{
	"id": "3540c2bc-294f-4ce4-9091-a4dd455e6346",
	"created_at": "2026-04-06T00:18:22.585399Z",
	"updated_at": "2026-04-10T13:12:37.966003Z",
	"deleted_at": null,
	"sha1_hash": "9b8b5476fa94f41cf884dc8c6601d6a7f2934840",
	"title": "Following NoName057(16) DDoSia Project’s Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2426565,
	"plain_text": "Following NoName057(16) DDoSia Project’s Targets\r\nBy Amaury G., Charles M. and Sekoia TDR\r\nPublished: 2023-06-29 · Archived: 2026-04-05 13:10:35 UTC\r\nTable of contents\r\nContext\r\nHow the DDoSia Project works\r\nOverview of channels used\r\nRegister and download sample\r\nExecute the sample\r\nDDoSia Project’s analysis: how to track the targets list\r\nNetwork interactions\r\nReverse engineering on the sample\r\nAnalysis of the decrypted content\r\nAnalysis of targeted websites and countries\r\nConclusion\r\nIndicators Of Compromise (IoCs)\r\nContext\r\nDDoSia is a Distributed Denial of Service (DDoS) attack toolkit, developed and used by the pro-Russia nationalist hacktivist\r\ngroup NoName057(16) against countries critical of the Russian invasion of Ukraine.\r\nThe DDoSia project was launched on Telegram in early 2022. The NoName057(16) group’s main Telegram channel\r\nreached more than 45,000 subscribers as of June 2023, while the DDoSia project channels reached over 10,000 users.\r\nAdministrators posted instructions for potential volunteers who want to participate in projects, and they added the possibility\r\nof paying users who declare a valid TON wallet in cryptocurrency, based on their contribution to the DDoS attacks.\r\nFigure 1. Development timeline of NoName057(16) and DDoSia Project\r\nhttps://blog.sekoia.io/following-noname05716-ddosia-projects-targets/\r\nPage 1 of 17\n\nThe administrators of the group as well as the community are very active. They were notably observed conducting DDoS\r\nattacks against European, Ukrainian, and U.S. websites of government agencies, media, and private companies. Regularly,\r\nthe group posts messages claiming successful attacks.\r\nFigure 2. 
Message published on the NoName057(16) Telegram group, claiming a successful attack against the\r\nFrench National Assembly and the Ukrainian Cabinet of Ministers websites\r\nDDoSia was initially written in Python, using CPU threads to launch several network requests at the same time.\r\nSince the first version, DDoSia has relied on the HTTP protocol for Command \u0026 Control (C2) communication, with JSON\r\nconfigurations distributed by the C2 server, and is available for several operating systems. On 18 April 2023, Avast\r\npublished an article analyzing the network flow between DDoSia users and the C2. On 19 April 2023, DDoSia administrators\r\nreleased a new version of their sample that implements an additional security mechanism to conceal the list of\r\ntargets transmitted from the C2 to the users. This mechanism is described in the next section.\r\nHow the DDoSia Project works\r\nOverview of channels used\r\nDDoSia’s main communication occurs via NoName057(16)’s Telegram channels, with one channel in Russian, counting\r\nmore than 45,000 subscribers, and a second in English. Users can join the DDoSia Project group with the link\r\nhxxps://t[.]me/+fiTz615tQ6BhZWFi, gaining access to 7 different channels. NoName057(16) set up a Telegram bot, separate\r\nfrom the DDoSia Project group, available at hxxps://t[.]me/DDosiabot, which allows interaction via predefined commands.\r\nA summary of these channels is available in Figure 3 below:\r\nFigure 3. List of active channels of NoName057(16) and DDoSia Project\r\nThis figure includes an English translation of the channels, originally in Russian.\r\nRegister and download sample\r\nThe channel DDoSia – manuals + up-to-date malware includes a manual on the actions that need to be carried out. The first\r\nstep is to register via the Telegram bot @DDosiabot. 
