{
	"id": "fca1303c-ea54-4f12-808a-f04aaa3b5b60",
	"created_at": "2026-04-06T00:21:24.960057Z",
	"updated_at": "2026-04-10T03:34:24.397205Z",
	"deleted_at": null,
	"sha1_hash": "de9bd6d23e60d6a8e6ad55ce5eccd11dc80e56a7",
	"title": "DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1728234,
	"plain_text": "DDosia Project: How NoName057(16) is trying to improve the\r\nefficiency of DDoS attacks\r\nBy Martin a Milánek\r\nAuthor at Avast Threat Labs\r\nArchived: 2026-04-05 15:48:33 UTC\r\nThrough their DDosia project, the pro-Russia hacktivist group NoName057(16) is still conducting DDoS attacks,\r\nmostly with the goal of taking offline the websites of institutions and companies in European countries. On its Telegram\r\nchannels, the group openly communicates the fact that they perform their actions in support of Russia in the war\r\nagainst Ukraine, and it’s apparent that their activities will continue during the war. The group has been\r\noffering payments in cryptocurrencies to people who install their DDosia tool in order to participate in their\r\nattacks. We want to create awareness that people who have NoName057(16)’s DDoS tool installed on their\r\ncomputer not only participate in cybercrime, but also support the group’s warfare activities.\r\nWe detect and block DDosia to make the internet a safer place, and we continue to track DDoS victims and\r\nconfigurations of the DDosia botnet because such information helps to mitigate the impact of DDoS attacks.\r\nSince the first Python version was not efficient enough, the group released a new Go variant of the bot in late\r\n2022. SentinelLabs has described the first variant of the Go implementation, including the C2 servers active at that\r\ntime. A few days later, Team Cymru published an investigation about the botnet architecture, describing the\r\nDDoS attack infrastructure as largely static.\r\nGiven the above findings, it is apparent that the C2 structure is still evolving. The primary purpose of the\r\nfollowing analysis is to explore the C2 architecture and the current communication process between the botnet and C2\r\nservers. Therefore, we have been actively monitoring the DDosia botnet and have found several innovations in the\r\nbot implementation and the botnet infrastructure. 
The C2 infrastructure is composed of one central server and two\r\nproxies forwarding bot requests. This, combined with an update mechanism, makes the botnet rather resilient to\r\ndisruptions. The latest versions also include a bot authentication mechanism for all C2 communication, along\r\nwith IP address blocklisting, presumably to hinder tracking of the project.\r\nImplementation Overview\r\nThe first implementation of DDosia came into the world around July 2022. It was authored by the\r\nNoName057(16) group, and interestingly there was a brief coexistence with the Bobik botnet before that botnet was\r\ndismantled, presumably in favor of DDosia. It was written in Python using threads as a means of parallelism;\r\nnevertheless, it was still lacking in terms of efficacy. Since the first version, DDosia has relied on the HTTP protocol for\r\nC2 communication, with JSON configs distributed by the servers.\r\nThe lack of efficacy presumably motivated changes in DDosia, namely the move from Python to Go that we saw\r\nin late 2022, with SentinelLabs describing the first Go variants. The main advantage of Go in comparison to\r\nPython is direct compilation into native code, along with the absence of Python’s GIL, which may severely affect the\r\nperformance of threaded code in Python. Interestingly, these new versions are also multi-platform, as we’ve seen\r\nvariants for all major operating systems (Windows, macOS, Linux, Android).\r\nhttps://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/\r\nPage 1 of 9\n\n
Evidently, the bot development is\r\nstill in progress, as we see new functionalities, such as HTTP authentication, being added to DDosia along with\r\nslight changes in the configuration file.\r\nConsole output of the Go-Stresser version 1.0 – variant 1\r\nGo Implementation\r\nLet’s take a closer look at the second variant of the DDosia bot from March 6, 2023, which came with the\r\nauthentication mechanism, presumably to combat researchers snooping for lists of targets.\r\nConsole output of the Go-Stresser version 1.0 – variant 2\r\nBuild Package\r\nThe aforementioned variant has support for multiple architectures as well as multiple platforms; unsurprisingly, it is\r\nalso written in Go. The builds are distributed via the Telegram channel “Project DDosia” in the form of a zip file\r\nwith the builds as follows:\r\nWindows x64 and arm64\r\nLinux x64 and arm64\r\nmacOS x64 and arm64\r\nThe names of the executables change sometimes; here is a list of the captured names:\r\ndosia_app_(windows|macos|linux)_(x64|arm64)\r\nd_(win|mac|linux)_(x64|arm64)\r\npd_(win|mac|linux)_(x64|arm64)\r\ndosia_(win|mac|linux)_(x64|arm64)\r\nExecution Workflow\r\nThe working directory of the bot executable must contain a text file client_id.txt with the User-Hash of the\r\nregistered user. The User-Hash is a bcrypt hash with the parameters $2a$16$.\r\nThe first outbound communication goes to nordvpn.com to get detailed information about the bot IP address, which\r\nis then sent to the C2 server. The second outbound communication is a POST to the C2 /login URL with data\r\nrepresenting information about the bot IP, user ID, and bot identification.\r\nLogin to C2\r\nThe Client-Hash is produced by a library that returns the OS-native machine UUID/GUID: the open-source\r\nGo MachineID implementation by Denis Brodbeck. 
