Spain Under DDoS Barrage: Weekly DDoS Threat Intelligence Analysis
Analysis Period: February 16 – 23, 2026
Between February 16 and 23, 2026, SOCRadar identified an extensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) using their DDoSia attack tool. The campaign resulted in 8,044 recorded attack entries, targeting 167 unique domains and 180 unique IP addresses across multiple countries, representing a concentrated strategic focus on Spain as the primary target nation while simultaneously maintaining multi-front pressure across Europe and Ukraine.
This campaign marks a significant operational intensification against Spanish infrastructure, with Spain accounting for 49.4% of all attacks (3,975 targets across .es, .gal, .eus, and .cat domains), representing the group’s most sustained and concentrated effort against a single NATO member state during the analysis period. The operations simultaneously maintained pressure on Ukraine (10.1%), and targeted Germany (2.5%), Denmark (2.0%), Sweden (0.8%), and a significant volume of international commercial entities (22.2%). The concentration on Spain demonstrates deliberate, intelligence-driven target selection aligning with geopolitical developments tied to Spanish government positions on Ukraine support and NATO commitments.
Executive Summary Table:
| Metric | Value |
| Analysis Period | February 16 – 23, 2026 |
| Total Attack Entries | 8,044 |
| Unique Domains Targeted | 167 |
| Unique IP Addresses | 180 |
| Primary Countries | Spain (49.4%), Generic/Int’l (22.2%), Ukraine (10.1%), Galicia/ES (4.8%), Germany (2.5%), Basque/ES (2.3%), Denmark (2.0%), Other (6.7%) |
| Most Targeted Port | 443 (HTTPS) – 69.8% of attacks |
| Threat Actor | NoName057(16) |
| Attack Tool/Project | DDoSia |
For comprehensive, real-time DDoS threat intelligence covering ongoing campaigns across Europe, explore SOCRadar’s free DDoS intelligence dashboard where we continuously analyze and showcase actionable threat data.
1. Campaign Analysis
Attack Volume and Scope
During the seven-day analysis period, the campaign demonstrated exceptional geographic concentration with Spain as the overwhelmingly dominant target, receiving nearly half of all recorded attack entries. The campaign’s primary focus on Spain (49.4% – 3,975 attacks) represents NoName057(16)’s most intensive sustained operation against Iberian infrastructure to date, indicating a deliberate strategic decision to maximize impact on a single high-profile NATO and EU member state.
Geographic Distribution:
- Spain (.es) accounted for 49.4% of all attack entries (3,975 attacks) targeting 66 unique organizations
- Generic/International (.com/.org/.net) comprised 22.2% of attacks (1,783 attacks) targeting 30 unique organizations
- Ukraine (.ua) received 10.1% of attacks (813 attacks) targeting 23 unique organizations
- Spain – Galicia (.gal) received 4.8% of attacks (389 attacks) targeting 5 unique organizations
- Germany (.de) received 2.5% of attacks (198 attacks) targeting 6 unique organizations
- Spain – Basque Country (.eus) received 2.3% of attacks (186 attacks) targeting 3 unique organizations
- Denmark (.dk) received 2.0% of attacks (161 attacks) targeting 16 unique organizations
- Sweden (.se), Catalonia (.cat), and others accounted for the remaining 6.7%
Distribution by Country (SOCRadar DDoS Threat Intelligence)
This distribution reflects a deliberate and sustained operational focus on Spain and its autonomous regions, with Galicia, the Basque Country, and Catalonia each receiving targeted attention — suggesting awareness of Spain’s complex regional political landscape and the symbolic value of disrupting both national and regional government institutions.
The geographic concentration on Spain demonstrates strategic intelligence gathering and target selection, focusing on transportation infrastructure, national defense systems, regional parliaments, and energy sector entities across multiple cities including Madrid, Málaga, Valencia, Granada, A Coruña, and Bilbao. This broad geographic spread within Spain indicates a deliberate strategy to create a nationwide sense of vulnerability rather than concentrating on a single region.
The sustained nature of attacks over seven consecutive days (February 16–23) with 26 distinct target list updates — including multiple updates within single days on February 19 alone (5 updates in 20 minutes) — indicates highly coordinated and rapidly adaptive operational planning with real-time target list management.
