NoName057(16) and DDoSia Project Analysis: Russia’s Most Persistent Hacktivist Operation
New SOCRadar Whitepaper Reveals the Inner Workings of DDoSia and Pro-Russian Cyber Aggression
Since March 2022, a sophisticated pro-Russian hacktivist group has been waging a relentless cyber campaign against Western institutions. Today, SOCRadar releases an in-depth analysis exposing NoName057(16) and its custom denial-of-service weapon, the DDoSia Project.

Figure: Threat actor card of NoName057(16)
A Voluntary Botnet with a Political Mission
Unlike traditional botnets that compromise systems without user knowledge, DDoSia operates on a disturbing premise: thousands of willing participants knowingly install the tool and coordinate attacks against targets designated by the group’s operators. Through propaganda, gamification, and cryptocurrency rewards, NoName057(16) has built a distributed attack force that requires minimal technical skill to join, yet demonstrates remarkable operational sophistication.
Key Findings from Our Analysis
Our comprehensive research reveals:
- Rapid Technical Evolution: DDoSia has progressed through five major versions since 2022, each adding stronger evasion capabilities, including encrypted C2 communication, user-agent rotation, proxy use, and anti-analysis features.
- Geopolitical Coordination: Attack campaigns consistently align with political events—such as NATO accessions, sanctions announcements, and military aid to Ukraine—typically launching within 24-72 hours of the triggering event.
- Extensive Target Profile: Primary victims include government bodies (40-50% of attacks), financial institutions (17-23%), and media outlets (12-18%) across NATO member states and Ukraine supporters.
- Multi-Platform Reach: The tool supports Windows, Linux, and Android systems, with Dockerized versions for easy VPS deployment.

Figure: SOCRadar Threat Actor Intelligence
The Concerning Tactics Behind DDoSia
Our technical analysis uncovered several sophisticated capabilities:
- Multiple Attack Vectors: HTTP/HTTP2 floods, TCP SYN floods, UDP floods, Slowloris attacks, and TLS handshake exploitation
- Evasion Techniques: Runtime string obfuscation, AES-GCM encryption, cookie handling to bypass anti-bot systems, and anti-VM detection
- Dynamic Targeting: C2 servers distribute updated target lists without requiring binary redistribution
- Device-Specific Assignment: Attack methods adapt to the capabilities of the affiliate's device

Figure: Most used attack methods of NoName057(16)
A Propaganda Machine Driving Cyber Warfare
NoName057(16)’s success is partly due to its sophisticated propaganda operation. Through active Telegram channels with over 20,000 followers, the group:
- Frames attacks as “self-defense” against Western aggression
- Uses gamification with points, rankings, and leaderboards
- Provides real-time “evidence” of successful disruptions
- Creates a sense of patriotic duty among Russian nationalists
Looking Ahead: What Organizations Need to Know
As long as Russia-Ukraine tensions persist, NoName057(16) will likely remain active and continue evolving. Our analysis projects potential developments, including:
- Integration of machine learning for adaptive attacks
- Increased decentralization using blockchain technology
- Expansion into IoT environments
- Rapid CVE exploitation integration
Download the Full Report
The complete whitepaper provides:
- Detailed technical analysis of DDoSia versions 1-5
- MITRE ATT&CK TTPs mapping
- Indicators of Compromise (IoCs)
- Attack method breakdowns and victimology analysis
- Infrastructure correlation and C2 tracking
- Future trend predictions
Protect Your Organization
Understanding this threat is the first step toward defense. SOCRadar’s Threat Intelligence platform provides real-time tracking of hacktivist campaigns, including NoName057(16) activities, infrastructure changes, and emerging attack patterns.
Stay informed. Stay protected.
