{
	"id": "14949e92-9c7a-4ca8-b970-256cfb0a1484",
	"created_at": "2026-04-06T00:19:08.30525Z",
	"updated_at": "2026-04-10T03:34:24.407802Z",
	"deleted_at": null,
	"sha1_hash": "f6c59a2f44d34452fd83d6dc2f0e623e96933449",
	"title": "A Blog with NoName",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 808932,
	"plain_text": "A Blog with NoName\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 13:48:48 UTC\r\nUPDATE: Since publishing this blog piece, we have worked in cooperation with Stark Industries\r\nSolutions to assist in the reduction of malicious utilization of their network. Whilst the findings in\r\nthis blog stand true at the time of initial publication, we have noted a marked decrease in the\r\nabuse of Stark Industries-assigned IP space in our follow-up investigations into NoName057(16).\r\nFurther Insight into the Hacktivist Operation Targeting NATO and Affiliated\r\nNations\r\nKey Findings\r\nNoName057(16) is a pro-Russian hacktivist operator / group, which has claimed responsibility for repeated\r\nDistributed Denial of Service (DDoS) attacks against entities in perceived anti-Russian countries since\r\nMarch 2022.\r\nNoName057(16) back-end infrastructure is hosted in Russia and likely operated by individual(s) with\r\nexperience in systems design / maintenance.\r\nDDoS attack targeting instructions include timestamps that align with Moscow Standard Time.\r\nRecent targets have included entities with infrastructure hosted in Czechia, Denmark, Estonia, Germany,\r\nSlovakia, and Slovenia.\r\nThe majority of DDoS attack infrastructure used in NoName057(16) campaigns is assigned to two\r\ninterlinked hosting providers; MIRhosting and Stark Industries.\r\nA limited number of netblocks are used in the DDoS attacks, providing a potential mitigation / defense\r\nopportunity\r\nIntroduction\r\nNoName057(16) attacks have targeted government / military departments in Ukraine and NATO countries, as well\r\nas organizations from core sectors such as finance, freight, and media.\r\nRecent reporting (Avast, SentinelLabs) has revealed that NoName057(16) relies upon a “volunteer” system (rather\r\nthan a botnet of infected hosts), in which the “volunteers” are rewarded financially for contributing attack\r\ninfrastructure. 
This system is managed via two Telegram channels (@noname05716 and @nn05716chat).\r\nIn this blog post we will examine two elements of NoName057(16)’s infrastructure; the management\r\ninfrastructure sitting behind the known C2 servers, and the attack infrastructure which is purportedly donated by\r\ntheir “volunteers”. In doing so we will seek to understand how the operation functions, and provide information\r\nfor cyber defenders to protect their interests from future attacks.\r\nhttps://www.team-cymru.com/post/a-blog-with-noname\r\nPage 1 of 11\n\nInfrastructure\r\nThe starting point for this analysis is the current C2 server used to coordinate NoName057(16)’s campaigns; as\r\npreviously reported by SentinelLabs - 31.13.195.87 (NETERRA, BG). According to our records this server\r\nbecame operational on 19 December 2022.\r\nTwo Dynamic DNS (DDNS) domains, registered with No-IP, currently resolve to 31.13.195.87:\r\ntom56gaz6poh13f28[.]myftp.org\r\nzig35m48zur14nel40[.]myftp.org\r\nThe DDoS tool (DDOSIA) receives targeting information from the /client/get_targets URL path on either of these\r\ndomains (over HTTP on TCP/80).\r\nExamining network telemetry for 31.13.195.87, we observe a high volume of outbound connections to TCP/5001\r\nof 87.121.52.9 (NETERRA, BG).\r\nThe use of TCP/5001 is notable as this port was used for communications with the previous C2 server\r\n(77.91.122.69), which was active until 16 December 2022.\r\nWhen '87.121.52.9:5001/client/get_targets' was accessed, we noted that the same targeting information was\r\nreturned, as observed on the C2 domains. It is therefore plausible that the published C2 servers are mirrors of\r\n87.121.52.9.\r\nFigure 1: Targeting Information\r\nPivoting to examine network telemetry for 87.121.52.9, we observe a number of interesting communications.\r\nTelegram\r\nRegular connections are made to api.telegram[.]org, potentially indicative of Telegram bot interactions. 