Targeted Sectors
The campaign demonstrated a comprehensive multi-sector targeting strategy with particular emphasis on critical national infrastructure and government services across Spain, while maintaining simultaneous pressure on Ukrainian and European targets:
Distribution by Industry (SOCRadar DDoS Threat Intelligence)
Key targeted sectors included:
- Critical Infrastructure – Transportation (22%) – Metro systems, intercity buses, regional railways, aviation, public transit authorities
- Government & Public Sector (25%) – Federal ministries, regional parliaments, municipal councils, defense institutions
- Critical Infrastructure – Energy (10%) – Natural gas associations, gas distribution companies, renewable energy organizations, energy R&D
- Private Sector – Logistics & Trade (8%) – Shipping agents, customs brokers, logistics companies
- Defense & Cybersecurity (7%) – National intelligence services, military branches, cybersecurity organizations, defense manufacturers
- Private Sector – Other (28%) – Finance, media, telecom, construction, and other commercial entities
The significant government infrastructure targeting (25%) focused specifically on multiple levels of Spanish administration:
- National Government: Ministry of Economy (portal.mineco.gob.es), State Procurement (contratacioncentralizada.gob.es, contrataciondelestado.es), Tax Authority (sede.agenciatributaria.gob.es), Ministry of Justice (www.mjusticia.gob.es), Ministry of Finance (www.hacienda.gob.es), Recovery Plan portal (planderecuperacion.gob.es)
- Regional Parliaments: Canary Islands Parliament (www.parcan.es), Basque Parliament (www.legebiltzarra.eus), Galicia Parliament (www.parlamentodegalicia.es), Andalusia Parliament (www.parlamentodeandalucia.es), Valencia Parliament (www.cortsvalencianes.es), Madrid Assembly (www.asambleamadrid.es)
- Regional/Municipal Governments: Murcia (web.murcia.es), Navarra (www.navarra.es), Asturias (www.asturias.es), Valencia (www.gva.es), Toledo (www.toledo.es), Palma (www.palma.es), Valladolid Provincial Council
Defense and security sector targeting (7%) included some of Spain’s most sensitive institutions:
- National Intelligence Center (www.cni.es, www.ccn.cni.es, www.ccn-cert.cni.es, rns.ccn-cert.cni.es)
- National Security Council (www.dsn.gob.es)
- Spanish Armed Forces — Air Force (ejercitodelaireydelespacio.defensa.gob.es), Army (ejercito.defensa.gob.es), Navy (armada.defensa.gob.es), Defense portal (www.defensa.gob.es)
- Air Navigation (www.enaire.es)
- Defense manufacturing — El Casco 1920 (www.elcasco1920.com), manufacturer of military ballistic helmets
This defense sector targeting reveals an understanding of strategic supply chain dependencies and demonstrates the group’s intent to disrupt both the operational and informational capacity of Spain’s national security apparatus.
Attack Techniques and Methods
NoName057(16) employed a sophisticated multi-vector attack strategy consistent with previous campaigns and optimized for simultaneous application-layer and transport-layer saturation:
Most common methods observed:
- HTTP GET Flood attacks (29.4% – 2,368 attacks)
- TCP SYN Flood attacks (23.8% – 1,915 attacks)
- HTTP POST-based attacks (12.4% – 1,001 attacks)
- ACK Flood attacks (10.1% – 811 attacks)
- SYN-ACK Flood (8.6% – 692 attacks)
- PING-based attacks (7.8% – 627 attacks)
- UDP Flood (7.1% – 572 attacks)
- Other methods (0.7% – 58 attacks)
Attack Methods Distribution (SOCRadar DDoS Threat Intelligence)
The dominant use of HTTP GET floods (29.4%) combined with TCP SYN floods (23.8%) demonstrates continued emphasis on dual-layer attacks combining application-layer resource exhaustion with transport-layer volumetric flooding. The relatively high proportion of HTTP POST attacks (12.4%) compared to prior campaigns indicates targeted use of form-submission and login endpoint flooding, likely aimed at authentication portals and interactive government services.
Combined transport-layer attacks (SYN, ACK, SYN-ACK) represented 42.5% of all methods, while application-layer HTTP attacks comprised 41.8%, reflecting a near-balanced multi-vector approach designed to simultaneously exhaust both network-layer and application-layer defenses.