Although dedicated channels for English support exist, the bot is only\r\navailable in Russian.\r\nFigure 4. Screenshot of the chat with @DDosiabot\r\nAfter starting the discussion with the /start command, the bot requires a TON wallet to receive cryptocurrency. As specified\r\nin the tutorials presented by the administrators, it is possible to create a TON wallet from a Telegram bot named\r\n@CyptoBot.\r\nOf note, no wallet was provided for this investigation. The bot then transmits two files:\r\nclient_id.txt: a file containing information to uniquely identify a user. This is a hash starting with $2a$16, generated\r\nby the bcrypt password-hashing function;\r\nhelp.txt: a file containing several indications on the steps to follow to use the sample, as well as Telegram links to\r\ninstallation tutorials.\r\nIn addition, one of the bot’s functionalities allows a user to view statistics for their own account as well as for all bot users\r\ncombined. It is also possible to request that the client_id.txt file be regenerated.\r\nThe next step is to retrieve the sample to launch.\r\nFigure 5. Screenshot of the sample\r\nAs shown in Figure 5, this is an archive in ZIP format, named d.zip, containing the client sample. This investigation focuses\r\non the archive released on 19 April 2023. The summary of its contents is available below:\r\nFilename Filetype\r\nd_linux_amd64 ELF 64-bit LSB executable, x86-64\r\nd_linux_arm ELF 32-bit LSB executable, ARM\r\nd_mac_amd64 Mach-O 64-bit x86_64 executable\r\nd_mac_arm64 Mach-O 64-bit arm64 executable\r\nd_windows_amd64.exe PE32+ executable (console) x86-64 for Microsoft Windows\r\nd_windows_arm64.exe PE32+ executable (console) Aarch64 for Microsoft Windows\r\nTable 1. 
Summary of the content of the ZIP file\r\nExecute the sample\r\nOnce the user has all the necessary files to participate in DDoS attacks, the client_id.txt file must be placed in the same\r\nfolder as the selected executable. In this example, Sekoia.io analysts used d_windows_amd64.exe. Once executed, the sample\r\npresents a command-line prompt showing the current number of targets, as well as a summary of\r\nthe network interactions carried out towards a target. The English translation of the command line is as follows:\r\nGo-Stresser версия 1.0 | PID 5420 © NoName057(16)\r\n__________________________________________________\r\nAuthorization passed successfully\r\nReceived targets: 54\r\nSuccessful responses (http code 200): 0\r\nTotal responses received: 565\r\nTotal requests sent: 1432\r\nDDoSia Project’s analysis\r\nAfter downloading the necessary files, Sekoia.io analysts set up a dedicated infrastructure to retrieve the list of targets.\r\nNetwork interactions\r\nAfter setting up the infrastructure, we performed network sniffing to check what requests were sent between the client and\r\nthe C2. The summary of the network flow is available in the diagram below:\r\nFigure 6. Summary of the network flow between DDoSia user and DDoSia C2\r\nWhen the malware is launched, it makes a POST request to the URL hxxp://[IP]/client/login to authenticate with the C2. The\r\nUser-Hash field corresponds to the content of the client_id.txt file, starting with $2a$16$;\r\nThe Client-Hash field is a value generated by the sample, which contains the SHA256 sum of the machine’s UID, as well as\r\nthe PID of the malware. 
This value is stored in a folder named uid, located alongside the executable.\r\nPOST /client/login HTTP/1.1\r\nHost: 94[.]140.114.239\r\nUser-Agent: Go-http-client/1.1\r\nContent-Length: 251\r\nClient-Hash: xxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxx\r\nContent-Type: application/json\r\nUser-Hash: $2a$16$xxxxxxxxxxxxxxxxx\r\nAccept-Encoding: gzip\r\n{“location“: “UER8zRkg[…]lQ6i8s=”}\r\nThe C2 then confirms the authentication request and provides a token to the client, as below:\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Tue, 25 Apr 2023 19:04:09 GMT\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Length: 19\r\nConnection: keep-alive\r\nVary: Origin\r\nAccess-Control-Allow-Origin:\r\nAccess-Control-Allow-Credentials: true\r\nAccess-Control-Expose-Headers: Link\r\n1682xxxxxxxxxxxxxx\r\nThe client then sends a GET request to the C2 at hxxp://[IP]/client/get_targets, this time specifying the Time field,\r\nwhose value is the one previously sent by the C2, automatically modified by the client.\r\nGET /client/get_targets HTTP/1.1\r\nHost: 94[.]140.114.239\r\nUser-Agent: Go-http-client/1.1\r\nClient-Hash: xxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxx\r\nContent-Type: application/json\r\nTime: 1682xxxxxxxxxxxxxx\r\nUser-Hash: $2a$16$xxxxxxxxxxxxxxxxx\r\nAccept-Encoding: gzip\r\nThis time, the C2 returns a dictionary in JSON format containing, on one hand, the previous token in modified form, and on the\r\nother hand a data field holding encrypted text. 