It is\r\npossible that these connections relate to updates made to the Telegram channels associated with NoName057(16)’s\r\nDDoS campaigns.\r\nCLOUDASSETS, RU\r\nA high volume of traffic is observed to two IP addresses assigned to CLOUDASSETS, RU (AS212441).\r\n109.107.184.11\r\nConnections are made to TCP/27017 of 109.107.184.11; this port is commonly associated with MongoDB. It is\r\nlikely that data transferred from the attack infrastructure is stored in a database hosted on this IP address.\r\n185.173.37.220\r\nConnections are made to TCP/5672 and TCP/6379 of 185.173.37.220; these ports are commonly associated with\r\nRabbitMQ and Redis respectively. This host is therefore likely used to store events / commands from the\r\noperator(s) of this infrastructure.\r\nIt is plausible that further operator hosts sit beyond this IP address, to either update or read messages from the\r\nRabbitMQ bus; however, due to the geolocation of 185.173.37.220 further upstream insights are not available.\r\nIn addition to the outbound connections, inbound traffic to local ports TCP/5051 and TCP/9100 was observed,\r\nsourced from 91.142.79.201 (also CLOUDASSETS, RU). Pivoting on 91.142.79.201, additional traffic was also\r\nobserved sourced from this IP to TCP/9100 of 31.13.195.87 (the original C2 server).\r\nTCP/9100 is commonly associated with Prometheus Node Exporter, a platform used for collecting metrics / alerts\r\nfrom remote servers. 
Indeed, open ports information for 31.13.195.87:9100 shows an instance of Node Exporter\r\nrunning as of the time of writing.\r\nFigure 2: Open Ports Data for 31.13.195.87 - Censys\r\n91.142.79.201 is therefore likely used for monitoring the operator’s infrastructure and collecting metrics on usage;\r\npossibly providing updates on campaign effectiveness and the number of active ‘bots’.\r\nIn a few instances, we also observed 91.142.79.201 making connections to TCP/9100 of IP addresses used in the\r\nattack infrastructure of NoName057(16)’s operation.\r\nWhen reviewing the infrastructure in its totality, it is clear that the operator(s) behind NoName057(16) is familiar\r\nwith systems design / maintenance; potentially pointing towards a threat actor(s) with legitimate work experience\r\nin this area.\r\nFigure 3: An Overview of NoName057(16) Infrastructure\r\nTargeting\r\nPrevious reporting on NoName057(16) has highlighted DDoS attacks against an array of targets across business\r\nsectors and nations, including government / military departments.\r\nAt the time of writing this report, we took a look at the ‘current’ targets of the operation; one which stood out was\r\nthe Estonian Ministry of Finance, with a particular subdomain being targeted.\r\nFigure 4: Targeting Details for the Estonian Ministry of Finance\r\nFrom this entry on the C2 target list, we can see that a domain hosted on xx.xx.xx.246 is the target of the attack,\r\nwhich was set to commence at 10:00 on 25 January 2023.\r\nWe initially assumed this meant 10:00 UTC; however, when looking into our threat telemetry for xx.xx.xx.246 the\r\nattack appears to have commenced at 07:00 UTC, so the start time in the C2 target list in fact refers to UTC+3,\r\nwhich happens to coincide with Moscow Standard Time.\r\nAs of 17:00 UTC on 25 January 2023 the target subdomain was 
displaying a ‘down for maintenance’ message,\r\nlikely indicating that the attack had achieved a degree of success.\r\nFigure 5: Maintenance Message\r\nReturning to the aforementioned threat telemetry data for this target, the DDoS attack is evident in the data, which\r\nwe have mapped below looking at the last seven days of traffic to/from xx.xx.xx.246 (19 - 25 January 2023).\r\nFigure 6: DDoS Attack Data - Target One\r\nAs of 17:00 UTC on 25 January, we can see that the attack began at 07:00 UTC (as mentioned previously), with a\r\npeak in activity between 08:00 UTC - 09:00 UTC, and a large volume of traffic has been received since that time;\r\nsignificantly outside the usual expected norms for this IP address.\r\nLooking at a previous Estonian target from the same seven-day time period, we see that the attack lasted for 24\r\nhours, commencing and ending at 07:00 UTC. As previously, activity peaked in the first few hours of the attack;\r\nthis period is likely when the DDoS is most effective, before mitigating actions can be undertaken.\r\nFigure 7: DDoS Attack Data - Target Two\r\nOverall, since the beginning of 2023, we have been able to confirm attacks against entities with infrastructure\r\nhosted in Czechia, Denmark, Estonia, Germany, Slovakia, and Slovenia.\r\nAttack Infrastructure\r\nWhen examining the data for the DDoS attacks against the two Estonian targets, we found that 99.8% of the traffic\r\ninbound to the second (earlier) target was sourced from IP addresses which had later been used in the attack on the\r\nfirst target.\r\nWhilst IPs assigned to 21 distinct ASNs were observed in this ‘common’ dataset, 98.6% of the traffic originated\r\nfrom IPs assigned to STARK-INDUSTRIES, GB. 