The Client-Hash has a suffix representing the current\r\nPID (5481 in this case).\r\nLogin response from C2 during login\r\nIf the authentication is successful, C2 returns HTTP/1.1 200 OK with a token in the form of an epoch/Unix\r\ntimestamp, and the target configuration can then be downloaded via GET /client/get_targets. The first variant\r\nof the DDosia bot does not implement any authentication mechanism, but a valid token is necessary to get the\r\ntarget configuration successfully in the current C2 architecture; otherwise, 401 Unauthorized is returned.\r\nGetting targets from C2\r\nThe returned JSON file is similar to the first variant, with the difference that the original JSON configuration is\r\nwrapped in a data key. Additionally, a new key, token, is included in each response to GET\r\n/client/get_targets. The token is a fresh token for further communication.\r\nThe new form of the returned configuration\r\nThe new configuration supports four attack types: http, http2, nginx_loris, and tcp. The rest of the items are the\r\nsame as those SentinelLabs and we described previously; see C\u0026C Communication and SentinelLabs.\r\nWhen the login and get-targets operations are successful, the bot creates approximately 20 worker threads that\r\nperform the DDoS attack using a synchronized method, since the bot counts the number of successful connections.\r\nTherefore, the bot waits for the attacked server’s response; if the response is 200, the attempt is counted as a\r\nsuccessful attack. 
Overall, the newest bot implementation is eight times faster than the initial\r\nimplementation in Python.\r\nContinuous statistics are sent every ~four minutes back to the C2 server through POST /set_attack_count.\r\nSending the attacks’ statistics back to C2\r\nThese statistics help the attacker track the target configuration’s effectiveness and respond in time with a new\r\nconfiguration. If everything goes as expected, a new target configuration is requested every ~10 minutes.\r\nHowever, sometimes the C2 server is unable to handle requests, and a connection cannot be established. In this\r\ncase, the bot continues with the latest target configuration and tries to contact C2 later. Figure 1 provides an\r\noverview of the communication between the C2 server and a bot.\r\nFigure 1. C2 communication workflow\r\nBot Updater\r\nOne of the unknowns remains the question of bot updates. Our investigations into this area are still in progress,\r\nand we are trying to confirm our hypothesis that there is an automatic bot updater.\r\nWe’ve observed a few takedowns of C2 servers and new build releases in the last months. We expected a delay of\r\nseveral days between the bot updates and further DDoS attacks. However, the time between a C2 takedown and\r\nthe new DDoS attacks was several hours. Therefore, our hypothesis is that there is an automatic updater, since it is\r\nimprobable that approximately 7,200 independent clients could be updated manually within several hours.\r\nThe count of new bot releases was considerable in the last four months, as Figure 2 illustrates. So, there should be\r\nsome automatic updater.\r\nFigure 2. 
DDosia executable hits\r\nC2 Protection\r\nAll C2 servers have used the unencrypted HTTP protocol to communicate. So, it was only a matter of\r\ntime before the DDosia authors tried to implement a mechanism to protect the target configurations.\r\nTemporary DNS Records\r\nThe first attempt to implement the protection mechanism was around January 28, 2023. The main idea was to use\r\ntemporary DNS records, which are rotated every midnight. The DNS record is then reconfigured to a non-existent\r\nrecord. As a result of the 24-hour period, the initial DNS record is not captured by any online monitoring services,\r\nso the history of DNS records includes only the non-existent or invalid records. Consequently, the valid IP address\r\nof the C2 server is not recorded anywhere, and it would not be easy to find it.\r\nThis mechanism has been seen in the cases on January 28-29, 2023. Two builds with hardcoded DNS records were\r\nset to non-existent IPs after midnight. The next day, new builds with new DNS records were released.\r\nFor example, the deac48f968269bb5e75ceb9417f6680d8787a03ba0768e25d8716f189a079574 build has two DNS\r\nrecords (pkcds2cas7.ignorelist.com, pqw2vsi21mx74.twilightparadox.com) that led to 212.73.134.208.\r\nHowever, the DNS records were reconfigured to 127.0.0.2 from midnight on January 27-28, 2023. So, if you\r\nresolve the DNS records today, you cannot resolve the initial IP, since the address is already untraceable.\r\nThe same case was seen from midnight on January 28-29, 2023, on the\r\n5c1be24a5fa75b70c50515a061d2d3ce911b785188328408edc0a79dfc5e3173 build. The other two DNS records\r\n(trafficsearch.ddns.net, trafficanalyzer.bounceme.net) led to 94.140.115.129. 