This field contains the list of targets:\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Tue, 25 Apr 2023 19:04:15 GMT\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Length: 69595\r\nConnection: keep-alive\r\nVary: Origin\r\nAccess-Control-Allow-Origin:\r\nAccess-Control-Allow-Credentials: true\r\nAccess-Control-Expose-Headers: Link\r\n{“token“: 1682xxxxxxxxxxxxxx, “data“: “Dm6CFMc9Lk4wrY2[…]XW2ZqF2CgzTboVEQ==”}\r\nIn this example, the value of the data field is shortened, as it is around 70,000 characters long. The next section provides\r\nfurther details on the data encryption mechanism.\r\nReverse engineering on the sample\r\nAt this stage, the retrieved list of targets is encrypted. This reverse engineering analysis focuses on the\r\nd_windows_amd64.exe executable.\r\nThis version of DDoSia is written in Go. Unlike typical Go binaries, this new version does not decompile cleanly,\r\nand decompilation errors are observed. Focusing on the functions performing the HTTP requests and the\r\ndecryption process results in the following graph:\r\nFigure 7. Graph of instructions after decompilation in IDA software\r\nIn this graph, brown parts correspond to instructions that are not assigned to any function, meaning they cannot be\r\ninterpreted. Despite this, several functions seem relevant. The first interesting function initializes a structure\r\nholding the IPv4 address and the different URLs to request:\r\nFigure 8. Initializes a structure which contains IPs and URLs to request\r\nFigure 9 is an extract of the GetTargets function, where a GET request is created and then sent. After unmarshalling the\r\nJSON, the Decrypt_AESGCM function is called. 
Authentication is performed via the MakeClientLogin function, which, if\r\nsuccessful, retrieves the targets.\r\nFigure 9. Initiates the GoStresser tool authentication\r\nFigure 10 contains two functions which were automatically renamed crypto/AES.NewCipher and\r\ncrypto/AES.newGCMWithNonceAndTagSize. Their purpose is to initialize the AES cipher.\r\nFigure 10. Initialize the AES encryption\r\nThis first step allowed Sekoia.io analysts to identify that the data is AES-GCM encrypted. As is, the generation process\r\nof the key and of the IV is difficult to understand from the code. To bypass this step, it was decided to analyze the sample\r\ndynamically.\r\nAs a reminder, the client receives a JSON with two fields: an integer named token, and a base64-encoded field named data.\r\nDynamic analysis allowed for the calculation of all values necessary to decrypt the data:\r\nKey calculation:\r\nThe value of the token is divided by 5 (integer division);\r\nThe result is added to the User-Hash (which begins with $2a$16$);\r\nTake the last 32 characters of the User-Hash and convert them to a hex string.\r\nIV calculation:\r\nTake the ciphertext, decode it from base64;\r\nTake the first 12 characters and convert them to bytes.\r\nTAG calculation:\r\nTake the ciphertext, decode it from base64;\r\nTake the last 16 characters and convert them to bytes.\r\nFinally, the ciphertext corresponds to the value of the data field, from which the first 12 and last 16 characters are removed. Now\r\nit is possible to get the value of the data field in plain text.\r\nAnalysis of the decrypted content\r\nOnce the data is decrypted, it is possible to see that it is a dictionary in JSON format.\r\nThe dictionary is divided into two parts. The first field is called randoms, and the second field is called targets. 