Port targeting was heavily skewed toward encrypted services:
- Port 443 (HTTPS): 5,611 attacks (69.8%) — the dominant target, reflecting focus on modern HTTPS government and commercial portals
- Port 80 (HTTP): 1,380 attacks (17.2%) — legacy HTTP systems in government and transport sectors
- Port 22 (SSH): 131 attacks (1.6%) — targeted probing of administrative interfaces
- Port 53 (DNS): 109 attacks (1.4%) — DNS disruption attempts
- Port 21 (FTP): 77 attacks (1.0%) — legacy file transfer services
- Ports 8080, 8443, 3306, 2000, 993: Remaining 9%
Attack Types Distribution:
- TCP-layer attacks: 4,045 attacks (50.3%)
- HTTP/1.1 attacks: 1,669 attacks (20.7%)
- HTTP/2 attacks: 1,508 attacks (18.8%)
- Application-layer attacks (nginx_loris): 709 attacks (8.8%)
- HTTP/3 attacks: 90 attacks (1.1%)
- UDP attacks: 23 attacks (0.3%)
Attack Types Distribution (SOCRadar DDoS Threat Intelligence)
This distribution demonstrates heavily layered attack methodology, with dominant volumetric network-layer floods (TCP: 50.3%) combined with sophisticated application-layer attacks across multiple HTTP protocol versions (HTTP/1.1: 20.7%, HTTP/2: 18.8%, HTTP/3: 1.1%, nginx_loris: 8.8%) designed to bypass rate-limiting defenses and exhaust server resources regardless of protocol version. The nginx_loris component (8.8%) indicates specialized slow-loris attacks effective against inadequately configured web servers — a known vulnerability in public-sector web infrastructure.
2. Most Targeted Organizations
The campaign targeted a strategically selected mix of national government services, regional institutions, critical transportation infrastructure, energy sector entities, and defense organizations primarily across Spain, with sustained operations against Ukraine and targeted strikes across Germany, Denmark, and Sweden. The selection demonstrates intelligence-driven prioritization aligned with maximum geopolitical and societal impact.
Spain (Primary Target – 49.4%)
Top 10 Most Targeted Spanish Organizations:
- www.turgranada.es (198 attacks) – Patronato de Turismo de Granada (Government – Regional Tourism Authority)
- Strategic Reason: Granada’s tourism authority is central to Andalusia’s economy. Disrupting it creates direct economic impact and media visibility as tourists and travel businesses are affected.
- www.parcan.es (171 attacks) – Parliament of the Canary Islands (Government – Regional Parliament)
- Strategic Reason: Targeting democratic legislative institutions undermines governance credibility and signals capability against Spain’s autonomous regional political structures.
- metromalaga.es (162 attacks) – Metro de Málaga (Critical Infrastructure – Urban Transportation)
- Strategic Reason: Urban transit disruption causes immediate, visible civilian impact, creating media coverage and public frustration that serves the group’s psychological warfare objective.
- www.crtm.es (120 attacks) – Consorcio Regional de Transportes de Madrid (Critical Infrastructure – Metropolitan Transport)
- Strategic Reason: Madrid’s transport consortium coordinates bus, metro, and rail services for millions of daily commuters — maximum population impact target in the national capital.
- www.sedigas.es (117 attacks) – Spanish Gas Association (Critical Infrastructure – Energy)
- Strategic Reason: Targeting the natural gas sector association sends a geopolitical signal about energy dependency and aligns with Russia’s broader messaging around European energy security.
- socibusventas.es (114 attacks) – Socibus (Critical Infrastructure – Intercity Transportation)
- Strategic Reason: Intercity bus operator connecting Andalusia and Madrid disrupts civilian mobility and inter-city connectivity across southern Spain.
- contratacioncentralizada.gob.es (112 attacks) – Central State Procurement (Government – Federal Digital Services)
- Strategic Reason: Disrupting centralized procurement portals directly impedes government operational capacity and public contract transparency.
- www.tramalacant.es (108 attacks) – TRAM Metropolità d’Alacant (Critical Infrastructure – Urban Transportation)
- Strategic Reason: Alicante metropolitan tram system serves a major tourist and residential area — disruption maximizes civilian and economic impact in a coastal economic hub.
- web.murcia.es (108 attacks) – Region of Murcia Government Portal (Government – Regional)
- Strategic Reason: Regional government portal disruption impairs citizen access to essential administrative services across the Murcia region.
