NoName057(16) DDoSia Campaigns Targeting Belgium and NATO Entities
Pro-Russian hacktivist group NoName057(16) conducted a large-scale distributed denial-of-service (DDoS) campaign between December 8 and 14, 2025, primarily targeting organizations in Belgium and Ukraine. The campaign, orchestrated using the group's proprietary DDoSia tool, resulted in over 4,400 recorded attacks against 155 unique domains and 144 IP addresses, affecting both private sector infrastructure—such as telecommunications, utilities, and industrial organizations—and high-value government and defense-related services. The attacks also impacted European Union institutions and international organizations, highlighting the group's broad targeting scope and operational reach.
NoName057(16) is a pro-Russian hacktivist collective with origins linked to the Kremlin-backed Centre for the Study and Network Monitoring of the Youth Environment (CISM). The group leverages Telegram for coordination and GitHub for tool distribution, and has expanded its influence through collaborations with other pro-Russian groups, including the Cyber Army of Russia Reborn (CARR). Their operations have increasingly focused on NATO member states and adversaries of Russian geopolitical interests, with the DDoSia tool serving as a central component in mobilizing and executing attacks against critical infrastructure and government entities across Europe.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
NoName057(16) conducts a large DDoS campaign targeting Belgium and Ukraine
Between December 8 and 14, 2025, NoName057(16) carried out a large-scale DDoS campaign focused mainly on Belgium and Ukraine, with additional attacks affecting EU institutions and international organizations. The activity included 4,435 attack entries against 155 unique domains and 144 IP addresses, using methods such as SYN Flood, HTTP Flood, and ACK Flood, with heavy targeting of HTTPS services.
NoName057(16) begins DDoS attacks using the DDoSia project
Since March 2022, the pro-Russian hacktivist group NoName057(16) has used the crowdsourced DDoSia platform to conduct distributed denial-of-service attacks against NATO- and Europe-linked organizations. The operation recruits participants via Telegram and uses a volunteer-driven model to sustain attacks against sectors including government, transportation, and telecommunications.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
NoName057(16) Hackers Using DDoSia DDoS Tool to Attack Organizations in NATO
cybersecuritynews.com
Open sourceHow NoName057(16) Uses DDoSia to Attack NATO Targets
picussecurity.com
Open sourceDDoSia Campaign Targeting Belgium: Weekly DDoS Threat Intelligence Analysis
socradar.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Pro-Russian Hacktivist DDoS Attacks Target Belgian Telecom Sector
Pro-Russian hacktivist group NoName057(16) claimed responsibility for distributed denial-of-service (DDoS) attacks that briefly disrupted the websites of Belgian telecom operators Proximus and Scarlet. The attacks, which occurred on a Wednesday morning, were detected and mitigated quickly by Proximus technicians, resulting in minimal impact. NoName057(16) also claimed to have targeted an internal Telenet portal, but Telenet denied any disruption or compromise. Ghent University Hospital was also affected by a DDoS attack around the same time, though there is no confirmation of a direct link to the telecom incidents. The attacks are part of a broader campaign announced by a coalition of eight hacktivist groups with pro-Russian and pro-Palestinian affiliations, which have threatened to target Belgium’s internet infrastructure with DDoS operations and potential data exposure. While the coalition itself has not issued operational claims or demonstrated verifiable activity, NoName057(16) continues to act independently, maintaining a pattern of targeting Belgian entities. The campaign is expected to persist, with further DDoS attempts and possible claims of data exposure anticipated in the near future.
Mar 21, 2026
NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest
SOCRadar reported a coordinated, multi-country **DDoS campaign** attributed to pro-Russian actor **NoName057(16)** using the **DDoSia** tool, with **5,830** recorded attack entries against **160 domains** and **181 IPs** during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the **UK (55%)**, followed by **Ukraine (12.7%)** and **Czechia (4.9%)**, and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that **port 443** was the most targeted. Separately, Polish authorities (CBCZ) arrested and then bailed a **20-year-old** suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible. An NSFOCUS monthly report on **December 2025 APT activity** (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.
Mar 21, 2026Coordinated DDoS activity targeting government infrastructure in Europe and Russia
A sustained DDoS campaign attributed to **NoName057(16)** used the **DDoSia** tool to generate **6,649** recorded attack entries between Feb. 23 and Mar. 1, targeting **126 domains** and **135 IPs** with a multi-country focus on **Denmark, Greenland, and Ukraine**. Reported targeting emphasized public-sector services (about **44%** of attacks), alongside Ukrainian defense industry, tourism/travel (notably tied to Greenland’s economy), and transportation infrastructure; most traffic was directed at `443/tcp` (HTTPS). The activity aligns with politically motivated disruption tied to Denmark’s support for Ukraine and heightened Arctic sovereignty tensions involving Greenland. Separately, Russia’s internet regulator **Roskomnadzor** and the **Russian Defense Ministry** reported a “complex multi-vector” DDoS that briefly disrupted multiple government websites and related infrastructure, including systems of the **Main Radio Frequency Center (GRFC)**. Russian authorities said the attack was contained, but user reports indicated intermittent access issues persisted for days; the responsible actor was not identified and no public claim of responsibility was noted at the time of reporting. A ransomware “state of the month” roundup covering February incidents is not directly related to these DDoS events and should be treated as separate reporting.
Mar 21, 2026