Looking further into the data, IPs residing in two /24 netblocks\r\nwere responsible for over 65% of this traffic:\r\n5.182.39.0/24 (38 IPs)\r\n94.131.106.0/24 (21 IPs)\r\nPivoting back to the C2 server (31.13.195.87), by examining all inbound connections to TCP/80 since 19\r\nDecember 2022, when it became operational, we are able to extract a more complete picture of the attack\r\ninfrastructure.\r\nThis process is caveated by the fact that other ‘non attack infrastructure’ connections are likely to have been made\r\nto 31.13.195.87:80, particularly since the publication of this IP as a C2 server for NoName057(16) activities.\r\nHowever, the idea here is to identify likely attack infrastructure based on the regularity and volume of traffic, and\r\nany emerging patterns, for example sequential IPs within the same netblock as seen in the two attacks above.\r\nIn total we observed IPs assigned to 83 distinct ASNs communicating with 31.13.195.87:80. 
However, once again\r\ninfrastructure associated with the previously referenced hosting provider(s) dominated, with 84% of all\r\ncommunications originating from IPs assigned to either MIRhosting or Stark Industries.\r\nFigure 8: Top-10 Observed ASNs\r\nLooking a little further into this data, IPs residing in a limited number of netblocks generated the majority of the\r\ntraffic; the top 10 netblocks accounting for 68% of the total.\r\nFigure 9: Top-10 Observed Netblocks\r\n5.182.39.0/24, as observed in the data for the Estonian attacks, is the clear number one; the other netblock from\r\nthat data (94.131.106.0/24) was just outside the top-ten at number thirteen.\r\nWhat was notable was the fact that many of the IPs had been in communication with 31.13.195.87 since 19\r\nDecember 2022, continuing up to the time of writing; indicating a broadly static attack infrastructure.\r\nConclusion\r\nIn this post we have examined the infrastructure used to manage the DDoS attacks attributed to NoName057(16);\r\ndemonstrating a well-thought-out structure which includes capacity for monitoring, tasking, and remote storage of\r\ndata.\r\nAs a pro-Russian hacktivist operation, it is no surprise that there are several pointers to a Russian nexus; the use of\r\nRussian hosting providers for the management infrastructure, and the use of Moscow Standard Time for targeting\r\ninstructions.\r\nFrom our observations, whilst heavily focused on a small number of specific targets, NoName057(16) has had\r\nsome successes in temporarily disrupting web services, with evidence of their targets being offline or ‘under\r\nmaintenance’. 
The broader impacts of these attacks will likely remain limited providing there is no major\r\nescalation of activities or growth in available attack infrastructure.\r\nThat brings us to the most significant finding in this blog; the static and limited nature of the attack infrastructure\r\nwhich has been utilized by NoName057(16) to date. For an operation which is labeled as “volunteer” driven, the\r\nfact that so much of the infrastructure is sourced from one provider raises questions.\r\nIs a sizeable chunk donated by one generous “volunteer”?\r\nHow many “volunteers” actively contribute to the operation?\r\nAre NoName057(16) propping up their operation with infrastructure they have procured themselves?\r\nWe have observed a diverse range of IPs being utilized in attacks, but the volume of traffic related to the majority\r\nof these IPs is minimal; if you were to deduct the traffic sourced from IPs assigned to Stark Industries there is a\r\nquestion as to what impact the attacks would have.\r\nWith all this being said, we will continue to monitor NoName057(16)’s activities, providing updates via our\r\nTwitter and Mastodon pages.\r\nRecommendations\r\nFor users of Pure Signal Recon, you can follow this activity by querying for the IPs detailed in Figure 3:\r\n31.13.195.87\r\n87.121.52.9\r\n109.107.184.11\r\n185.173.37.220\r\n91.142.79.201\r\nIf you are an ISP or Network Operator with DDoS challenges, sign up for our no-cost DDoS mitigation\r\nservice, UTRS.\r\nIOCs\r\nKey Attack Infrastructure (as of 26 January 2023)\r\n5.182.39.0/24\r\n94.131.109.0/24\r\n94.131.102.0/24\r\n5.182.37.0/24\r\n185.248.144.0/24\r\n45.159.251.0/24\r\n45.67.34.0/24\r\n94.131.110.0/24\r\n5.182.38.0/24\r\n45.142.214.0/24\r\n94.131.99.0/24\r\n5.182.36.0/24\r\n94.131.106.0/24\r\n80.92.204.0/24\r\n45.8.147.0/24\r\nSource: 
https://www.team-cymru.com/post/a-blog-with-noname",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.team-cymru.com/post/a-blog-with-noname"
	],
	"report_names": [
		"a-blog-with-noname"
	],
	"threat_actors": [
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434748,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6c59a2f44d34452fd83d6dc2f0e623e96933449.pdf",
		"text": "https://archive.orkl.eu/f6c59a2f44d34452fd83d6dc2f0e623e96933449.txt",
		"img": "https://archive.orkl.eu/f6c59a2f44d34452fd83d6dc2f0e623e96933449.jpg"
	}
}