{
	"id": "0d5f855f-1626-4c43-80c8-ea915e38df2a",
	"created_at": "2026-04-10T03:19:59.967355Z",
	"updated_at": "2026-04-10T13:11:34.288252Z",
	"deleted_at": null,
	"sha1_hash": "a5e530e42f16500c2ec71580d45f993d55262d4c",
	"title": "Data Insights from Russian Cyber Militants: NoName057",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1217875,
	"plain_text": "Data Insights from Russian Cyber Militants: NoName057\r\nBy L M\r\nPublished: 2024-11-20 · Archived: 2026-04-10 02:47:58 UTC\r\nIntroduction\r\nStarting from February 2022, the Ukraine-Russia conflict changed the shape of the cyber threat landscape. Many\r\nnew actors emerged and the phenomenon of the cyber militia rose in popularity on both sides. Since\r\nMarch 2022, NoName057(16) has been one of the most active collectives targeting Western companies and\r\ninstitutions with DDoS attacks fostered by Russia-supporting cyber militants: volunteers who donate their\r\nbandwidth, or bandwidth stolen from hacked third parties, to the Russian cause, hitting many high-level\r\norganizations, especially in Italy, where they repeatedly targeted major private banks, institutions, military\r\ninfrastructures and public administrations. Recent threat actor activities reported by SentinelOne researchers on\r\nJan 23 have also targeted politically sensitive objectives such as the Czech presidential election candidates (link).\r\nTechnical analysis\r\nhttps://medium.com/@lcam/data-insights-from-russian-cyber-militants-noname057-c9b7431f8352\r\nPage 1 of 8\n\nNoName057(16) is classified as a cyber collective motivated by pro-Russian hacktivism. 
It actually represents a sort\r\nof modern cyber militia operating mainly to support state propaganda and, potentially, even other state-sponsored\r\noperations.\r\nAlso known as NoName05716, Nnm05716, or 05716nnm, the threat actor’s high-level modus\r\noperandi resembles what the Killnet group has been doing since the start of the Russian special operation: abusing\r\ncomputational resources to direct bot-based denial of service attacks against Western representative organizations,\r\nand also communicating and spreading their achievements through social media and press.\r\nThe media component of this modus operandi is even more important for NoName057(16) than for Killnet\r\ndue to a significant difference in the groups’ methodological approaches: NoName057(16) relies heavily on\r\nvolunteers’ contributions to fuel and empower its offensive operations. Killnet also relies on volunteer cyber\r\npartisans, but its structure also includes dedicated sub-groups leveraging IoT botnet infrastructures such as Mirai.\r\nNoName057(16) has also leveraged botnets: on Sept 22 Avast linked Bobik RAT infections to the NoName collective\r\ndue to the deployment of a second-stage module designed to conduct DDoS attacks (link), but the collective’s\r\noperations are much more focused on volunteers and it leverages a particular distributed denial of service\r\nplatform named DDosia.\r\nDDosia is a complex program designed to enable volunteers to conduct DDoS attacks against the targets\r\nNoName057(16) chooses: it is not just a bot. Obviously, DDosia also includes a software package, in this case a\r\nGo-based stresser compiled for multiple operating systems and architectures such as Linux x64, Linux\r\nARM, Mac x64, Mac ARM64, Windows x64, and Windows ARM64, but it actually brings more to the table:\r\nDDosia also includes support channels, a community, detailed instructions, and product communication. 
A whole\r\necosystem of services to enable the involvement even of non-technical personnel.\r\nFigure. Example of support channel from DDosia community\r\nThis approach is not new at all in the revived threat landscape we have faced since the start of the Russian-Ukrainian kinetic operations. Similar approaches have been taken since day one by the Ukrainian government,\r\nwhich launched a state-sponsored cyber militia named “The IT ARMY of Ukraine”. In fact, this collective was,\r\nand still is, leveraging a similar application: the Liberator app, a fully automated DDoS bot project aimed at\r\nemploying volunteers’ computational resources to target Russian organizations with distributed denial of service\r\nattacks.\r\nHowever, DDosia represents a step ahead in this approach due to the inclusion of payment systems to reward the\r\ncyber partisans with cryptocurrency, mixing and reinforcing the ideological motivation with economic gain\r\nto expand their user base, and their consequent impact.\r\nFigure. DDosia improvement in reward/payment system (March 23)\r\nThe DDosia program was well described by Radware back in October 22 (link), along with an estimation of the pps\r\ngenerated by the single bots, but here we decided to focus on peculiarities we directly noticed through the analysis\r\nof the bot and the monitoring of their operations.\r\nPeople Go Stresser 2.0\r\nThe current version of the DDosia bot is named “People Go Stresser 2.0” and it is compiled with Go 1.19.2 on\r\na Windows machine using the local user “ron”. Like the previous Python version, this bot version supports\r\nboth L7 and L4 attack techniques.\r\nFigure. 
