Keypoints
- NoName057(16) published updated DDoSia binaries on 2023-11-11 adding 32-bit and FreeBSD support and shipping multiple executables per OS/architecture.
- The DDoSia client performs an encrypted HTTP POST to [ip]:[port]/client/login containing a GUID (client) and detailed host metadata for user identification and tracking.
- The GUID (C) is derived from the Windows registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid, and the U value maps to client_id.txt from the Telegram bot registration.
- Administrators instruct Russian-based users that using a VPN is optional, while users outside Russia are told to use a VPN; distribution and instructions are published on Telegram and telegra.ph.
- C2 infrastructure has been rotated frequently in 2024 (dozens of changes in weeks) across Europe, Asia, Africa and the Americas to mitigate takedowns and restore service quickly.
- Victimology: majority government-related targets, with notable focus on Ukraine, Finland, Italy and transport/banking sectors; DDoSia also appears to operate its own attack nodes in addition to user clients.
- Sekoia tracked many active C2 IPv4 addresses and provides IoCs and a CSV repository for analysts to consume.
MITRE Techniques
- [T1499] Endpoint Denial of Service – Used to carry out volumetric/availability attacks via the DDoSia client; the client's own log output indicates mass-target attack operations. (‘loaded 285 targets…’)
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication uses HTTP POST to [ip]:[port]/client/login to send encrypted payloads. (‘POST /client/login HTTP/1.1’)
- [T1082] System Information Discovery – The client collects detailed host metadata (user name, OS, kernel version, architecture, CPU cores, registration time, timezone) and sends it to C2. (‘"SystemUserName":"User","OS":"windows","KernelVersion":"10.0.22621.2428 Build 22621.2428","CPUCores":1’)
- [T1012] Query Registry – The GUID used to uniquely identify the machine is extracted from the Windows registry MachineGuid key. (‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid’)
- [T1102] Web Service – Operators distribute binaries, instructions and coordinate via Telegram channels and telegra.ph pages and a Telegram bot for registration. (‘t.me/DDosiabot’, ‘hxxps://telegra[.]ph/Instrukciya-dlya-uchastnikov-proekta-DDoSia-Project-12-04’)
- [T1588] Obtain Capabilities – Project administrators publish precompiled DDoS binaries across multiple OS/architectures (Windows x86/x64/ARM64, Linux, FreeBSD, macOS) for user deployment. (‘d_win_x64.exe’, ‘d_lin_x64’, ‘d_freebsd_x32’, ‘d_mac_arm64’)
Indicators of Compromise
- [IPv4] Observed C2 addresses used for control and target distribution – 38.180.95[.]29 (Hong Kong), 77.75.230[.]221 (Czech Republic; reused from 2023), and many others listed (multiple dozen IPv4s).
- [Filenames / Binaries] DDoSia executables distributed in ZIP – d_win_x64.exe, d_lin_x64, d_freebsd_x32, d_mac_arm64 (multi-architecture and multi-OS payloads).
- [Domains / URLs] Distribution and instructions pages – hxxps://telegra[.]ph/Instrukciya-dlya-uchastnikov-proekta-DDoSia-Project-12-04; Telegram bot t[.]me/DDosiabot for client registration and client_id.txt retrieval.
- [Registry Key] Machine identifier source – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid used to derive the client GUID for C2 identification.
- [Hosting/ASN] Notable ASNs and hosts tied to C2 infrastructure – AS9009 (M247) e.g., 38.180.95[.]29; AS44477 (STARK-INDUSTRIES) e.g., 5.252.23[.]100; and other AS entries in the provided table.
The updated DDoSia release (shared 2023-11-11) packages multiple executables targeting Windows (x86, x64, ARM64), Linux (x86, x64, ARM), macOS (x64, arm64) and FreeBSD (x86/ARM). Executables are grouped into regional folders (d_eu, d_ru) and present an initial login sequence that fetches a target list; the client then issues an HTTP POST to [ip]:[port]/client/login containing an encrypted JSON payload. The POST carries a GUID (“client”) and a U value linked to client_id.txt from the Telegram bot; the GUID on Windows is derived from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid, enabling persistent, unique host identification.
Before attack execution the client collects and transmits host telemetry (SystemUserName, OS, KernelVersion, KernelArch, PlatformFamily, CPUCores, RegisterTime, TimeZone), which operators likely use for fleet management and statistical tracking. The latest tooling encrypts the JSON content sent to C2 (previous versions sent it in cleartext), improving the operators' operational security. Distribution, instructions, and registration are handled via Telegram channels, a Telegram bot (t.me/DDosiabot) and a telegra.ph instruction page; operators advise VPN use for non-Russian hosts and optional VPN usage for Russian hosts.
Operational infrastructure shows fast, frequent C2 IPv4 rotations across numerous countries and ASNs (dozens of activations within weeks). Analysts should monitor the provided IPv4 list and ASNs, block or sinkhole observed C2 addresses where possible, and treat the multi-architecture binaries as indicators when hunting. Investigations should look for the client GUID pattern (matching MachineGuid-derived values), registration artifacts (client_id.txt), and outgoing POSTs to /client/login with encrypted JSON to detect infected/participating hosts.
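The hunting guidance above can be turned into a small log check. The following is an added example (not Sekoia's code or tooling): it scans constructed, simplified Zeek-style HTTP log lines for the two signals the report describes, a request to one of the published C2 IPv4 addresses, and a POST to /client/login whose Host value is a bare [ip]:[port] pair. The log layout, field names and the 10.0.0.x / 203.0.113.x / 198.51.100.x addresses are assumptions for the sample.

```python
from ipaddress import ip_address
from typing import Optional

C2_LOGIN_PATH = "/client/login"

# C2 IPv4 addresses from the report's IoC list (subset; extend from the CSV repository).
KNOWN_C2 = {"38.180.95.29", "77.75.230.221", "5.252.23.100"}

# Constructed sample log: tab-separated, simplified Zeek http.log-style columns
# (ts, id.orig_h, id.resp_h, id.resp_p, method, host, uri, content_type).
SAMPLE_LOG = """\
1715000001.1\t10.0.0.5\t38.180.95.29\t80\tPOST\t38.180.95.29:80\t/client/login\tapplication/json
1715000002.2\t10.0.0.7\t203.0.113.10\t8080\tPOST\t203.0.113.10:8080\t/client/login\tapplication/json
1715000003.3\t10.0.0.9\t198.51.100.4\t443\tGET\t198.51.100.4:443\t/client/login\ttext/html
1715000004.4\t10.0.0.5\t93.184.216.34\t80\tGET\texample.com\t/index.html\ttext/html
"""

def _is_ip_port_host(host: str) -> bool:
    """True when Host is a bare IPv4 address plus port, the [ip]:[port] form the client uses."""
    addr, sep, port = host.rpartition(":")
    if not sep or not port.isdigit():
        return False
    try:
        ip_address(addr)
    except ValueError:
        return False
    return True

def parse_line(line: str) -> dict:
    keys = ("ts", "orig_h", "resp_h", "resp_p", "method", "host", "uri", "content_type")
    return dict(zip(keys, line.rstrip("\n").split("\t")))

def classify(entry: dict, known_c2: set) -> Optional[str]:
    """Return a verdict for one log entry, or None when it does not match the DDoSia login pattern."""
    if entry["uri"] != C2_LOGIN_PATH:
        return None
    if entry["resp_h"] in known_c2:
        return "known_c2"            # destination is a published C2 address
    if entry["method"] == "POST" and _is_ip_port_host(entry["host"]):
        return "ddosia_login_pattern"  # same shape as the client's login, unknown destination
    return None

def hunt(log_text: str, known_c2: set = KNOWN_C2) -> list:
    """Return (source host, destination ip:port, verdict) for every matching line."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_line(line)
        verdict = classify(entry, known_c2)
        if verdict:
            findings.append((entry["orig_h"], f'{entry["resp_h"]}:{entry["resp_p"]}', verdict))
    return findings
```

A "ddosia_login_pattern" hit on an unlisted destination is a candidate for enrichment against the ASN list and the CSV repository, not a confirmed C2.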
Read more: https://blog.sekoia.io/noname05716-ddosia-project-2024-updates-and-behavioural-shifts/