analysis shows that more than half\r\nof the targets are government-related entities, such as public administrations, public services, ministries or\r\nofficial websites. This focus is consistent with our hypothesis that NoName057(16) aims to impact governments for\r\ntheir policies supporting Ukraine.\r\nIt is interesting to observe that around 25% of DDoS impacted entities are related to either the transportation\r\nsector (we also noticed in 2023 days of DDoSia focus on ferry services or train-related entities) or the banking\r\nvertical (mostly private European and Ukrainian banks).\r\nConclusion\r\nThe number of users within the DDoSia project in Telegram is currently approaching 20,000 members. In\r\ncontrast, the number of total users following the NoName057(16) channels has passed 60,000, almost doubling\r\nsince the beginning of 2023. 
This continued growth reflects the sustained expansion of a community engaged for\r\npolitical or economic reasons.\r\nSince December 2023, NoName057(16) has established collaboration agreements with other hacktivist\r\ncollectives, focusing their efforts on targeted objectives. In February, the group announced an “alliance” with the\r\ngroups SoubearArmy, 22C, CyberDragon, Horus Team, UserSec and PHOENIX, notably against Italian\r\ninfrastructures. This emerging form of cooperation possibly shows a desire to strengthen its presence and\r\ninfluence in the public arena.\r\nAlthough DDoSia’s infrastructure undergoes frequent changes and new software is regularly shared, these factors\r\ndo not hinder the group’s ability to perpetuate and claim attacks on a daily basis. In the short term, it is highly\r\nlikely that the group will continue to share new software versions daily, including the C2 server change, and\r\nin the medium term, an updated version, including an evolution of the encryption mechanism, will be introduced\r\nin 2024.\r\nThank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications by\r\nclicking here. You can also contact us at tdr[at]sekoia.io for further discussions.\r\nDDoSia’s IoCs\r\nYou can find the IoCs as a CSV file on our Community Github here.\r\nSource: https://blog.sekoia.io/Noname05716-Ddosia-project-2024-updates-and-behavioural-shifts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sekoia.io/Noname05716-Ddosia-project-2024-updates-and-behavioural-shifts/"
	],
	"report_names": [
		"Noname05716-Ddosia-project-2024-updates-and-behavioural-shifts"
	],
	"threat_actors": [
		{
			"id": "a3917c91-ec7d-485f-8784-bfb1b1a78359",
			"created_at": "2023-11-08T02:00:07.13872Z",
			"updated_at": "2026-04-10T02:00:03.424164Z",
			"deleted_at": null,
			"main_name": "UserSec",
			"aliases": [],
			"source_name": "MISPGALAXY:UserSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87349d9c9eeb74ca2113f59932b309d6e4ed75c4.pdf",
		"text": "https://archive.orkl.eu/87349d9c9eeb74ca2113f59932b309d6e4ed75c4.txt",
		"img": "https://archive.orkl.eu/87349d9c9eeb74ca2113f59932b309d6e4ed75c4.jpg"
	}
}