DDoSia Shifts Its Focus Toward Sweden: Weekly DDoS Threat Intelligence

Analysis Period: November 17 to 23, 2025

NoName057(16), a pro-Russian hacktivist group, conducted coordinated DDoS attacks against multiple NATO and EU countries during the week of November 17-23, 2025. The group used its volunteer-powered DDoS tool, DDoSia, to target government services, transport systems, telecom networks, and public platforms across several regions.

The data shows a clear shift toward Sweden as the main focus of this week’s campaign, replacing Denmark, which led the previous wave.

1. Executive Summary

DDoSia changed its target priorities during this week. Sweden became the main focus with the highest attack count, while Denmark, the lead from the previous week, moved into second place. The group kept distributing new DDoS target lists through its Telegram channels.

This week’s total numbers:

• Total attack targets: 5,112
• Countries/domains affected: 9
• Unique hosts: 169
• Unique IPs: 170

The main targets included government services, municipalities, transport systems, telecom networks, and digital public platforms.

2. Key Graphs

Top countries this week:

1. Sweden – 1,868 attacks
2. Denmark – 1,092 attacks
3. Poland – 795 attacks
4. Ukraine – 605 attacks
5. International (.com) – 439 attacks

Attack Methods Distribution

Most common methods:

• GET: 1,313
• SYN: 1,100
• ACK: 743
• SYN-ACK: 648
• POST: 471
• UDP Flood: 446
• PING: 336

3. Country Highlights

1. Sweden

• Total attacks: 1,868
• Unique hosts: 54
• Unique IPs: 52
• Top port: 443
• Notes:
  • Sweden became the clear top target.
  • Many municipal, public service, and regional government sites were included.
  • Telecom and energy services also appeared often.
  • Several Swedish domains reached high or critical threat levels.

2. Denmark

• Total attacks: 1,092
• Unique hosts: 40
• Unique IPs: 45
• Top port: 443
• Notes:
  • Denmark was the main target last week, but activity shifted to Sweden.
  • Government portals, public information sites, and political pages stayed in the list.

3. Poland

• Total attacks: 795
• Unique hosts: 18
• Unique IPs: 21
• Top port: 443
• Notes:
  • Transport systems, metro services, and road networks were heavily targeted.

4. Ukraine

• Total attacks: 605
• Unique hosts: 28
• Unique IPs: 23
• Notes:
  • Ukraine remains a stable target linked to the active conflict.

5. Spain

• Total attacks: 172
• Unique hosts: 6
• Unique IPs: 6

Other domains:

• International (.com): 439
• Organizations (.org): 54
• Networks (.net): 51
• Galicia (.gal): 36

4. Weekly Shift Overview

This week showed a clear move from Denmark to Sweden:

• Denmark led the previous week.
• Sweden took over as the main target, with a strong increase in municipal and regional government targets.
• The rest of Scandinavia did not show similar growth, which indicates this is a weekly rotation rather than a region-wide campaign.

5. Sector Breakdown

Key sectors targeted:

• Government and municipal websites
  

• Public transport (metro, bus, rail, road)
  

• Telecom and ISP platforms
  

• Energy and utilities
  

• Citizen digital service portals

Transport and government services showed the highest volume across multiple countries.

6. Top 20 Most Targeted Hosts

1. metro.waw.pl — 90 (Critical)
2. regionvasterbotten.se — 78 (Critical)
3. www.lagradet.se — 66 (Critical)
4. www.fmn.dk — 66 (Critical)
5. www.e-podroznik.pl — 66 (Critical)
6. www.autostrada-a4.com.pl — 60 (Critical)
7. drogi.gddkia.gov.pl — 57 (High)
8. borgernesparti.dk — 56 (High)
9. mpk.lodz.pl — 54 (High)
10. mpk.wroc.pl — 51 (High)

Many of these hosts belong to transport providers, municipal websites, and public digital services, making them high-impact targets.

7. Attack Method Trends

• Port 443 was the main target across all countries.
• GET and SYN remained the top methods.
• There is notable use of HTTP/2 and HTTP/3 attacks in this cycle.
• Layer 3/4 (SYN, ACK) and Layer 7 (HTTP GET/POST) attacks continue to mix, which fits DDoSia’s usual pattern.

8. Threat Actor Summary

NoName057(16) is a pro-Russian hacktivist group active since 2022. The group operates with volunteer-based DDoS tools and distributes target lists through Telegram. Its targets often match political events, sanctions, or public statements by NATO and EU members. The weekly patterns show that the group rotates focus to sustain pressure and attention.

9. Defensive Recommendations

These steps help reduce the impact of similar campaigns:

• Use DDoS protection (Cloudflare, Akamai, AWS Shield).
• Add traffic filtering and rate limits.
• Monitor for sudden spikes on HTTPS (port 443).
• Keep incident response plans updated.
• Share indicators with national CERT teams.
• Apply temporary geofencing during major attack waves.

10. Conclusion

This week marked a clear move toward Sweden, replacing Denmark as the main focus. Transport, municipal services, and public digital platforms received the most pressure. DDoSia kept its weekly rhythm, and shifts like this show how quickly the group rotates targets. Close monitoring and fast defensive actions will help reduce disruption in upcoming cycles.

If you’d like a more detailed report, feel free to contact us at [email protected]