DDosia bot “SayHello” snippet (Linux64)\r\nThe main modules of the bot are divided into service and management functions (e.g. “UserInfo”, “GetRealIp”,\r\n“StartJobs”), command and control functions (e.g. “Login”, “SetStatToBot”, “GetTargets”, “ReloadTargets”),\r\nhelper functions (e.g. “GetHashFromFile”, “SayHallo”, “GetRealIp”, “GetMyLocation”), and request generation\r\n(e.g. “HttpJob”, “FastRequest”, “GenNumber”).\r\nIn general, DDosia bots currently support four types of DDoS techniques.\r\n+-------------+------+-------------------------------------------------------------------------------\r\n| Mode        | Type | Description\r\n+-------------+------+-------------------------------------------------------------------------------\r\n| http        | L7   | Classical HTTP GET/POST request generation, but with advanced customization an\r\n|             |      | Bots receive precise HTTP request patterns to customize with host-based random\r\n+-------------+------+-------------------------------------------------------------------------------\r\n| nginx_loris | L7   | Nginx Loris targets web servers running Nginx software using slow-rate attacks\r\n|             |      | This attack exploits how Nginx handles incomplete HTTP requests, tying up reso\r\n+-------------+------+-------------------------------------------------------------------------------\r\n| tcp         | L4   | Classic TCP-SYN flooding. Bots forge TCP segments with the SYN flag set and sp\r\n+-------------+------+-------------------------------------------------------------------------------\r\n| http2       | L7   | Similar to the HTTP module but utilizes the modern HTTP/2 protocol for enhance\r\n+-------------+------+-------------------------------------------------------------------------------\r\nData Insights\r\nData collected from recent attack operations shows that the NoName057(16) collective relies strongly on L7 attacks\r\nmost of the time: around 46.9% of the attacks have been conducted using the above-mentioned “http” mode.\r\nDespite that, almost the other half of their attack operations involves L4 DDoS techniques; in fact, the classical\r\nTCP-SYN technique has been abused 39.7% of the time. Less frequently, but consistently, NoName057(16) also\r\nleveraged the slowloris mode of attack “nginx_loris”, in about 13.0% of the attempts. The usage of the HTTP/2\r\nprotocol is still marginal at the moment: the data we collected shows a negligible usage of the “http2” module in\r\nabout 0.04% of the attacks.\r\nAnalyzing the distribution of target services, we noticed that encrypted web services are among the favorite targets,\r\nwith over 69.4% of the attacks directed to the tls/443 network port, followed by unencrypted ones with 14.6% for\r\nboth http/80 and http/8080.\r\nSurprisingly, HTTP-based services are not the only target of the NoName057(16) attack operations: they also target\r\nSSH administration services on port tcp/22 (1.6%), file transfer services on port ftp/21 (1.6%), and encrypted\r\nemail services on ports imaps/993 and pop3s/995 (2.5%). Such kinds of services are typically less protected from\r\nmalicious bot traffic and attacks than their web counterparts.\r\nFigure. 
Distribution of attack modules (left) and targeted services (right)\r\nConclusion\r\nCyber partisan — or cyber militia — operations have become a huge threat to our organizations and institutions.\r\nGroups like NoName057(16) are thriving in the cybercriminal underground and getting more sophisticated and\r\ninclusive.\r\nAs we noticed while tracking NoName057(16), they evolved their presence in the underground, collecting support from\r\nthousands of hacktivists actively supporting the Russian regime, and mixing ideology with economic\r\nincentives and reward programs.