NoName logo

Welcome to WithAName!

DDoSia C2 configuration tracker & threat intelligence feed

TLP:UNCLEARBrowse configurations · Search targets · C2 IPs (protected) · CSV export (protected)
Operation Eastwood

Operation "Eastwood" was conducted between 14-17 July 2025, coordinated by Europol and Eurojust, with support from law enforcement agencies across 12 European countries, the USA, and other international partners.

Authorities seized over 100 servers used by NoName057(16), effectively dismantling most of the group's attack infrastructure, including its central command servers.

Europol press release

On July 23rd 2025, they were back and bot started monitoring again.

What is DDoSia?

DDoSia is a specialized toolkit crafted by the hacker collective NoName057(16) explicitly for executing DDoS (Distributed Denial of Service) attacks, primarily targeting nations critical of the Russian invasion of Ukraine.

Initially coded in Python, DDoSia used CPU threads to launch a lot of network requests simultaneously. However, due to its inefficiency, the hackers transitioned to using Go. The updated Go versions function seamlessly across various platforms, with variants tailored for major operating systems such as Windows, macOS, Linux, and Android having been identified. The group remains actively engaged in refining the project.

The setup features dynamic configuration, hosted on a Command and Control (C2) server, with only the initial level publicly disclosed. Updates occur with varying frequency, but consistently at least once daily.

For more details: Malpedia

Why this website?

Because sharing is caring. This is free — when a new configuration is detected we add it in near real-time. The configuration is in JSON format; we also provide a CSV file with key elements.

We will not notify you, but feel free to monitor via the Atom feed or follow us on Mastodon.

Configuration structure

The configuration is split in two parts: targets and randoms.

targets contains all targets and the associated rules. The same domain/hostname can appear multiple times but with different attack rules.

{
  "target_id": "target id",
  "request_id": "request id",
  "host": "hostname to attack",
  "ip": "ip of the hostname",
  "type": "http|http2|http3|nginx_loris|tcp|udp",
  "method": "GET|POST|syn|ack|SYN|syn_ack|udp_flood|PING",
  "port": 443,
  "use_ssl": true,
  "path": "/url/to/attack",
  "body": { "type": "str", "value": "parameter" },
  "headers": null
}

randoms is a list of rules used to generate random strings in target rules. Each $_* in target rules is replaced by the output of the linked randoms field.

{
  "name": "rule name",
  "id": "rule id",
  "digit": true,
  "upper": false,
  "lower": true,
  "min": 5,
  "max": 12
}
User-Agents used by DDoSia
Latest version (15/01/2025)
  • AppleCoreMedia/1.0.0.23A344 (Macintosh; U; Intel Mac OS X 14_0; da_dk)
  • Dalvik/2.1.0 (Linux; U; Android 11; Tibuta_MasterPad-E100 Build/RP1A.201005.006)
  • Mozilla/5.0 (Linux; Android 11; SM-A115M Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/102.0.5005.125 Mobile Safari/537.36 Instagram 306.0.0.35.109 Android (30/11; 280dpi; 720x1411; samsung; SM-A115M; a11q; qcom; pt_BR; 530130405)
  • Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-T220) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/23.0 Chrome/115.0.0.0 Mobile Safari/537.36
  • Mozilla/5.0 (Linux; Android 13; SM-F711U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36 EdgA/114.0.1823.43
  • Mozilla/5.0 (Linux; Android 6.0.1; SM-G532MT Build/MMB29T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/99.0.4844.88 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/436.0.0.35.101;]
  • Mozilla/5.0 (Linux; Android 9) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/119.0.6045.66 Mobile DuckDuckGo/1 Lilo/1.2.3 Safari/537.36
  • Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050319
  • Mozilla/5.0 (Macintosh; U; PPC; en-US; rv:0.9.3) Gecko/20010802
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.76 GLS/97.10.7399.100
  • Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/102.0.5143.178 Chrome/102.0.5143.178 Safari/537.36
  • Mozilla/5.0 (X11; Linux x86_64; SMARTEMB Build/3.12.9076) AppleWebKit/537.36 (KHTML, like Gecko) Chromium/103.0.5060.129 Chrome/103.0.5060.129 Safari/537.36
  • Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1
  • Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2
  • Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/115.0.5738.217 Chrome/115.0.5738.217 Safari/537.36
  • Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/19G82 Instagram 306.0.0.20.118 (iPhone12,1; iOS 15_6_1; en_GB; en; scale=2.00; 828x1792; 529083166) NW/3
  • Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [LinkedInApp]/9.28.7586
Clear Web · Dark Web
IP address data powered by ONYPHE