MalwareUsed by 1 actor

Bobik

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

NoName057(16)

In September, Avast reported on the threat actor using the Bobik botnet to conduct their DDoS attacks.

via sentinelone labssentinelone.com

MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Impact

2 techniques

T1498Network Denial of ServiceEvidence2

NoName057(16) emerged in March 2022, just days after Russia’s full-scale invasion of Ukraine, and has since waged a sustained, large-scale distributed denial-of-service (DDoS) campaign through its volunteer-driven “DDoSia” platform.

T1498.001Direct Network FloodEvidence1

DDOSIA is a multi-threaded application that conducts denial-of-service attacks against target sites by repeatedly issuing network requests.

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

4 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

ip.v4●●●●●●●●●●●●View more in app1 year ago

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

breakglass intelNews

Apr 10, 2026

AllSyDevs C2 Infrastructure - Breakglass Intelligence - Breakglass Intelligence

A .NET malware variant communicating with the same C2 infrastructure, identified in detections as MSIL/Bobik and associated with the broader stealer/RAT operation.

recorded future blogNews

Jul 22, 2025

Inside DDoSia: NoName057(16)’s Pro-Russian DDoS Campaign Infrastructure

An earlier botnet referenced as the predecessor to DDoSia.

sentinelone labsNews

Apr 11, 2025

NoName057(16) - The Pro-Russian Hacktivist Group Targeting NATO | SentinelOne

Botnet reportedly used by NoName057(16) to conduct DDoS attacks.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching4

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.