\r\nAlso, such threats are not only dangerous for public administration and government entities: as we observed in the\r\npast month, NoName057(16) heavily targeted even private companies and banking groups in Italy, blurring the\r\nlines between hacktivism and financially motivated intents.\r\nPrompt intelligence on these criminal operations could help the CISOs of the targeted companies in the difficult\r\ntask of mitigating the hacktivists’ attack waves in the first hours, avoiding service disruption and damages.\r\nIndicators of Compromise\r\nHashes:\r\nd8631b2830af376932be65a5a7785df3bda93798 d_linux_arm\r\n21f9cfdf4f6e85cf8834e1a4718395fe586d3b49 d_linux_x64\r\n9b387e0ca5489f81b095f6719337d1fe13ebf60f d_mac_arm64\r\ndfae1df231ba8e8abfba4886df35a64c1d61d53d d_mac_x64\r\n8e544c6b237da88467028d315012bd4c71e03c71 d_win_arm64.exe\r\n9ab710153ddfa8fe87a9b13b653f37869247347d d_win_x64.exe\r\nYara Rules\r\nrule go_stresser_20_x64 {\r\n    meta:\r\n        author = \"@luc4m\"\r\n        date = \"2023-04-13\"\r\n        hash_md5 = \"c344f584881e90d426235553fedacff3\"\r\n        tlp = \"CLEAR\"\r\n        yarahub_license = \"CC0 1.0\"\r\n        yarahub_reference_md5 = \"c344f584881e90d426235553fedacff3\"\r\n        yarahub_rule_matching_tlp = \"CLEAR\"\r\n        yarahub_rule_sharing_tlp = \"CLEAR\"\r\n        yarahub_uuid = \"873ebbf5-9f83-4cf5-9670-b159211dd3c2\"\r\n    
strings:\r\n        $x64_0 = {f7 d8 49 c1 f8 3f 4d 21 e8 49 01 c0 4c 39 de 74 04}\r\n        $x64_1 = {18 b9 ?? ?? ?? ?? e8 e2 0b 00 00 48 8b 6c 24 ?? 48 83 c4 20 c3}\r\n        $x64_2 = {18 b9 ?? ?? ?? ?? e8 e2 0b 00 00 48 8b 6c 24 ?? 48 83 c4 20 c3}\r\n        $x64_3 = {f7 da 49 c1 fa 3f 4d 21 e2 49 01 c2 ?? ?? 48 39 f7 74 04}\r\n        $x64_4 = {6c 24 40 48 89 44 24 ?? 48 89 7c 24 ?? 31 d2 45 31 c0 eb 17}\r\n        $x64_5 = {8d 5e ?? 45 69 e1 93 01 00 01 44 0f b6 2c 30 47 8d 0c 2c 4c 89 de 49 39 f0 7e 0b}\r\n        $x64_6 = {48 89 4c 24 ?? 48 89 7c 24 ?? 44 89 54 24 ?? 89 54 24 ?? 41 39 d1 75 44}\r\n        $x64_7 = {08 48 ?? 5c 24 10 e8 c9 08 06 00 48 8b 44 24 ?? 48 8b 5c 24 ?? eb bd}\r\n        $x64_8 = {48 f7 c7 01 00 00 00 45 0f 45 d1 48 d1 ff 45 0f af c0 45 89 d1 48 85 ff 7f df}\r\n        $x64_9 = {0f b6 14 31 43 8d 14 11 4c 89 c6 ?? 48 39 f7 7f e3}\r\n        $s_0 = \"HttpJob\" wide ascii\r\n        $s_1 = \"SayHallo\" wide ascii\r\n        $s_2 = \"StartJob\" wide ascii\r\n        $s_3 = \"FastRequest\" wide ascii\r\n        $s_4 = \"SetStatToBot\" wide ascii\r\n        $s_5 = \"GetTargets\" wide ascii\r\n    condition:\r\n        filesize \u003c 10MB and (5 of ($x64_*)) and (3 of ($s_*))\r\n}\r\nrule go_stresser_20_generic {\r\n    meta:\r\n        author = \"@luc4m\"\r\n        date = \"2023-04-13\"\r\n        hash_md5 = \"ac0d5e1ec2664ad36db8877078bcf6c3\"\r\n        tlp = \"CLEAR\"\r\n        yarahub_license = \"CC0 1.0\"\r\n        yarahub_reference_md5 = \"ac0d5e1ec2664ad36db8877078bcf6c3\"\r\n        yarahub_rule_matching_tlp = \"CLEAR\"\r\n        yarahub_rule_sharing_tlp = \"CLEAR\"\r\n        yarahub_uuid = \"873ebbf5-9f83-4cf5-9670-b159211dd3c2\"\r\n    strings:\r\n        $s_0 = \"HttpJob\" wide ascii\r\n        $s_1 = \"SayHallo\" wide ascii\r\n        $s_2 = \"StartJob\" wide ascii\r\n        $s_3 = \"FastRequest\" wide ascii\r\n        $s_4 = \"SetStatToBot\" wide ascii\r\n        $s_5 = \"GetTargets\" wide ascii\r\n    condition:\r\n        filesize \u003c 10MB and (5 of ($s_*))\r\n}\r\nSource: https://medium.com/@lcam/data-insights-from-russian-cyber-militants-noname057-c9b7431f8352",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@lcam/data-insights-from-russian-cyber-militants-noname057-c9b7431f8352"
	],
	"report_names": [
		"data-insights-from-russian-cyber-militants-noname057-c9b7431f8352"
	],
	"threat_actors": [],
	"ts_created_at": 1775791199,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5e530e42f16500c2ec71580d45f993d55262d4c.pdf",
		"text": "https://archive.orkl.eu/a5e530e42f16500c2ec71580d45f993d55262d4c.txt",
		"img": "https://archive.orkl.eu/a5e530e42f16500c2ec71580d45f993d55262d4c.jpg"
	}
}