DDoSia Powers Affiliate-Driven Hacktivist Attacks

A pro-Russian hacktivist group known as NoName057(16) is using a volunteer-run distributed denial-of-service (DDoS) tool to disrupt government, media, and institutional websites tied to Ukraine and Western political interests.

The group has been active since at least 2022 and relies on a custom DDoS platform, dubbed DDoSia, that lets individuals with minimal technical skill take part in coordinated attacks against chosen targets. Many of NoName057(16)'s campaigns coincide with major geopolitical events, such as Western sanctions, diplomatic actions, or military aid announcements, which the group quickly frames as provocations that justify retaliatory cyberattacks; in this respect it resembles other ideologically driven cyber operations.

Sustained, Politically Motivated Campaigns

"NoName057(16) runs a sustained, politically driven DDoS program that looks more like an organized 'community operation' than a classic covert botnet," says Aaron Jornet, threat researcher at SOCRadar, which released a detailed analysis of the operation this week. "DDoSia is a purpose-built tool, distributed through a volunteer model where participants knowingly install the client, receive targets and settings from command-and-control infrastructure, and stay engaged through propaganda and gamified incentives," he says.

SOCRadar's analysis showed that NoName057(16) uses a repeatable playbook when carrying out its carefully planned attacks. After identifying its targets, the hacktivist outfit broadcasts the upcoming campaign through its communication networks, deploying political rhetoric and propaganda to mobilize supporters for the planned operation. SOCRadar found NoName057(16) often communicating campaign details with supporters via channels such as Telegram and X.

The next phase involves distributing attack parameters to all supporters who volunteer to have the DDoSia client running on their systems. NoName057(16)-managed command-and-control (C2) servers provide participants with target information and technical settings, allowing attacks to be coordinated across hundreds or thousands of volunteer-operated nodes. Affiliates — the volunteers that are part of the botnet — are assigned specific attack types based on the capabilities of their systems, enabling the group to sustain pressure on targeted services for hours or even days at a time, according to SOCRadar.

"NoName057(16) focuses on efficiency and persistence rather than extreme bandwidth," Jornet says. "The group uses application-layer techniques such as HTTP and HTTP/2 abuse, HTTP HEAD floods, slow-connection methods, and cache-busting to force traffic past [content delivery networks] and load origin servers."

Like many other DDoS operators, the group also runs multivector campaigns, combining TCP- and UDP-based floods with application-layer attacks, to increase pressure on targets and make recovery harder even when DDoS traffic volume itself is moderate.
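The application-layer techniques Jornet describes (HEAD floods and cache-busting query strings aimed at pushing traffic past a CDN) leave a recognisable footprint in ordinary web-server access logs, which is where a defender can first spot an affiliate node. The script below is an added example written for this article; it is not SOCRadar's tooling nor anything from the DDoSia client. It parses combined-format log lines and flags clients whose per-source HEAD rate or ratio of never-repeated query strings crosses a threshold. The thresholds, the documentation-range IP addresses, the paths and the timestamps are all constructed assumptions, and a real deployment would set them from its own traffic baseline. The TCP/UDP floods of a multivector campaign are not visible in HTTP logs, so this covers only the application-layer half of the picture.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the Apache/Nginx "combined" log format. The request line is split
# into method, target and protocol; referer and user-agent are not used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative thresholds (assumptions for this example, not values from the
# article); tune them against your own baseline traffic.
HEAD_MIN_COUNT = 20            # HEAD requests from one client before we care
HEAD_MIN_RATE = 5.0            # ...and at least this many HEADs per second
CACHE_BUST_MIN_DISTINCT = 10   # distinct query strings seen on one path
CACHE_BUST_MIN_RATIO = 0.9     # share of hits on that path carrying a new query string


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec


def find_suspicious_clients(lines):
    """Return {client_ip: [flags]} for clients whose traffic looks like a HEAD
    flood or cache-busting. Clients with no flags are omitted."""
    per_ip = defaultdict(lambda: {"total": 0, "head": 0, "first": None, "last": None,
                                  "queries": defaultdict(set), "path_hits": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        if rec["method"] == "HEAD":
            s["head"] += 1
        t = rec["time"]
        s["first"] = t if s["first"] is None or t < s["first"] else s["first"]
        s["last"] = t if s["last"] is None or t > s["last"] else s["last"]
        s["path_hits"][rec["path"]] += 1
        if rec["query"]:
            s["queries"][rec["path"]].add(rec["query"])

    findings = {}
    for ip, s in per_ip.items():
        flags = []
        # Clamp the window to one second so a burst logged within a single
        # second still yields a finite rate.
        duration = max((s["last"] - s["first"]).total_seconds(), 1.0)
        if s["head"] >= HEAD_MIN_COUNT and s["head"] / duration >= HEAD_MIN_RATE:
            flags.append("head_flood")
        for path, queries in s["queries"].items():
            hits = s["path_hits"][path]
            if len(queries) >= CACHE_BUST_MIN_DISTINCT and len(queries) / hits >= CACHE_BUST_MIN_RATIO:
                flags.append("cache_busting")
                break
        if flags:
            findings[ip] = flags
    return findings


def build_sample_log():
    """Constructed sample traffic: documentation-range addresses, invented paths and times."""
    fmt = '{ip} - - [12/Jan/2026:10:00:{sec:02d} +0000] "{method} {target} HTTP/1.1" {status} 0 "-" "Mozilla/5.0"'
    lines = []
    # 30 HEAD requests for "/" from one client inside three seconds
    for i in range(30):
        lines.append(fmt.format(ip="203.0.113.7", sec=i // 10, method="HEAD", target="/", status=200))
    # 15 GETs for the same page, each carrying a query string never seen before
    for i in range(15):
        lines.append(fmt.format(ip="198.51.100.23", sec=i, method="GET",
                                target=f"/news/index.html?nocache={1700000000 + i}", status=200))
    # Benign browsing: a few GETs, one HEAD, and a versioned asset fetched twice
    benign = [("GET", "/news/index.html", 200), ("GET", "/static/app.js?v=42", 200),
              ("GET", "/static/app.js?v=42", 304), ("HEAD", "/robots.txt", 200)]
    for i, (method, target, status) in enumerate(benign):
        lines.append(fmt.format(ip="192.0.2.10", sec=i * 5, method=method, target=target, status=status))
    return lines


if __name__ == "__main__":
    for ip, flags in sorted(find_suspicious_clients(build_sample_log()).items()):
        print(ip, ", ".join(flags))
```

The cache-busting check keys on the ratio of distinct query strings to hits per path rather than on the raw count, so a popular asset legitimately requested with a handful of version tags is not flagged while a client that never repeats a query string is. Feeding real logs through `find_suspicious_clients` gives a candidate list for rate limiting or challenge pages at the edge, not a verdict on its own.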