The targets field\r\ncontains an array of target entries, several of whose fields are notable:\r\nTargets field\r\n{\r\n“target_id“:”645026fc0c81901a3b3aa4f5”,\r\n“request_id“:”645026fd0c81901a3b3aa4f6”,\r\n“host“:”id[.]kyivcity.gov.ua”,\r\n“ip“:”104[.]18.20.41”,\r\n“type“:”http”,\r\n“method“:”POST”,\r\n“port“:443,\r\n“use_ssl“:true,\r\n“path“:”/login/email”,\r\n“body“:{\r\n“type“:”str”,\r\n“value“:”login=$_1%40gmail.com\\u0026password=$-1\\”\r\n},\r\n“headers“:null\r\n}\r\nIn addition to the IPv4 address, there are fields to target specific URLs. For some targets, beyond\r\nthe metadata, content is added to the DDoS request via the body field, as shown in the JSON data above.\r\nRandoms field\r\nThis table contains a list of fields that appear to be used to generate random strings in sent requests.\r\n{\r\n“name“:”Все персонажи 6-12”,\r\n“id“:”62d8fccfb44b5774ee96ec0a”,\r\n“digit“:true,\r\n“upper“:true,\r\n“lower“:true,\r\n“min“:6,\r\n“max“:12\r\n}\r\nIn the target example above, in the body[“value”] field, we can find variables such as $_1 or $-1 that appear to be replaced\r\nby these random strings. It is highly likely that this random data generation allows the attackers to bypass the caching mechanisms\r\nof the target by making each network request different from the others.\r\nAnalysis of targeted websites and countries\r\nAfter the values sent by the DDoSia C2 server were successfully decrypted, TDR analysts developed a tool that automatically\r\ngathers targeted domains, enabling victimology analysis. The following section analyzes the data over the period from\r\n8 May to 26 June 2023.\r\nThe following graph shows the most targeted countries, based on the TLD of the targeted URLs. Commercial domains and domains\r\nunrelated to a country-level TLD are excluded (.com, .info, .net, .org, .space).\r\nFigure 11. 
Percentage of top-level domains by targeted country\r\nBased on this graph, we clearly identify that the pro-Kremlin hacktivist group NoName057(16) primarily focuses on\r\nUkraine and NATO countries, including the Eastern Flank (Lithuania, Poland, Czech Republic and Latvia). It is highly likely\r\nthat this stems from the fact that those countries are the most vocal in public declarations against Russia and in favour of Ukraine, as\r\nwell as providing military support and capabilities.\r\nA second group, mostly Western countries, is the secondary DDoSia target, including France, the United Kingdom, Italy,\r\nCanada and other EU countries, almost certainly because they have supported Ukraine politically, militarily and economically\r\nsince the beginning of the conflict.\r\nSekoia.io’s in-house tool detected a total of 486 different websites impacted. The following graph shows the top 50:\r\nFigure 12. 
Top 50 targeted websites\r\nFrom 8 May to 26 June 2023, a few conclusions can be drawn:\r\nThe top 2 targets are Ukrainian websites, targeted twice as often as the others. The first victim, zno.testportal.com[.]ua,\r\nis related to testportal.gov[.]ua, a state institution (Ukrainian Center for Educational Quality Assessment) which\r\ndelivers external independent evaluation of students.\r\nThe second domain, e-journal.iea.gov[.]ua, is an online education platform created by the Ukrainian government to\r\ncope with COVID restrictions.\r\nBased on this statistical observation, Sekoia.io analysts assess it is plausible that NoName057(16) targeted education-related\r\nresources during the exam period (May and June) to maximize the media coverage of their DDoS operation.\r\nAmong the other impacted domains, we identify multiple economic sectors, including the education, financial and transport\r\nsectors, as well as governmental entities. Indeed, two of the targets within the top 10 are related to the financial sector: the\r\nAXA bank (top 5) and the BPCE group (top 7). Public entities such as the French Senate or the Italian government can also\r\nbe found among the most targeted websites. Similarly, a few domains belonging to the French transport group RATP were\r\nalso actively targeted.\r\nPMC Wagner websites targeted\r\nSekoia.io analysts observed that the only targets throughout the day of 24 June 2023 were wagnercentr[.]ru and\r\nwagner2022[.]ru, congruent with the attempted offensive by the Wagner group in Russia. This is the first observed attack\r\nagainst a single victim, as the NoName057(16) group usually targets an average of 15 different victims per day. 
