NoName057(16)’s Hackers Attacked 3,700 Unique Devices Over Last Thirteen Months
The pro-Russian hacktivist group NoName057(16) has orchestrated a massive distributed denial-of-service campaign targeting over 3,700 unique hosts across thirteen months, according to new research published on July 22, 2025.
The group, which emerged in March 2022 shortly after Russia’s full-scale invasion of Ukraine, has maintained an unprecedented operational tempo by launching attacks against an average of 50 unique hosts daily, with activity peaking at 91 targets in a single day.
The hacktivists primarily focused their assault on government and public-sector entities in European nations opposing Russia’s invasion of Ukraine, with Ukrainian organizations comprising the largest share of targets at 29.47%, followed by France (6.09%), Italy (5.39%), and Sweden (5.29%).
The campaign demonstrates clear strategic alignment with Russian geopolitical interests, functioning as an unofficial cyber warfare asset that frames attacks as direct retaliation for actions taken by Russia’s adversaries.
Recorded Future analysts identified the group’s primary weapon as a custom DDoS tool named “DDoSia,” the successor to an earlier botnet called Bobik.
The tool facilitates application-layer DDoS attacks by overwhelming target websites with high volumes of junk requests, operating through a volunteer-driven model that recruits participants via Telegram channels and rewards contributors with cryptocurrency.
Technical Infrastructure and Communication Protocol
The DDoSia malware employs a two-step communication process. Client registration begins with an HTTP POST request to the /client/login endpoint, where the malware validates authenticity using encrypted payloads secured with AES-GCM encryption.
The encryption key is dynamically generated using a combination of the User Hash and Client ID, creating a robust authentication mechanism.
The malware’s multi-tiered infrastructure consists of rapidly rotating Tier 1 command-and-control servers with an average lifespan of nine days; these Tier 1 servers are the only hosts permitted to establish connections to the Tier 2 servers, which are protected by access control lists.
This architecture ensures operational resilience while maintaining reliable C2 functionality even under law enforcement pressure, as demonstrated during Operation Eastwood between July 14-17, 2025, which resulted in arrests and searches across six European countries.
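The two details above that a defender can act on are the registration request (an HTTP POST to a /client/login endpoint) and the short lifespan of Tier 1 servers. The following script is an added example, not code from the report or from Recorded Future: it scans outbound proxy log lines for POSTs to that path and summarises, per destination host, how many internal sources contacted it and over how many days, so that short-lived destinations contacted by several machines stand out. The log format, the sample lines, the addresses and the allowlist of legitimate internal hosts are all constructed for the example; only the endpoint path comes from the report.

```python
"""Flag outbound HTTP POSTs to a /client/login endpoint in proxy logs and
summarise destination-host lifetimes.

The log format and every sample line below are constructed for this example;
they are not real DDoSia traffic.  Only the path "/client/login" is taken
from the published report."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed log format: "<ISO timestamp> <src_ip> <method> <url>"
SAMPLE_LOG = """\
2025-06-01T08:00:00 10.0.0.5 POST http://203.0.113.10/client/login
2025-06-01T08:05:00 10.0.0.5 GET http://intranet.example/index.html
2025-06-03T09:10:00 10.0.0.7 POST http://203.0.113.10/client/login
2025-06-09T11:00:00 10.0.0.5 POST http://198.51.100.22/client/login
2025-06-10T11:00:00 10.0.0.5 POST http://198.51.100.22/client/login
2025-06-11T12:00:00 10.0.0.9 POST http://sso.example/client/login?next=/
2025-06-12T12:00:00 10.0.0.9 GET http://203.0.113.10/client/login
"""

# Registration endpoint named in the report.  The path alone is a weak
# indicator (ordinary web apps expose similar paths), so legitimate internal
# hosts are allowlisted and the results are judged by source count and cadence.
SUSPICIOUS_PATH = "/client/login"
TIER1_LIFESPAN_DAYS = 9  # average Tier 1 C2 lifespan stated in the report


def parse_line(line):
    """Split one constructed log line into its fields; query strings are dropped."""
    ts, src, method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    return {
        "time": datetime.fromisoformat(ts),
        "src": src,
        "method": method.upper(),
        "host": parts.hostname or "",
        "path": parts.path or "/",
    }


def flag_registrations(log_text, allowlist=frozenset()):
    """Return the records that look like a registration POST to a non-allowlisted host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["method"] == "POST"
                and rec["path"] == SUSPICIOUS_PATH
                and rec["host"] not in allowlist):
            hits.append(rec)
    return hits


def summarize(log_text, allowlist=frozenset()):
    """Per destination host: hit count, distinct internal sources, first/last
    sighting and the span in whole days.  A host seen from several sources
    within a window shorter than TIER1_LIFESPAN_DAYS is marked short_lived."""
    per_host = defaultdict(list)
    for rec in flag_registrations(log_text, allowlist):
        per_host[rec["host"]].append(rec)

    summary = {}
    for host, recs in per_host.items():
        times = sorted(r["time"] for r in recs)
        span_days = (times[-1] - times[0]).days
        summary[host] = {
            "count": len(recs),
            "sources": {r["src"] for r in recs},
            "first": times[0],
            "last": times[-1],
            "span_days": span_days,
            "short_lived": span_days <= TIER1_LIFESPAN_DAYS,
        }
    return summary


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG, allowlist={"sso.example"}).items():
        print(f"{host}: {info['count']} POSTs from {len(info['sources'])} sources "
              f"over {info['span_days']} day(s), short_lived={info['short_lived']}")
```

Run against real proxy exports, the allowlist is the important knob: without it the internal single-sign-on host in the sample is flagged too, which is exactly the false positive a bare path match produces. The source count and the day span are what separate a rotating C2 node contacted by several machines from a legitimate application one user logs into.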