This post is part of an analysis that I have carried out during my spare time, motivated by a friend that asked me to have a look at the DDosia project related to the NoName057(16) group. The reason behind this request was caused by DDosia client changes for performing the DDos attacks. Because of that, all procedures used so far for monitoring NoName057(16) activities did not work anymore.
The new variant of bots implemented an authentication mechanism to communicate with C2 servers and their proxies. Includes IP address blocklisting, presumably to hinder the tracking of the project.
Learn about NoName057(16), a pro-Russian hacktivist group behind Project DDoSia targeting entities supporting Ukraine. Discover an overview of the changes made by the group, both from the perspective of the software shared by the group to generate DDoS attacks and the specifics of the evolution of the C2 servers. It also provides an overview of the country and sectors targeted by the group for 2024.
NoName057(16) relies heavily on HTTPS application-layer DDoS attacks, with many attacks repeatedly sourced from the same attack harness, networks, and targeting similar countries and industries.
DDoSia is a DDoS attack toolkit used by the pro-Russia hacktivist group NoName057(16) against countries critical the invasion of Ukraine.
The Record by Recorded Future gives exclusive, behind-the-scenes access to leaders, policymakers, researchers, and the shadows of the cyber underground.
