Czechia Under Coordinated DDoS Assault: Weekly DDoS Threat Intelligence Analysis
Analysis Period: January 19–25, 2026
Between 19 and 25 January 2026, SOCRadar identified an intensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) and their DDoSia attack tool. The campaign resulted in 5,095 recorded attack entries, targeting 141 unique domains and 131 unique IP addresses with an overwhelming concentration on Czech infrastructure.
The activity focused almost exclusively on the Czechia, accounting for 74.6% of all attacks, with significant secondary targeting of Ukraine (11.5%), reflecting the group’s continued strategic focus on both NATO member states and Ukraine’s digital infrastructure. The majority of attacks targeted government infrastructure at federal and national levels (53.0% of top 10 targets), complemented by critical transportation infrastructure (19.7%) and significant targeting of private sector organizations (19.1%) including media, entertainment, and business services.
Executive Summary Table:
| Metric | Value |
| Analysis Period | January 19–25, 2026 |
| Total Attack Entries | 5,095 |
| Unique Domains Targeted | 141 |
| Unique IP Addresses | 131 |
| Primary Countries | Czechia (74.6%), Ukraine (11.5%), International (.org) (5.0%), International (.com) (4.8%), Aviation (.aero) (2.1%), EU (1.9%) |
| Most Targeted Port | 443 (HTTPS) – 67.5% of attacks |
| Threat Actor | NoName057(16) |
| Attack Tool/Project | DDoSia |
For comprehensive, real-time DDoS threat intelligence covering ongoing campaigns across Europe, explore SOCRadar’s free DDoS intelligence dashboard where we continuously analyze and showcase actionable threat data.
Campaign Analysis
Attack Volume and Scope
During the seven-day analysis period, the campaign demonstrated unprecedented scale and operational intensity, with daily target list updates distributed through Telegram channels. The campaign’s primary geographic focus on Czechia represents an escalation in NoName057(16)’s strategy of applying sustained pressure on NATO’s eastern flank members and key supporters of Ukraine.
Geographic Distribution:
- Czechia accounted for 74.6% of all attack entries (3,803 attacks)
- Ukraine received 11.5% of attacks (587 attacks)
- International (.org) domains comprised 5.0%(257 attacks)
- International (.com) domains received 4.8%(246 attacks)
- Aviation International (.aero) received 2.1%(106 attacks)
- European Union institutions received 1.9%(96 attacks)
Top target countries
This distribution reflects a highly concentrated targeting strategy aimed primarily at Czechia—a NATO member state that has been one of Ukraine’s strongest supporters both militarily and diplomatically. The concentration on Czech infrastructure (74.6%) exceeds even the recent Poland-focused campaign (67.1%), indicating strategic prioritization of this specific NATO member.
Geographic Distribution by Country:
- Czechia: 3,803 attacks (74.6%)
- Ukraine: 587 attacks (11.5%)
- International (.org): 257 attacks (5.0%)
- International (.com): 246 attacks (4.8%)
- Aviation International (.aero): 106 attacks (2.1%)
- European Union: 96 attacks (1.9%)
The sustained nature of attacks over seven consecutive days (January 19-25) with seventeen distinct target list updates indicates highly coordinated operational planning and substantial infrastructure resources. The timing coincides with Czechia’s continued provision of military aid to Ukraine and discussions of enhanced NATO presence in Central Europe, suggesting strategic coordination with geopolitical developments.
Targeted Sectors
The campaign demonstrated a comprehensive multi-sector targeting strategy affecting government, critical infrastructure, private sector, and other institutions simultaneously:
Key targeted sectors included:
- Government Services – Federal/National (53.0%) – National agencies, law enforcement, economic development agencies, civil service administration, public procurement
- Critical Infrastructure – Transportation (19.7%) – Aviation, railway infrastructure, public transportation
- Private Sector – Other (19.1%) – Media, entertainment, business services
- Government Services – Provincial/Regional (8.2%) – Regional administrations, county governments
Top target industries and attack counts
The overwhelming focus on federal government services (53.0% of top 10 targets) represents a strategic shift toward political disruption objectives, aiming to undermine government authority, disrupt citizen services, and create perception of institutional vulnerability. This targeting pattern differs from previous campaigns that showed more balanced distribution across sectors.
The targeting of government infrastructure (61.2% combined federal and regional) includes:
- Federal Government (53.0%): Strategic targets including the Czech National Police (policie.cz), State Service Administration (sshr.gov.cz), National Electronic Tool for procurement (nen.nipez.cz), and CzechInvest economic development agency
- Regional Government (8.2%): Regional administrations like South Bohemian Region (kraj-jihocesky.cz) providing essential citizen services
The significant critical infrastructure targeting includes:
- Aviation Infrastructure: Václav Havel Airport Prague (prg.aero) – the country’s primary international aviation hub
- Railway Systems: Railway Infrastructure Administration procurement portal (zakazky.spravazeleznic.cz) – critical for transportation network development
- Economic Development: CzechInvest platforms (notes.czechinvest.org, prumyslovezony.czechinvest.org) – agencies promoting foreign investment and industrial development
Attack Techniques and Methods
NoName057(16) employed a sophisticated multi-vector attack strategy, combining transport-layer and application-layer attacks to increase complexity and bypass single-layer defensive measures.
