Following NoName057(16) DDoSia Project’s Targets

Researchers describe the DDoSia project, a DDoS toolkit used by the NoName057(16) hacktivist group against countries critical of Russia, detailing how targets are chosen, decrypted, and attacked. The analysis covers Telegram-based distribution, an AES-GCM encryption mechanism for target data, and notable campaigns against Ukraine, France, and other NATO-aligned entities. #NoName057(16) #DDoSia #GoStresser #WagnerGroup #RATP #KyivCityGovUa

Key points

  • The DDoSia toolkit is developed and used by the NoName057(16) group to target countries critical of Russia.
  • It started on Telegram in early 2022, with large subscriber bases and cryptocurrency donations via TON wallets.
  • Administrators frequently claim successful attacks against European, Ukrainian, and U.S. government entities, media, and private companies.
  • The project evolved from a Python tool performing CPU-based HTTP DDoS to a newer version that conceals the target list with encryption.
  • User access is via Telegram channels and a bot; registration requires a TON wallet and delivers client_id.txt and help.txt files.
  • Targets are delivered through an encrypted C2 channel (AES-GCM), with the decryption revealing the list of targets including hosts, IPs, and HTTP parameters.
  • Analysts identified a focus on Ukraine and NATO countries, with notable campaigns against AXA, BPCE, RATP, and even Wagner-group-related domains on a specific day.

MITRE Techniques

  • [T1071.001] Web Protocols – The malware communicates with the C2 over HTTP using POST and GET requests to authenticate and retrieve targets. Quote: ‘When the malware is launched, it makes a POST request to the URL hxxp://[IP]/client/login to authenticate with the C2.’
  • [T1027] Obfuscated/Compressed Files and Information – Data is AES-GCM encrypted before transmission, with dynamic analysis revealing the decryption process. Quote: ‘data are AES-GCM encrypted’ and ‘the data field… contains an encrypted text.’
  • [T1041] Exfiltration Over C2 Channel – The C2 returns a JSON payload containing token and data, and then provides a list of targets to the client. Quote: ‘The C2 returns a dictionary in JSON format. On one hand the previous but modified token, and on the other hand a data field in which there is an encrypted text. This field contains the list of targets.’

Indicators of Compromise

  • [Hash] DDoSia malware – 761075da6b30bb2bcbb5727420e86895b79f7f6f5cebdf90ec6ca85feb78e926, fae9b6df2987b25d52a95d3e2572ea578f3599be88920c64fd2de09d1703890a
  • [File name] DDoSia malware – d_linux_amd64, d_linux_arm
  • [File name] DDoSia malware – d_mac_amd64, d_mac_arm64
  • [IP address] DDoSia C2 – 94.140.114.239, 104.18.20.41
  • [Domain] Target domains – id.kyivcity.gov.ua, e-journal.iea.gov.ua

Read more: https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/