DDoSia Targets Spain: Weekly DDoS Threat Intelligence Analysis

Analysis Period: November 24 to 30, 2025

NoName057(16), a pro-Russian hacktivist group, ran a coordinated DDoS campaign during the week of November 24–30, 2025. The group used its volunteer-powered DDoS tool, DDoSia, and shared target lists through Telegram. The data shows a clear pivot toward Spain. Government services, transport systems, energy, and public platforms faced repeat targeting at national, regional, and municipal levels.

1. Executive Summary

This week’s data indicates a Spain-centric operation with heavy pressure on Granada and Galicia. National institutions such as the Constitutional Court and CCN-CERT were also targeted. Key figures:

Total attack commands: 7,939
Unique hosts: 147
Unique IPs: 173
Top port: 443 (HTTPS)

Targets span government entities, metropolitan transit, telecom and IT services, energy sector associations, and citizen portals. The selection suggests an aim to disrupt daily life and erode trust in public services.

Executive summary table

2. Key Graphs

Government, critical infrastructure, and private sector formed the core of activity, with government making up the largest share of the top list.

Target industry distribution

Most common methods this week:

GET: 2,375
SYN: 1,799 (includes “syn” and “SYN”)
POST: 1,172
ACK: 784
SYN-ACK: 661
UDP Flood: 477
PING: 564

These methods reflect a mix of L3/L4 and L7 activity, consistent with DDoSia playbooks.

Attack Distribution tables

Top Ports

Top targeted ports

Port 443 led by a wide margin, followed by port 80 and a long tail of common service ports.

3. Country Highlights

The campaign was multi-country, but Spain received the largest share of volume and attention. The dataset and target naming indicate strong concentration within Spain’s public sector and critical services.

Top targeted hosts with dominantly .es ccTLD

Spain

Signals: Highest volume; national, regional, and municipal bodies targeted.
Notes: Strong focus on Granada and Galicia. High-value national institutions included the Constitutional Court and CCN-CERT. Public transport and energy sector entities appeared several times.

4. Weekly Shift Overview

Last week’s focus on Scandinavia gave way to a Spain-heavy set of targets. The intensity on municipal and regional services increased, while national-level sites saw symbolic hits. The pattern suggests rotational pressure, likely aligned to media cycles and political messaging.

5. Sector Breakdown

Key sectors targeted this week:

Government and municipalities
Public transport and metro systems
Energy and utilities associations
Telecom, ISP, and IT service providers
Citizen digital service portals and information sites

Government and transport formed the largest share of attack commands across the top targets.

6. Top 20 Most Targeted Hosts

www.turgranada.es — 220 (Critical)
www.granada.org — 176 (Critical)
www.innovasur.com — 161 (Critical)
metropolitanogranada.es — 160 (Critical)
www.xunta.gal — 144 (Critical)
www.arbitramadrid.com — 136 (Critical)
www.tribunalconstitucional.es — 136 (Critical)
www.sedigas.es — 130 (Critical)
www.ccn-cert.cni.es — 128 (Critical)
eme-es.com — 128 (Critical)
www.policia.es — 126 (Critical)
www.madrid.org — 126 (Critical)
www.infodefensa.com — 114 (Critical)
www.grupoevertec.com — 96 (High)
www.fundaciontripartita.org — 96 (High)
sepe.es — 96 (High)
www.ingenia.es — 96 (High)
www.empleo.gob.es — 96 (High)
www.sanidad.gob.es — 96 (High)
www.navarra.es — 93 (High)

Many of these belong to municipal portals, regional governments, transport services, national institutions, and sector associations, which makes them high-impact targets for broad disruption.

7. Attack Method Trends

Port 443 remained the dominant target across sites.
GET and SYN continued as the primary methods, with POST, ACK, and SYN-ACK supporting the mix.
Attack types reflected TCP and HTTP vectors alongside HTTP/2 and HTTP/3, with occasional slow application patterns such as nginx_loris. This aligns with DDoSia’s multi-vector style.

8. Threat Actor Summary

NoName057(16) is a pro-Russian hacktivist group active since 2022. The group coordinates volunteer-based DDoS activity and distributes target lists via Telegram. Target selection often aligns with geopolitics around NATO and the EU. Weekly rotations and symbolic selections are common, which helps sustain attention and pressure.

9. Defensive Recommendations

Use managed DDoS protection from providers such as Cloudflare, Akamai, or AWS Shield.
Enforce traffic filtering and rate limits at edge locations.
Monitor for sudden surges on HTTPS services and API gateways, especially on port 443.
Keep incident response runbooks updated and test escalations.
Share indicators and event details with national CERT teams.
Apply temporary geofencing or stricter WAF rules during peak waves.
Prepare public communication for citizen-facing portals and transport systems.

10. Conclusion

This week featured a clear shift toward Spain. Transport, municipal services, and national institutions faced sustained pressure. DDoSia maintained its weekly rhythm and multi-vector model. Close monitoring and rapid mitigation will reduce operational impact if rotations continue in the coming cycle.

If you would like a more detailed report, contact [email protected].