Investigating the Infrastructure Behind DDoSia's Attacks
DDoSia, a participatory DDoS tool created by Russian hacktivists in 2022, is operated by the pro-Russian group NoName057(16). It relies on volunteers to contribute network resources for attacks, primarily targeting Ukraine, European allies, and NATO states. Censys has monitored DDoSia since mid-2025, observing an average of 6 control servers with short lifespans. The tool uses a multi-layered control infrastructure, with systems typically hosted on VPS providers. Despite law enforcement disruption in July 2025, DDoSia quickly reconstituted and resumed operations. The infrastructure is characterized by rapid changes, with most servers active for less than 24 hours. Attacks focus on government, military, transportation, public utilities, financial, and tourism sectors.
AI Analysis
Technical Summary
DDoSia is a distributed denial-of-service (DDoS) tool created by Russian hacktivists and operated by the pro-Russian group NoName057(16) since 2022. It functions as a participatory platform where volunteers contribute their network resources to amplify attack traffic. The infrastructure behind DDoSia is characterized by a multi-layered control system, typically hosted on virtual private servers (VPS) with very short lifespans, often less than 24 hours, to evade detection and takedown efforts. Censys monitoring since mid-2025 has observed an average of six control servers active at any time, which rotate rapidly to maintain operational continuity. The tool targets Ukraine, European allies, and NATO states, focusing on critical sectors such as government, military, transportation, public utilities, financial institutions, and tourism. Despite law enforcement disruption in July 2025, the infrastructure quickly reconstituted, demonstrating resilience and adaptability. The attack methodology relies on the collective bandwidth and computing power of volunteer participants rather than on exploiting software vulnerabilities. The threat is persistent and strategically aimed at destabilizing key infrastructure in targeted and allied nations; its medium severity rating reflects its disruptive potential, tempered by its dependence on volunteer participation and the absence of direct vulnerability exploitation.
Potential Impact
For European organizations, the DDoSia threat poses significant risks primarily through service disruption. Targeted sectors such as government, military, transportation, public utilities, financial services, and tourism are critical to national security and economic stability. Successful DDoS attacks can degrade or deny access to essential services, causing operational downtime, financial losses, reputational damage, and potential cascading effects on public safety and national defense. The rapid infrastructure turnover and resilience of DDoSia complicate mitigation and response efforts, increasing the likelihood of sustained or repeated attacks. European allies and NATO members face heightened risk due to the geopolitical motivations behind the attacks. The threat could also strain incident response resources and necessitate increased investment in DDoS mitigation technologies and cross-border cooperation. While the attacks do not directly compromise data confidentiality or integrity, the availability impact alone can have severe consequences for critical infrastructure and government operations.
Mitigation Recommendations
European organizations should implement advanced DDoS mitigation strategies tailored to the evolving tactics of DDoSia. This includes deploying scalable, cloud-based scrubbing services capable of absorbing large volumetric attacks and filtering malicious traffic in real time. Network segmentation and redundancy can limit the impact on critical systems. Organizations should establish robust traffic monitoring and anomaly detection to identify early signs of DDoS activity, leveraging threat intelligence feeds that include indicators related to DDoSia infrastructure. Collaboration with national CERTs, ISPs, and international partners is essential for rapid information sharing and coordinated response. Given the short lifespan of control servers, continuous monitoring of VPS providers commonly abused by DDoSia can aid in proactive takedown requests. Incident response plans must be updated to address prolonged or repeated DDoS campaigns, including communication strategies for stakeholders and customers. Finally, organizations should conduct regular resilience testing and staff training to ensure preparedness against multi-vector DDoS attacks.
Affected Countries
Ukraine, Poland, Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://censys.com/blog/ddosia-infrastructure
- Adversary: NoName057(16)
- Pulse ID: 69412b5c6fb2a99780607ae9
- Threat Score: null
Threat ID: 694154d05e006677ae0dd866
Added to database: 12/16/2025, 12:47:12 PM
Last enriched: 12/16/2025, 12:55:42 PM
Last updated: 2/7/2026, 5:10:58 PM
Views: 538