- administracion.gob.es (108 attacks) – Spanish National Administration Portal (Government – Federal Digital Services)
- Strategic Reason: The central gateway to Spanish government digital services — disruption affects citizens’ access to tax, social security, and administrative systems nationwide.
Geographic Pattern Analysis – Spain:
The targeting reveals a deliberately broad national footprint spanning multiple major cities and autonomous communities:
- Madrid (multiple targets): Capital city — transport, government ministries, parliament
- Andalusia (multiple targets): Granada tourism, Málaga metro, Sevilla bus, Andalusia parliament and regional government
- Valencia/Alicante (multiple targets): TRAM Alicante, Valencia metro, Valencia parliament, Valencia government
- Galicia (multiple targets): A Coruña city council and digital identity, Santiago de Compostela, Galicia regional government, Galicia tourism
- Basque Country (multiple targets): Basque parliament, Bilbao city, Basque government portal
- Canary Islands (targeted): Canary Islands Parliament
- Other regions: Murcia, Navarra, Asturias, La Rioja, Catalonia, Castilla y León, Toledo
This pan-regional targeting strategy prevents Spanish authorities from concentrating defensive resources in a single location and maximizes the nationwide psychological and operational impact of the campaign.
Notable High-Value Targets Beyond the Top 10:
- National Intelligence Center (CNI): www.cni.es, www.ccn.cni.es, www.ccn-cert.cni.es — Spain’s primary intelligence and cyber-defense bodies
- National Security Council: www.dsn.gob.es — Coordinating body for national security crises
- Military branches: Air Force, Army, and Navy portals under defensa.gob.es
- ENAIRE: Spain’s air navigation service provider
- IMDEA Energy Institute: National energy R&D center (energia.imdea.org — top targeted IP at 207 attacks)
- Stock Exchange: www.bolsasymercados.es — Spain’s primary financial markets operator
- Talgo: www.talgo.com — Major Spanish high-speed rail manufacturer and strategic defense supplier
Ukraine (Secondary Target – 10.1%)
Ukraine received sustained attacks (10.1% – 813 attacks) focused on government administration, transportation, and regional authorities including:
- Zaporizhzhia regional administration (zp.gov.ua)
- Mariupol City Council (mariupolrada.gov.ua) — the war-affected city’s administrative portal
- Dnipropetrovsk regional administration (adm.dp.gov.ua, tec.dp.ua)
- Poltava Regional Council (www.rada-poltava.gov.ua)
- SKM Railway (skm.com.ua, z.skm.com.ua, zbx.skm.com.ua) — multiple Ukrainian commuter rail portals
- L4 Networks (l4.ua, home.l4.ua) — Ukrainian internet service provider
- Sumy online services (online.sumy.ua, tks.sumy.ua)
- Agricultural sector (agro-ukraine.com) — targeting Ukraine’s critical food export industry
- Aviation manufacturing (aeroprakt.kiev.ua, vertol.com.ua) — defense and aerospace manufacturers
The continued Ukrainian targeting demonstrates maintained pressure on both civilian infrastructure and defense-adjacent sectors, aligning with NoName057(16)’s core anti-Ukraine operational objective.
Germany (Tertiary Target – 2.5%)
Germany received 198 attacks across 6 unique hosts, including:
- S-Bahn Hannover (frontend-api.sbahn-hannover.de) — regional rail network API
- VBB Berlin-Brandenburg (www.vbb.de) — Berlin’s transport association
- Deutsche Bahn (www.bahn.de) — Germany’s national railway operator
- Start NI Mitte (start-ni-mitte.de) — mobility services
- VMV (www.vmv.de) — Mecklenburg-Vorpommern transport association
The concentration on German transportation infrastructure is consistent with NoName057(16)’s broader strategy of targeting transit systems to create visible civilian disruption in NATO member states.
