DDoSia Powers Affiliate-Driven Hacktivist Attacks

Pro-Russian group NoName057(16) uses a custom denial-of-service tool to mobilize volunteers and disrupt government, media, and institutional sites tied to Ukraine and the West.

A pro-Russian hacktivist group known as NoName057(16) is using a volunteer-operated distributed denial-of-service (DDoS) tool to disrupt government, media, and institutional websites tied to Ukraine and Western political interests.

The group has been active since at least 2022 and relies on a custom denial-of-service platform, dubbed DDoSia, that allows individuals with minimal technical skill to participate in coordinated attacks against target entities. Many of NoName057(16)’s campaigns have coincided with major geopolitical events, such as Western sanctions, diplomatic actions, or military aid announcements, which the group quickly frames as provocations worthy of retaliatory cyberattacks. In this respect the campaigns are similar to other ideologically driven cyber operations.

Sustained, Politically Motivated Campaigns
“NoName057(16) runs a sustained, politically driven DDoS program that looks more like an organized ‘community operation’ than a classic covert botnet,” says Aaron Jornet, threat researcher at SOCRadar, which released a detailed analysis of the operation this week. “DDoSia is a purpose-built tool, distributed through a volunteer model where participants knowingly install the client, receive targets and settings from command-and-control infrastructure, and stay engaged through propaganda and gamified incentives,” he says.

SOCRadar’s analysis showed that NoName057(16) uses a repeatable playbook when carrying out its carefully planned attacks. After identifying its targets, the hacktivist outfit broadcasts the upcoming campaign through its communication networks, deploying political rhetoric and propaganda to mobilize supporters for the planned operation. SOCRadar found NoName057(16) often communicating campaign details with supporters via channels such as Telegram and X.

The next phase involves distributing attack parameters to all supporters who volunteer to have the DDoSia client running on their systems. NoName057(16)-managed command-and-control (C2) servers provide participants with target information and technical settings, allowing attacks to be coordinated across hundreds or thousands of volunteer-operated nodes. Affiliates — the volunteers that are part of the botnet — are assigned specific attack types based on the capabilities of their systems, enabling the group to sustain pressure on targeted services for hours or even days at a time, according to SOCRadar.

“NoName057(16) focuses on efficiency and persistence rather than extreme bandwidth,” Jornet says. “The group uses application-layer techniques such as HTTP and HTTP/2 abuse, HTTP HEAD floods, slow-connection methods, and cache-busting to force traffic past [content delivery networks] and load origin servers.”

Like many other DDoS operators, the group also runs multivector campaigns, combining TCP- and UDP-based floods with application-layer attacks, to increase pressure on targets and make recovery harder even when DDoS traffic volume itself is moderate.
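
One way a defender could surface two of the application-layer patterns named above, cache-busting and HEAD floods, from origin or CDN access logs. This is an added example, not code from SOCRadar or the article; the log format, thresholds, and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access-log format (assumption): ip "METHOD url HTTP/x" status cache-status
LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
                     r'(?P<status>\d{3}) (?P<cache>HIT|MISS)$')
# Hypothetical thresholds; tune them against a baseline of normal traffic.
MIN_REQUESTS = 5
UNIQUE_QUERY_RATIO = 0.9
HEAD_RATIO = 0.8

def analyze(lines):
    """Return {ip: set of flags} for clients matching either pattern."""
    per_path = defaultdict(lambda: {"n": 0, "queries": set(), "miss": 0})
    methods = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        parts = urlsplit(m["url"])
        methods[m["ip"]][m["method"]] += 1
        if parts.query:
            s = per_path[(m["ip"], parts.path)]
            s["n"] += 1
            s["queries"].add(parts.query)
            s["miss"] += m["cache"] == "MISS"
    flags = defaultdict(set)
    for (ip, _path), s in per_path.items():
        # Cache-busting: one path, nearly every query string unique, every request a MISS.
        if (s["n"] >= MIN_REQUESTS and s["miss"] == s["n"]
                and len(s["queries"]) / s["n"] >= UNIQUE_QUERY_RATIO):
            flags[ip].add("cache-busting")
    for ip, counts in methods.items():
        # HEAD flood: a client whose requests are overwhelmingly HEAD.
        total = sum(counts.values())
        if total >= MIN_REQUESTS and counts["HEAD"] / total >= HEAD_RATIO:
            flags[ip].add("head-flood")
    return dict(flags)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = (
    [f'198.51.100.7 "GET /news?r={i * 7919} HTTP/1.1" 200 MISS' for i in range(8)]
    + ['203.0.113.9 "HEAD /index.html HTTP/2.0" 200 HIT' for _ in range(9)]
    + ['203.0.113.9 "GET /index.html HTTP/2.0" 200 HIT']
    + ['192.0.2.44 "GET /search?q=weather HTTP/1.1" 200 HIT' for _ in range(6)]
)
if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The third sample client repeats one cacheable query and is served from cache, so it is not flagged; only randomized query strings that all miss the cache count as cache-busting.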

Disruptive But Not Destructive
Jornet says SOCRadar has not been able to determine the kind of DDoS traffic volume that NoName057(16) usually generates in its volunteer-driven attacks because it is usually CDNs, ISPs, and national CERT organizations that hold that data. “Instead, SOCRadar measures scale through attack frequency and scope. In one of our weekly DDoS threat intelligence covering Nov. 24-30, 2025, SOCRadar observed 7,939 DDoS attack commands targeting 147 unique hosts and 173 unique IP addresses,” he says.

Most of the attacks are disruptive but non-destructive, highlighting persistence, repetition, and coordination as the group’s main strengths rather than technical sophistication or high-volume infrastructure-destroying attacks, Jornet says. “However, NoName057(16) has been effective at causing short-term service disruptions before, especially against government and public sector websites with limited DDoS protection.”

After each campaign, NoName057(16) actors focus on visibility and reinforcement. Operators publish screenshots, outage confirmations, and performance statistics across social platforms to keep supporters informed about the outcome of each attack. An internal leaderboard and reward system is available to keep participants engaged. The group then reviews the effectiveness of the operation, adjusts infrastructure or tooling as needed, and begins preparing the next campaign — creating a continuous cycle of selection, execution, and refinement.

The DDoSia attack tool itself has steadily evolved over the years. The first version was more of a proof of concept and worked only on Windows systems. It had limited functionality, relied on simple, easily blocked traffic-flooding techniques, and had virtually no defense evasion capabilities. Over time, NoName057(16) has transformed the tool into a relatively sophisticated, modular, and multiplatform weapon capable of running on Linux, ARM-based devices, Windows, and Android. The tool now incorporates multiple attack methods and more resilient, encrypted C2 mechanisms. Detection avoidance capabilities in recent DDoSia versions include traffic randomization and the use of realistic client signatures to confuse security tools in the hope that they will ignore the traffic.

“One of the most important aspects of DDoSia is undoubtedly its ability to execute different attacks depending on the capabilities of the node and the target. This allows it to adapt and remain efficient depending on the campaign and the device launching the offensive,” SOCRadar said in its report. The tool is designed in a way that participants with little technical knowledge can use it to easily generate DDoS traffic against targets, Jornet adds.

Irfan Latif