Most common methods observed:
- HTTP GET Flood attacks (23.7% – 1,206 attacks)
- TCP SYN Flood attacks (23.6% – 1,204 attacks)
- TCP ACK Flood attacks (13.1% – 666 attacks)
- TCP SYN-ACK Flood (10.9% – 556 attacks)
- HTTP POST-based attacks (10.6% – 540 attacks)
- HTTP CONNECT-based attacks (9.9% – 504 attacks)
- HTTP HEAD-based attacks (7.7% – 391 attacks)
- Other methods (0.5% – 28 attacks)
Attack methods distribution
The near-equal distribution between HTTP GET floods (23.7%) and TCP SYN floods (23.6%) demonstrates a balanced dual-layer approach, combining application-layer resource exhaustion with transport-layer volumetric attacks. This strategic balance makes defensive efforts significantly more complex, requiring both network-layer and application-layer protections.
Combined with ACK and SYN-ACK floods, transport-layer attacks represented 47.6% of all methods, while application-layer HTTP attacks comprised 51.9%, indicating sophisticated understanding of how to maximize attack effectiveness against modern web infrastructure.
The overwhelming concentration on port 443 (HTTPS) (67.5% of all attacks – 3,440 attacks) indicates deliberate targeting of encrypted web services, including:
- Government citizen portals and authentication systems
- Law enforcement and public safety platforms
- Economic development and investment portals
- Critical infrastructure management systems
- Business services and commercial platforms
Additional targeting of port 80 (HTTP) (32.5% – 1,655 attacks) suggests attacks against both modern HTTPS services and legacy HTTP infrastructure still in operation.
Attack Types Distribution:
- TCP-layer attacks: 2,907 attacks (57.1%)
- HTTP/1.1 attacks: 1,163 attacks (22.8%)
- HTTP/2 attacks: 526 attacks (10.3%)
- Application-layer attacks (nginx_loris): 457 attacks (9.0%)
- HTTP/3 attacks: 36 attacks (0.7%)
- UDP attacks: 6 attacks (0.1%)
Attack types distribution
This distribution demonstrates a heavily layered attack methodology, with dominant volumetric network-layer floods (TCP: 57.1%) combined with sophisticated application-layer attacks (HTTP/1.1: 22.8%, HTTP/2: 10.3%, nginx_loris: 9.0%) designed to bypass rate-limiting defenses and exhaust server resources efficiently.
The significant nginx_loris component (9.0%) demonstrates the DDoSia botnet’s capability to execute specialized attacks exploiting specific server software vulnerabilities. Nginx_loris attacks are designed to keep connections open with minimal data transmission, slowly exhausting server connection pools—particularly effective against inadequately configured web servers.
The presence of HTTP/3 attacks (0.7%), while minor in volume, indicates the threat actor’s capability to exploit cutting-edge protocols, demonstrating technical sophistication and ability to adapt attack vectors to emerging technologies.
Most Targeted Organizations
The campaign targeted a strategically selected mix of government services, critical infrastructure, economic development agencies, and media platforms across Czechia and Ukraine. The selection demonstrates intelligence gathering and tactical planning rather than opportunistic targeting.