Denmark (Fourth Target – 2.0%)
Denmark received 161 attacks across 16 unique hosts, focusing on:
- Political parties: Konservative (konservative.dk, login.konservative.dk), Radikale Venstre (radikalevenstre.dk), Socialistisk Folkeparti (socialistiskfolkeparti.dk), Borgernes Parti (borgernesparti.dk)
- Judiciary: Courts (byret.dk), Commercial Court (handelsretten.dk), Director of Public Prosecutions (rigsadvokaten.dk)
- Energy: Energinet (energinet.dk), NRG (www.nrg.dk)
- Municipal: Ringsted (ringsted.dk), Taarnby (www.taarnby.dk)
- Digital services: Borger.dk (www.borger.dk) — Denmark’s citizen services portal
- Logistics: PostNord (netbutik.postnord.dk), ScanGl (www.scangl.dk)
The targeting of Danish political parties alongside judiciary and energy infrastructure demonstrates a broader strategy of undermining democratic and institutional trust in NATO member states.
3. Threat Actor Overview: NoName057(16)
NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 following Russia’s full-scale invasion of Ukraine. The group has established itself as one of the most persistent and operationally consistent hacktivist actors conducting sustained DDoS campaigns against nations supporting Ukraine, NATO member states, and EU institutions.
The group operates through a crowdsourced, volunteer-driven model using the custom DDoSia botnet framework distributed via Telegram channels. This operational model provides a distributed attack infrastructure, plausible deniability for state involvement, and the ability to mobilize thousands of volunteer participants globally to execute coordinated attacks at scale.
Threat actor card of NoName057(16)
DDoSia Framework
The technical infrastructure supporting NoName057(16) operations centers on the DDoSia attack tool, which:
- Provides a user-friendly client interface for non-technical volunteer participants
- Receives centralized target lists updated multiple times daily (26 updates in 7 days — including 5 updates within 20 minutes on February 19)
- Implements multiple simultaneous attack vectors (TCP floods, HTTP floods, application-layer nginx_loris attacks, UDP floods)
- Includes evasion techniques designed to bypass basic DDoS protections and rate limiting
- Reports attack metrics back to central infrastructure for performance tracking and incentivization
- Coordinates distributed attacks across thousands of volunteer participants in multiple time zones
The rapid-fire update cadence observed on February 19 (updates at 07:00, 07:05, 07:10, 07:15, and 07:20) demonstrates real-time operational agility — the ability to pivot targets, adjust attack parameters, and respond to defensive measures within minutes.
Geopolitical Alignment
NoName057(16) operations consistently align with Russian geopolitical objectives, with targeting prioritizing:
- NATO member states that have strengthened support for Ukraine or increased defense spending
- Ukraine itself, maintaining continuous pressure on government administration and critical infrastructure
- European Union member states involved in sanctions enforcement or arms supply decisions
- Defense and security sector entities in targeted nations to disrupt supply chains and signal intelligence capability
- Critical infrastructure across transportation, energy, and financial sectors to maximize civilian disruption and economic signaling
The Spain campaign specifically targets a NATO member state with active participation in European defense frameworks, Ukraine support mechanisms, and EU foreign policy — making it a high-value symbolic and operational target from the group’s geopolitical perspective.
Recent Activity Patterns Evolution
This Spain-focused campaign represents the latest evolution in NoName057(16)’s geographic rotation strategy:
- Late January 2026: UK-primary (55%), Ukraine (13%), Czech Republic (5%), Commercial (27%)
- February 9–15, 2026: Japan-primary (39.4%), Ukraine (20.4%), Denmark (15.1%), Commercial (14.3%)
- February 16–23, 2026: Spain-primary (49.4%), Commercial/Intl (22.2%), Ukraine (10.1%), Germany (2.5%), Denmark (2.0%)
This pattern demonstrates a systematic geographic rotation strategy — maintaining persistent multi-front operations while concentrating the majority of attack volume on a rotating primary target. The shift from Japan back to a European NATO member state suggests responsiveness to real-time geopolitical events and a deliberate strategy of preventing any single country from adapting its defenses before the next campaign cycle begins.