The DNS records were\r\nalso reconfigured to an invalid IP address, namely 0.0.0.0.\r\nImplementing this mechanism was probably not successful, because the count of reported targets on the group’s\r\nTelegram was lower on January 28, as Figure 3 demonstrates. Moreover, there were reports of taken-down domains\r\nfrom the previous target configuration. Finally, the build that was released on January 30 contained a hard-coded IP\r\naddress of the C2 server (94.140.114.239).\r\nRequest Authentication\r\nThe second attempt to implement the protection mechanism was on March 7, 2023. The communication with the\r\nC2 server is still via HTTP, but a token mechanism was designed and realized. Therefore, nobody can\r\ndownload the target configuration (list of attacked domains) freely without authentication, as was possible before.\r\nFigure 4. Authentication mechanism\r\nThe first communication with the C2 server is the login request, as described above and shown in Figure 4. First, the request\r\nmust include the header User-Hash, which users obtain during the registration process in the DDosia Project\r\nTelegram channel. The other necessary condition is data about the GeoIP of the bot. If the IP address or ISP of the\r\ngiven bot is on the blocklist (e.g. Avast), the authentication process ends with 401 Unauthorized. However, if the\r\nauthentication is successful, the login request returns the token in string form.\r\nThe token is valid for approximately 15 minutes, and the constant 0xF must be added each time the token is used\r\nfor the following requests to the C2 servers. The adjusted token is included in the HTTP header as a Time entry,\r\nand each response then contains a new fresh token value.\r\nC2 Architecture\r\nThe C2 architecture is dynamically changing. 
We noticed four IP addresses related to the DDosia project since the\r\nbeginning of 2023. Three addresses are active web servers running on Ubuntu using nginx/1.18.0. More\r\nimportantly, these web servers return the same target configurations and provide services like logging into the\r\nbotnet as well as reporting statistics to the attackers. The currently discovered C2 architecture of the DDosia\r\nproject is shown in Figure 5.\r\nFigure 5. C2 architecture\r\nUsing HTTP, the central C2 server (M) is contacted by the proxy C2 servers P1 and P2 through port 5001. The\r\nDDosia bots reach the proxy servers, also using HTTP, via port 80, where requests are forwarded to the central\r\nserver. No suspicious outbound traffic from the primary server has been detected yet. However, one suspicious server\r\nor client communicates especially with the primary and P2 servers. We recorded the most network activity of a\r\nsuspicious IP (161.35.199.2) around February 14, 2023. The purpose of this suspicious machine is still\r\nunknown, but it may be a testing or monitoring service.\r\nBesides the bots’ communication over port 80, we detected connections on port 22 to both proxy servers. The\r\ntransmission on port 22 is not implemented in the bot executables we analyzed, but our telemetry indicates a\r\nhigher communication volume. However, most captured IPs contacting port 22 are suspicious due to port scans\r\nor SSH brute-force attacks.\r\nIn addition, the C2 infrastructure relies heavily on proxy servers, which contributes to the resilience of DDosia’s\r\ninfrastructure. Nevertheless, our monitoring revealed outages, indicated by 502 Bad Gateway error responses\r\nfrom the proxy servers. The first significant disruption occurred during the deployment of the authentication\r\nmechanism. 
The outage lasted for several hours – the duration and the timing indicate that development issues\r\nmay have been responsible. The root of the problem seems to be partially fixed, as recent outages were resolved\r\nwithin one hour.\r\nDDosia Tracking\r\nWe continue to monitor the DDosia project’s targets and the count of users that have joined the project. We will\r\npublish detailed information about the targets, configurations, and volunteers in a subsequent post. Figure 6\r\nillustrates a quick overview.\r\nFigure 6. Attacked countries and trend of the joined users\r\nWe’ve also observed that DDosia’s community is steadily growing, though there can be doubts about the capacity\r\nnew members can contribute. Nevertheless, it seems that in this specific case, a volunteer-based model is rather\r\nefficient and easier to manage than a malware-based botnet; however, its availability is probably enabled by the\r\npolitical circumstances.\r\nConclusion\r\nIt is evident that the project is still in development, and NoName057(16) is trying to improve the efficiency of its\r\nDDoS attacks. They are trying to move to the more efficient Go platform because the pilot variant written in Python\r\nwas lacking in performance.\r\nMany of the changes seem to be motivated by protecting the secrecy of the target configuration and C2 architecture.\r\nHence, the latest version of the DDosia bot has implemented an authentication mechanism for C2 communication.\r\nOur most interesting observation was probably the implementation of an update mechanism in the client, since\r\nprevious updates caused only short-term disruptions to the project’s effectiveness. This has also increased the\r\nresilience of the C2 mechanism, as it is no longer necessary to do a manual update after a server takedown. The\r\nupdate mechanism is still under our investigation. 
In a future blog post, we plan to release a more detailed analysis\r\nof the tracker’s historical data.\r\nMartin a Milánek\r\nAuthor at Avast Threat Labs\r\nSource: https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/"
	],
	"report_names": [
		"ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks"
	],
	"threat_actors": [
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434884,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de9bd6d23e60d6a8e6ad55ce5eccd11dc80e56a7.pdf",
		"text": "https://archive.orkl.eu/de9bd6d23e60d6a8e6ad55ce5eccd11dc80e56a7.txt",
		"img": "https://archive.orkl.eu/de9bd6d23e60d6a8e6ad55ce5eccd11dc80e56a7.jpg"
	}
}