DDoSia

DDoSia is a proprietary distributed denial-of-service (DDoS) attack tool/platform operated by the pro-Russian hacktivist group NoName057(16), active since at least early/March 2022. Multiple sources in the provided content describe it as a homegrown, volunteer-powered and crowdsourced DDoS platform that allows individuals with minimal technical skill to participate in coordinated attacks by contributing computing resources. The platform is coordinated primarily through Telegram, where target lists are shared or updated frequently, leaderboards are published, and top participants may receive cryptocurrency payments, monetary rewards, or community recognition. The content also states that DDoSia has been distributed via GitHub and other code-hosting platforms.

The malware/framework has been used extensively in coordinated campaigns against government and private-sector entities, especially in NATO member states and other European countries viewed as hostile to Russian geopolitical interests, as well as Ukraine and other international targets. Reported victim sectors include government agencies, financial institutions, public railways, ports, transportation networks, water utilities, defense-related entities, tourism/travel, sports/Olympic organizations, and other critical infrastructure. Specific campaign reporting in the content ties DDoSia-enabled operations to attacks against targets in Italy, Germany, the United Kingdom, Spain, Denmark, Ukraine, Greenland, Japan, Austria, Finland, and broader international/commercial domains.

Observed attack methods associated with DDoSia in the provided content include HTTP GET floods, HTTP POST floods, HTTP/2 attacks, HTTP/1.1 attacks, HTTP/3 activity, TCP SYN floods, TCP ACK floods, TCP SYN-ACK floods, UDP floods, ICMP/PING floods, nginx_loris/slow-connection attacks, slowloris-style resource exhaustion, and TCP floods against ports including 80, 443, 2222, and 8080. Port 443/HTTPS is repeatedly described as the most targeted service in multiple campaigns. One source in the content also states that DDoSia supports HTTP, HTTPS, and HTTP2 floods.

Technical analysis in the content focuses on the Windows DDoSia client. It requires a client ID generated through a dedicated Telegram bot and stored in client_id.txt alongside the executable. After authentication, the client downloads an encrypted target list from its server, decrypts it locally, and then launches attack threads. Dynamic analysis cited in the content found that the target list exists briefly in cleartext in process memory before being consumed and later becomes mangled during runtime. The analysis identified two WSAStartup calls, with the second occurring after target retrieval/decryption and before the attack phase, making it useful for memory extraction. The content references tooling created to dump and recover targets from memory and provides two Windows sample SHA-256 hashes: 726c2c2b35cb1adbe59039193030f23e552a28226ecf0b175ec5eba9dbcd336e (d_windows_amd64.exe, dated 2023/04/19) and 1b53443ebaabafd6f511d4cf7cb85ddf9fa32540c5dd5621f04a3c5eefa663a9 (d_win_x64.exe, dated 2023/11/09).

The provided content also includes high-confidence attribution reporting that NoName057(16) used DDoSia as its primary DDoS capability and that the Center for the Study and Network Monitoring of the Youth Environment (CISM), described in indictments/advisories as established on behalf of the Kremlin, allegedly developed/customized the tool, funded supporting infrastructure, administered Telegram channels, and selected targets. Overall, the content consistently characterizes DDoSia as the central malware/tooling component enabling NoName057(16)’s coordinated, geopolitically aligned DDoS campaigns.