Key Characteristics
- Operational Model: Volunteer-driven crowdsourced attacks via the DDoSia botnet tool with global participant distribution
- Coordination: Telegram channels for target list distribution, participant recruitment, and operational communication
- Motivation: Pro-Russian hacktivist collective aligned with Kremlin geopolitical messaging, targeting NATO and EU member states
- Technical Capability: Multi-vector attacks combining volumetric (TCP/UDP floods) and application-layer techniques (HTTP floods, nginx_loris, HTTP/2, HTTP/3)
- Target Selection: Intelligence-driven, strategically prioritized targeting covering government, defense, transportation, energy, and finance sectors
- Persistence: Continuous operations with sustained pressure over extended periods and multiple daily target list updates
- Scale: 8,044 attacks in one week against 167 unique targets across Spain, Ukraine, Germany, Denmark, Sweden, and international entities
- Sophistication: Medium-to-high technical capability with real-time target adaptation and multi-vector coordination
- Attribution: Consistent pro-Russian hacktivist activity with documented alignment with Kremlin geopolitical objectives
4. Mitigation and Recommendations
Organizations within affected sectors — particularly those in Spain, Ukraine, Germany, Denmark, and other NATO member states — should consider implementing or strengthening the following defensive measures:
Immediate Actions
- Deploy cloud-based DDoS protection services — Implement Cloudflare, Akamai, AWS Shield, Azure DDoS Protection, or equivalent services to filter attack traffic before it reaches origin infrastructure. This is especially critical for regional government portals and transportation operator websites that may lack enterprise-grade DDoS mitigation.
- Review and update Web Application Firewall (WAF) rules — Ensure WAF configurations can detect and block HTTP/HTTP2/HTTP3 flood patterns, particularly GET, POST, and nginx_loris slow-loris variants that are central to the DDoSia tool’s methodology.
- Configure rate limiting at multiple layers — Implement rate limiting at the web application, reverse proxy (nginx, Apache), load balancer, and network firewall levels to prevent application-layer saturation.
- Enable SYN cookies and TCP hardening — Configure operating systems and network devices to use SYN cookies, reduce TCP timeout values, increase SYN backlog queues, and limit connection table sizes to mitigate TCP flood components.
- Establish traffic baseline monitoring — Implement real-time traffic monitoring with automated alerting for anomalies in request rates, connection counts, and bandwidth utilization to enable rapid detection and response.
- Monitor DDoSia Telegram channels — SOCRadar’s threat intelligence platform monitors DDoSia target lists in near real-time. Organizations can receive advance warning of targeting before attacks reach peak volume.
- Verify geographic redundancy and failover — Ensure critical services have geographic distribution and failover capabilities to maintain availability during regional or infrastructure-specific attacks.
Strategic Measures for Spanish Organizations
- Engage with CCN-CERT — Spanish organizations should immediately coordinate with the National Cryptologic Center’s CERT (CCN-CERT) for threat intelligence sharing, incident response support, and guidance on DDoS mitigation aligned with Spain’s national cybersecurity framework.
- Regional coordination between autonomous communities — Given the campaign’s simultaneous targeting of multiple autonomous regions (Galicia, Basque Country, Catalonia, Andalusia, Valencia), regional IT security teams should establish active information-sharing channels to coordinate defensive responses.
- Prioritize defense sector assets — Given the targeting of CNI, DSN, and military branch portals, defense and national security organizations should ensure their DDoS mitigation posture meets the elevated threat level indicated by this campaign.
- Transportation sector resilience planning — Metro operators, bus companies, and rail systems should implement operational continuity plans that do not rely exclusively on web portals, ensuring passenger information can be communicated through alternative channels during attacks.
- Proactive stakeholder communication — Prepare public communications templates for deployment during service disruptions to minimize reputational damage and maintain public confidence in affected services.
5. Conclusion
The February 16–23, 2026 campaign represents one of NoName057(16)’s most operationally intensive efforts against a single NATO member state, with Spain absorbing nearly half of all recorded attack entries across a seven-day period. The campaign’s breadth — spanning national government ministries, regional parliaments across six autonomous communities, military and intelligence institutions, transportation networks in multiple major cities, and the energy sector — demonstrates sophisticated target selection designed to create a nationwide perception of vulnerability rather than localized disruption.
The campaign’s simultaneous maintenance of pressure on Ukraine, Germany, and Denmark confirms that NoName057(16) continues to operate effective multi-front campaigns — ensuring no single nation can assume it has moved out of the group’s focus even as a new primary target absorbs the majority of attack volume.
If you would like a more detailed report on this DDoS campaign or require customized threat intelligence for your organization, contact [email protected].
SOCRadar continues our commitment to protecting European organizations with enhanced DDoS threat intelligence capabilities. We are continuously analyzing and showcasing free DDoS threat intelligence through SOCRadar Labs, providing real-time visibility into ongoing campaigns targeting Europe.