Top targeted hosts
Czechia
Top 10 Most Targeted Czech Hosts:
- www.policie.cz (100 attacks) – Czech National Police, primary law enforcement agency (Government – Federal)
- Strategic Reason: Disrupting police communications, public safety information access, and undermining law enforcement authority
- notes.czechinvest.org (85 attacks) – CzechInvest Investment and Business Development Agency (Government – Federal)
- Strategic Reason: Undermining economic development operations and foreign investment confidence
- www.prg.aero (80 attacks) – Václav Havel Airport Prague, primary international airport (Critical Infrastructure – Transportation)
- Strategic Reason: Disrupting critical transportation hub, air travel operations, and creating economic/logistical chaos
- www.vinegret.cz (76 attacks) – Vinegret.cz, independent news and media portal (Private Sector – Media)
- Strategic Reason: Silencing independent journalism and controlling information dissemination
- prumyslovezony.czechinvest.org (75 attacks) – CzechInvest Industrial Zones Portal (Government – Federal)
- Strategic Reason: Disrupting industrial development and investment information infrastructure
- sshr.gov.cz (68 attacks) – State Service Administration, civil service management (Government – Federal)
- Strategic Reason: Undermining government administration and civil service operations
- zakazky.spravazeleznic.cz (64 attacks) – Railway Infrastructure Administration, public procurement portal (Critical Infrastructure – Transportation)
- Strategic Reason: Disrupting railway infrastructure procurement and development projects
- www.susuh.cz (64 attacks) – Susuh.cz, entertainment and media platform (Private Sector – Media/Entertainment)
- Strategic Reason: Disrupting cultural content and entertainment services
- www.kraj-jihocesky.cz (60 attacks) – South Bohemian Region, regional government website (Government – Regional)
- Strategic Reason: Undermining regional government services and citizen access to local administration
- nen.nipez.cz (60 attacks) – National Electronic Tool (NEN), public procurement system (Government – Federal)
- Strategic Reason: Disrupting government procurement transparency and contract award mechanisms
Additional High-Profile Czech Targets:
- www.vysocina.cz (55 attacks) – Vysočina Region administration
- www.kr-stredocesky.cz (50 attacks) – Central Bohemian Region
- www.krnov.cz (48 attacks) – City of Krnov municipal portal
- www.most.cz (45 attacks) – City of Most municipal services
- www.czso.cz (44 attacks) – Czech Statistical Office
- Multiple additional city portals, regional administrations, and business services across Czechia
Ukraine
Top Targeted Ukrainian Hosts:
While Czechia dominated the targeting (74.6%), Ukraine received sustained attacks (11.5%) focused on:
- Government services and administrative portals
- Critical national infrastructure
- Economic and financial systems
- Transportation and logistics networks
The dual-targeting of both Czechia and Ukraine demonstrates NoName057(16)’s strategic objective of applying pressure simultaneously on NATO’s strong Ukrainian supporters and Ukraine itself.
Threat Actor Overview: NoName057(16)
NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 following Russia’s full-scale invasion of Ukraine. The group has established itself as one of the most persistent and organized hacktivist actors conducting sustained DDoS campaigns against NATO member states, European Union countries, and nations supporting Ukraine.
Threat actor card of NoName057(16)
The group operates through a crowdsourced, volunteer-driven model using the custom DDoSia botnet framework distributed via Telegram channels. This operational model provides several advantages: distributed attack infrastructure difficult to attribute and disrupt, plausible deniability for state involvement, and ability to mobilize thousands of volunteer participants incentivized through gamification, cryptocurrency rewards, and ideological motivation.
DDoSia Framework
The technical infrastructure supporting NoName057(16) operations centers on the DDoSia attack tool, which:
- Provides a user-friendly interface for non-technical participants
- Receives centralized target lists updated multiple times daily
- Implements multiple attack vectors (TCP floods, HTTP floods, application-layer attacks)
- Includes evasion techniques to bypass basic DDoS protections
- Reports attack metrics back to central infrastructure for performance tracking
- Coordinates distributed attacks across thousands of volunteer participants
Geopolitical Alignment
NoName057(16) operations consistently align with Russian geopolitical objectives, with targeting prioritizing:
- NATO member states, particularly Czechia, Poland, Baltic states, and strong Ukraine supporters
- European Union institutions and member states
- Countries providing military, financial, or political support to Ukraine
- Ukrainian government services and critical infrastructure
- Private sector entities in targeted countries to create economic pressure
The group has demonstrated exceptional operational persistence with:
- Regular target list updates multiple times per day (17 updates during this analysis period)
- Sustained campaigns over weeks and months
- Strategic coordination timed to geopolitical events and diplomatic developments
- Rapid adaptation to defensive measures
- Continuous recruitment of new participants through Telegram channels
Recent Activity Patterns
The Czechia-focused campaign represents a strategic continuation of NoName057(16)’s pattern of rotating geographic focus to maximize pressure on multiple NATO members. Recent campaigns have shown:
- December 15-21: Denmark focus (67.9% of attacks)
- December 22-28: Multi-country (Finland, France, International)
- December 29 – January 4: Germany focus (87.98% of attacks)
- January 5-11: United Kingdom focus (85.2% of attacks – 1,812 attacks)
- January 12-18: Poland focus (67.1% of attacks – 4,087 attacks)
- January 19-25: Czechia focus (74.6% of attacks – 5,095 attacks)
This pattern suggests rotating geographic focus with escalating intensity, preventing defensive adaptation through predictable patterns while demonstrating capability to sustain high-volume attacks across multiple target nations.
