DDoS and Phishing Activity Targeting Germany, Israel, and Canadian Residents
Reporting described multiple, unrelated threat activities rather than a single cohesive incident. SOCRadar assessed a sustained DDoS campaign by NoName057(16) using the DDoSia toolset during March 2–8, 2026, logging 7,512 attack entries against 169 domains and 153 IPs, with Germany as the primary target (65.6% of entries) and Israel as a major secondary target (19.7%). The most notable pattern was heavy, systematic disruption of Germany’s public procurement ecosystem, including at least 17 procurement portals (974 entries), alongside Israeli targeting across defense industry, finance, telecom, and municipal services.
Separately, Flare reported an active phishing campaign using fraudulent domains impersonating Canadian institutions (including the Government of British Columbia and Hydro-Québec) to harvest personal and payment data; the infrastructure was linked to RouterHosting LLC / Cloudzy, a provider previously accused (in 2023) of supporting services used by multiple state-sponsored groups, including Iran-aligned actors. Two other items were not incident-specific: Hackmageddon published aggregated February 2026 attack statistics, and DataBreaches.Net summarized research on offender age distribution in cybercrime; both are higher-level analysis and do not materially add to the DDoS or phishing reporting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Infrastructure analysis links phishing domains to RouterHosting/Cloudzy
Flare's analysis connected multiple phishing domains through shared hosting IPs and SSL certificate data, repeatedly tying the infrastructure to RouterHosting LLC, rebranded as Cloudzy. A broader scan found more than 28,000 RouterHosting-hosted domains, including 134 .ca domains, many with suspicious Canada-themed naming patterns.
Active phishing campaign targets Canadians via fake government and utility domains
By March 2026, researchers observed an active phishing campaign using fraudulent domains impersonating institutions including the Government of British Columbia and Hydro-Québec to steal personal and payment-card information from Canadian residents. The phishing flow accepted obviously invalid personal data before requesting card details, indicating weak or absent validation.
DDoS activity peaks and German procurement portals are heavily targeted
On March 3, 2026, the campaign reached its peak volume, with Germany's public procurement ecosystem emerging as a major focus. At least 17 procurement portals were attacked for 974 entries, an unprecedented concentration by this actor against a single government function.
NoName057(16) launches coordinated DDoS campaign against Germany and Israel
During March 2–8, 2026, the pro-Russian hacktivist group NoName057(16) conducted a sustained DDoS campaign using DDoSia, generating 7,512 recorded attack entries. Germany was the main target and Israel a major secondary target, with the activity described as geopolitically motivated.
Prior public allegations tie Cloudzy to state-sponsored hacking groups
In 2023, public reporting by Halcyon and Reuters alleged that Cloudzy/RouterHosting had provided services to numerous state-sponsored hacking groups. The March 2026 phishing infrastructure assessment cites these earlier allegations as relevant context for the current campaign.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Coordinated DDoS activity targeting government infrastructure in Europe and Russia
A sustained DDoS campaign attributed to **NoName057(16)** used the **DDoSia** tool to generate **6,649** recorded attack entries between Feb. 23 and Mar. 1, targeting **126 domains** and **135 IPs** with a multi-country focus on **Denmark, Greenland, and Ukraine**. Reported targeting emphasized public-sector services (about **44%** of attacks), alongside Ukrainian defense industry, tourism/travel (notably tied to Greenland’s economy), and transportation infrastructure; most traffic was directed at `443/tcp` (HTTPS). The activity aligns with politically motivated disruption tied to Denmark’s support for Ukraine and heightened Arctic sovereignty tensions involving Greenland. Separately, Russia’s internet regulator **Roskomnadzor** and the **Russian Defense Ministry** reported a “complex multi-vector” DDoS that briefly disrupted multiple government websites and related infrastructure, including systems of the **Main Radio Frequency Center (GRFC)**. Russian authorities said the attack was contained, but user reports indicated intermittent access issues persisted for days; the responsible actor was not identified and no public claim of responsibility was noted at the time of reporting. A ransomware “state of the month” roundup covering February incidents is not directly related to these DDoS events and should be treated as separate reporting.
Mar 21, 2026
NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest
SOCRadar reported a coordinated, multi-country **DDoS campaign** attributed to pro-Russian actor **NoName057(16)** using the **DDoSia** tool, with **5,830** recorded attack entries against **160 domains** and **181 IPs** during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the **UK (55%)**, followed by **Ukraine (12.7%)** and **Czechia (4.9%)**, and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that **port 443** was the most targeted. Separately, Polish authorities (CBCZ) arrested and then bailed a **20-year-old** suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible. An NSFOCUS monthly report on **December 2025 APT activity** (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.
Mar 21, 2026
Geopolitically driven cyber activity surges following Operation Epic Fury
Iran-linked threat actors escalated from espionage to **disruptive and destructive operations** in the wake of the US/Israel military campaign dubbed **Operation Epic Fury**, with reporting describing a coordinated hybrid offensive against Western, Israeli, and regional economic and critical infrastructure targets. Tenable assessed **MOIS-affiliated** groups as increasingly masking activity behind cybercriminal infrastructure to complicate attribution, and highlighted a notable rise in Iranian-nexus targeting of **internet-connected IP cameras** using known, exploitable vulnerabilities; the same reporting pointed to increased activity from **MuddyWater** and the **Void Manticore/Handala** persona, including indications of pre-positioned access ahead of the kinetic operations. Separate threat-intelligence reporting described **China-nexus** actors rapidly pivoting in the same geopolitical window, including activity against **Qatari entities** shortly after the initial strikes: **Camaro Dragon** attempted to deploy a **PlugX** variant using conflict-themed lures, and another intrusion attempt used **DLL hijacking** to deliver **Cobalt Strike**, consistent with China-aligned tradecraft. Other items in the set cover unrelated campaigns and incidents—an exposed **APT28** Roundcube exploitation toolkit targeting Ukrainian government mail infrastructure, a pro-Russian **NoName057(16)** DDoS campaign heavily targeting German and Israeli public-sector and commercial services, a Russian-speaking **BlackSanta** BYOVD “EDR killer” delivered via HR-themed lures and steganographic images, and a weekly bulletin summarizing multiple breaches (e.g., AkzoNobel, LexisNexis, Wikimedia, TriZetto)—and do not materially add to the Operation Epic Fury–linked escalation narrative.
Mar 31, 2026