NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest
SOCRadar reported a coordinated, multi-country DDoS campaign attributed to pro-Russian actor NoName057(16) using the DDoSia tool, with 5,830 recorded attack entries against 160 domains and 181 IPs during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the UK (55%), followed by Ukraine (12.7%) and Czechia (4.9%), and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that port 443 was the most targeted.
Separately, Polish authorities (CBCZ) arrested and then bailed a 20-year-old suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible.
An NSFOCUS monthly report on December 2025 APT activity (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Suspect is charged, admits most allegations, and is released on bail
After questioning, Polish authorities brought six charges related to disrupting IT systems and obtaining software used for attacks, carrying a maximum penalty of five years in prison. The suspect reportedly admitted most of the allegations, gave a statement, and was released on bail under non-custodial police supervision pending sentencing.
Polish police arrest suspected botnet-based DDoS operator
Poland's Central Bureau for Combating Cybercrime arrested a 20-year-old man suspected of launching DDoS attacks against numerous websites, including strategically important sites, using a multi-layered botnet. Officers searched his apartment, seized computer equipment, and said they dismantled infrastructure used to host and distribute DDoS tools.
NoName057(16) runs multi-country DDoS campaign
Between 2026-01-26 and 2026-02-01, the pro-Russian hacktivist group NoName057(16) conducted a coordinated DDoS campaign using DDoSia against targets in multiple countries. SOCRadar recorded 5,830 attack entries affecting 160 domains and 181 IP addresses, with the UK as the primary target and additional attacks on Ukraine, Czechia, and commercial or critical-infrastructure organizations.

