Investigating the Infrastructure Behind DDoSia's Attacks

· Published 16/12/2025 09:50 · Modified 21/12/2025 19:32

Essential information

Tags
2025-12-16 bobik ddos ddosia noname057(16)
Related entities
138 observables, 1 intrusion sets (apt), 12 techniques (mitre), 2 malware, 7 others

Description

DDoSia, a participatory tool created by Russian hacktivists in 2022, is operated by the pro-Russian group NoName057(16). It relies on volunteers to contribute network resources for attacks, primarily targeting Ukraine, European allies, and NATO states. Censys has monitored DDoSia since mid-2025, observing an average of 6 control servers with short lifespans. The tool uses a multi-layered control infrastructure, with systems typically hosted on VPS providers. Despite law enforcement disruption in July 2025, DDoSia quickly reconstituted and resumed operations. The infrastructure is characterized by rapid changes, with most servers active for less than 24 hours. Attacks focus on government, military, transportation, public utilities, financial, and tourism sectors.

External references