NoName057(16) DDoSia Campaigns Targeting Belgium and NATO Entities
Pro-Russian hacktivist group NoName057(16) conducted a large-scale distributed denial-of-service (DDoS) campaign between December 8 and 14, 2025, primarily targeting organizations in Belgium and Ukraine. The campaign, orchestrated using the group's proprietary DDoSia tool, resulted in over 4,400 recorded attacks against 155 unique domains and 144 IP addresses, affecting both private sector infrastructure—such as telecommunications, utilities, and industrial organizations—and high-value government and defense-related services. The attacks also impacted European Union institutions and international organizations, highlighting the group's broad targeting scope and operational reach.
NoName057(16) is a pro-Russian hacktivist collective with origins linked to the Kremlin-backed Centre for the Study and Network Monitoring of the Youth Environment (CISM). The group leverages Telegram for coordination and GitHub for tool distribution, and has expanded its influence through collaborations with other pro-Russian groups, including the Cyber Army of Russia Reborn (CARR). Their operations have increasingly focused on NATO member states and adversaries of Russian geopolitical interests, with the DDoSia tool serving as a central component in mobilizing and executing attacks against critical infrastructure and government entities across Europe.
Sources
Related Stories
Pro-Russian Hacktivist DDoS Attacks Target Belgian Telecom Sector
Pro-Russian hacktivist group NoName057(16) claimed responsibility for distributed denial-of-service (DDoS) attacks that briefly disrupted the websites of Belgian telecom operators Proximus and Scarlet. The attacks, which occurred on a Wednesday morning, were detected and mitigated quickly by Proximus technicians, resulting in minimal impact. NoName057(16) also claimed to have targeted an internal Telenet portal, but Telenet denied any disruption or compromise. Ghent University Hospital was also affected by a DDoS attack around the same time, though there is no confirmation of a direct link to the telecom incidents. The attacks are part of a broader campaign announced by a coalition of eight hacktivist groups with pro-Russian and pro-Palestinian affiliations, which have threatened to target Belgium’s internet infrastructure with DDoS operations and potential data exposure. While the coalition itself has not issued operational claims or demonstrated verifiable activity, NoName057(16) continues to act independently, maintaining a pattern of targeting Belgian entities. The campaign is expected to persist, with further DDoS attempts and possible claims of data exposure anticipated in the near future.
4 months ago
NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest
SOCRadar reported a coordinated, multi-country **DDoS campaign** attributed to pro-Russian actor **NoName057(16)** using the **DDoSia** tool, with **5,830** recorded attack entries against **160 domains** and **181 IPs** during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the **UK (55%)**, followed by **Ukraine (12.7%)** and **Czechia (4.9%)**, and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that **port 443** was the most targeted. Separately, Polish authorities (CBCZ) arrested and then bailed a **20-year-old** suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible. An NSFOCUS monthly report on **December 2025 APT activity** (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.
1 months agoCoordinated DDoS activity targeting government infrastructure in Europe and Russia
A sustained DDoS campaign attributed to **NoName057(16)** used the **DDoSia** tool to generate **6,649** recorded attack entries between Feb. 23 and Mar. 1, targeting **126 domains** and **135 IPs** with a multi-country focus on **Denmark, Greenland, and Ukraine**. Reported targeting emphasized public-sector services (about **44%** of attacks), alongside Ukrainian defense industry, tourism/travel (notably tied to Greenland’s economy), and transportation infrastructure; most traffic was directed at `443/tcp` (HTTPS). The activity aligns with politically motivated disruption tied to Denmark’s support for Ukraine and heightened Arctic sovereignty tensions involving Greenland. Separately, Russia’s internet regulator **Roskomnadzor** and the **Russian Defense Ministry** reported a “complex multi-vector” DDoS that briefly disrupted multiple government websites and related infrastructure, including systems of the **Main Radio Frequency Center (GRFC)**. Russian authorities said the attack was contained, but user reports indicated intermittent access issues persisted for days; the responsible actor was not identified and no public claim of responsibility was noted at the time of reporting. A ransomware “state of the month” roundup covering February incidents is not directly related to these DDoS events and should be treated as separate reporting.
1 weeks ago