Another\r\nconsiderable difference is that, unlike for other victims, the attackers did not communicate about the\r\nattack on their Telegram channel.\r\nAs a nationalist hacktivist group, NoName057(16) is very reactive to political communication. For example, on 21 June\r\n2023, shortly after French president Macron announced the upcoming delivery of an air defense system to Kiev, our tool\r\ndetected multiple targets related to the French transport group RATP, targeting the following websites: www.ratp[.]fr,\r\nwww.ratp-m2e[.]fr, mutuelleratp[.]fr, www.cgt-ratp[.]fr, www.transfert-ratp[.]fr. This reaction likely reflects NoName057(16)’s stance\r\nof quickly and systematically conducting their campaigns in retaliation for what they perceive as a provocation or an offense\r\nto Russia.\r\nFigure 13. Screenshot of a Telegram message from the NoName057(16) channel, published on 21 June 2023\r\nThe English translation of the body of this message is as follows:\r\n🔻Macron smiled blissfully and announced that the SAMP/T anti-aircraft missile system was delivered to Ukrainian neo-Nazis and is ready for use.\r\nThis weapon, which France supplies jointly with Italy (“Macron-Macaron” is something like that😉) as a result, of course,\r\nwill be either taken away or destroyed by the Russian troops, so the French president is happy about it…😈\r\nConclusion\r\nThe NoName057(16) group continues to update the DDoSia Project. 
Sekoia.io analysts’ observations concur with Avast’s\r\nanalysis and provide an update on the newly implemented encryption mechanism.\r\nNoName057(16) is making efforts to make their malware compatible with multiple operating systems, almost certainly\r\nreflecting their intent to make their malware available to a large number of users, resulting in the targeting of a broader set of\r\nvictims.\r\nSekoia.io analysts assess that strengthening the security of their software is part of NoName057(16)’s efforts to continuously\r\ndevelop their capabilities, almost certainly driven by their active community as well as the increasing scrutiny of their\r\nactivities from the CTI community. It is highly likely we will observe further developments in the short term.\r\nIndicators Of Compromise (IoCs)\r\nIoC Name Info SHA256 sum\r\nd_linux_amd64 DDoSia malware 761075da6b30bb2bcbb5727420e86895b79f7f6f5cebdf90ec6ca85feb78e926\r\nd_linux_arm DDoSia malware fae9b6df2987b25d52a95d3e2572ea578f3599be88920c64fd2de09d1703890a\r\nd_mac_amd64 DDoSia malware 8e1769763253594e32f2ade0f1c7bd139205275054c9f5e57fefd8142c75441f\r\nd_mac_arm64 DDoSia malware 9a1f1c491274cf5e1ecce2f77c1273aafc43440c9a27ec17d63fa21a89e91715\r\nd_windows_amd64.exe DDoSia malware 726c2c2b35cb1adbe59039193030f23e552a28226ecf0b175ec5eba9dbcd336e\r\nd_windows_arm64.exe DDoSia malware 7e12ec75f0f2324464d473128ae04d447d497c2da46c1ae699d8163080817d38\r\n94[.]140.114.239 DDoSia C2 N/A\r\nThank you for reading this blogpost. We welcome any reaction, feedback or criticism about this analysis. 
Please contact us\r\nat tdr[at]sekoia.io\r\nFeel free to read other TDR analyses here.\r\nSource: https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/"
	],
	"report_names": [
		"following-noname05716-ddosia-projects-targets"
	],
	"threat_actors": [
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434702,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b8b5476fa94f41cf884dc8c6601d6a7f2934840.pdf",
		"text": "https://archive.orkl.eu/9b8b5476fa94f41cf884dc8c6601d6a7f2934840.txt",
		"img": "https://archive.orkl.eu/9b8b5476fa94f41cf884dc8c6601d6a7f2934840.jpg"
	}
}