Key Characteristics
- Operational Model: Volunteer-driven crowdsourced attacks via DDoSia botnet tool
- Coordination: Telegram channels for target distribution and participant recruitment
- Motivation: Pro-Russian hacktivist aligned with state geopolitical objectives
- Technical Capability: Multi-vector attacks combining volumetric (TCP/UDP floods) and application-layer techniques (HTTP floods, nginx_loris, HTTP/2, HTTP/3)
- Target Selection: Intelligence-driven, strategically prioritized targeting
- Persistence: Continuous operations with sustained pressure over extended periods
- Scale: 5,095 attacks in one week against 141 unique targets
- Sophistication: Medium-to-high technical capability with evolving tactics
- Attribution: Plausibly deniable connection to Russian state interests
Mitigation and Recommendations
Organizations within affected sectors, particularly those in Czechia, Ukraine, and other NATO member states, should consider implementing or strengthening the defensive measures:
Immediate Actions
- Deploy cloud-based DDoS protection services – Implement Cloudflare, Akamai, AWS Shield, Azure DDoS Protection, or equivalent services to filter attack traffic before it reaches your infrastructure
- Review and update Web Application Firewall (WAF) rules – Ensure WAF configurations can detect and block HTTP/HTTP2/HTTP3 flood patterns, particularly GET, POST, CONNECT, and HEAD-based attacks and nginx_loris variants
- Configure rate limiting – Implement rate limiting at multiple layers: web application, reverse proxy (nginx, Apache), load balancer, and network firewall
- Enable SYN cookies and TCP hardening – Configure operating systems and network devices to use SYN cookies, reduce TCP timeout values, increase SYN backlog queues, and limit connection table sizes
- Establish traffic baseline monitoring – Implement real-time traffic monitoring with automated alerting for anomalies in request rates, connection counts, and bandwidth utilization
- Verify geographic redundancy – Ensure critical services have geographic distribution and failover capabilities to maintain availability during regional attacks
- Review DNS configuration – Implement DNS-based DDoS protection (e.g., Cloudflare DNS protection) and ensure proper DNS caching configurations
Strategic Measures
- Conduct comprehensive DDoS risk assessments – Identify all internet-facing services, assess current protections, and document vulnerabilities requiring remediation
- Develop and test incident response plans – Create detailed response procedures for DDoS attacks, conduct tabletop exercises, and ensure 24/7 contact procedures are established
- Allocate appropriate security budget – Budget for DDoS protection services, infrastructure redundancy, security personnel, and incident response capabilities
- Implement defense-in-depth architecture – Design infrastructure with multiple defensive layers: network edge filtering, CDN protection, WAF rules, application hardening
- Engage with national CERT/CSIRT – Participate in information sharing programs with CERT.cz (for Czech organizations), CERT-UA (for Ukrainian organizations), and sector-specific ISACs
- Monitor threat intelligence feeds – Subscribe to threat intelligence services tracking NoName057(16) and DDoSia activity to receive early warning of targeting
- Consider managed security services – For smaller organizations lacking in-house expertise, consider managed DDoS protection and SOC services
- Train staff on incident recognition and response – Conduct regular training on recognizing DDoS attacks, following response procedures, and communicating during incidents
Conclusion
The NoName057(16) campaign observed between 19 and 25 January 2026 demonstrates an escalating, persistent, and technically sophisticated DDoS operation focused primarily on Czech infrastructure while maintaining pressure on Ukraine and other targets. With 5,095 attack entries distributed across 141 unique domains and 131 unique IP addresses, this campaign represents the most intensive operation in the recent series of rotating European campaigns.
Key Takeaways
- Czechia faces unprecedented DDoS campaign intensity from state-aligned threat actors, with 3,803 attacks (74.6%) representing the highest concentration and volume of recent NoName057(16) operations
- Government services overwhelmingly targeted, with federal agencies, law enforcement, economic development, and public procurement systems bearing the brunt of attacks (53% of top 10 targets)
- Multi-vector attacks require sophisticated defenses, combining network-layer (TCP: 57.1%) and application-layer (HTTP: 33.1%, nginx_loris: 9.0%) techniques to bypass single-layer protections
- Strategic targeting demonstrates intelligence gathering, with police portals, investment agencies, airport infrastructure, and independent media selected for maximum political, economic, and social impact
- NATO member states face rotating but intensifying campaigns, with sequential focus on Denmark, Germany, UK, Poland, and now Czechia demonstrating coordinated strategy to pressure alliance members
- DDoSia’s volunteer model enables sustained operations at scale, with 17 target list updates in one week demonstrating operational tempo difficult to counter
- Campaign intensity continues to escalate, with 5,095 attacks representing a 24.6% increase over the previous week’s Poland campaign (4,087 attacks)
For a detailed breakdown of all 141 targeted domains, 131 IP addresses, and comprehensive technical indicators, organizations can access the full interactive threat intelligence dashboard. If you would like a more detailed breakdown for your organization or sector, you can reach out to us at[email protected].
SOCRadar continues our commitment to protecting European organizations with enhanced DDoS threat intelligence capabilities. We are continuously analyzing and showcasing free DDoS threat intelligence through SOCRadar Labs, providing real-time visibility into ongoing campaigns targeting Europe.

