win.dosia

Dosia

aka: DDOSIA

Actor(s): NoName057(16)


Infrastructure and programs used, as the name suggests, for DDoSing.
It used to be written in Python; nowadays it is written in Go.

Clients:

- Are written in Go. (Used to be written in Python.)
- Do not seem to differ significantly across OS deployments. (Confirmed on Windows, macOS, Linux, Android.)
- Seem to be partly run by NoName themselves.
- Are partly also run by volunteers, who are recruited via dedicated Telegram channels and rewarded with cryptocurrency.
- Print a suggestion to use a VPN for Russia-based launches. (This makes IP-based blocking rather ineffective; consider behavioral analysis instead.)

Configuration:

- Rotates near-daily. Can be browsed on https://witha.name/ (also reachable via http://withanamemwesdvodfhthjq25a5a3uas24cpgoa7qm6gchcerzpis6qd.onion/).
- Is sent encrypted between the C2 and the client.
- Specifies target hostname, subpath, vector protocols, methods, ports, whether SSL is used, headers for HTTP, request bodies.
- Any given config property can be randomly generated with per-use constraints.
- Is provided by a multi-level hierarchy of C2 servers.

References

- 2025-07-22, Recorded Future (Insikt Group®): Anatomy of DDoSia: NoName057(16)'s DDoS Infrastructure and Targeting
- 2024-03-01, Sekoia (Sekoia TDR): NoName057(16)’s DDoSia project: 2024 updates and behavioural shifts
- 2023-06-29, Sekoia (sekoia): Following NoName057(16) DDoSia Project’s Targets
- 2023-05-08, Viuleeenz (Alessandro Strino): Extracting DDosia targets from process memory
- 2023-04-18, Avast Decoded (Martin Chlumecký): DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks
- 2023-04-17, BE42LATE (B42 Labs): Noname057(16) Attack Tracker
- 2023-04-17, Medium (@lcam) (Luca Mella): Data Insights from Russian Cyber Militants: NoName05716
- 2023-04-04, Team Cymru (S2 Research Team, Team Cymru): A Blog with NoName
- 2023-01-12, Sentinel LABS (Aleksandar Milenkoski, Tom Hegel): NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO (also tagged: Bobik, NoName057(16))

Yara Rules
[TLP:WHITE] win_dosia_w0 (20230615 | No description)
rule win_dosia_w0 {
    meta:
        author = "B42 Labs"
        date = "2023-04-13"
        hash_md5 = "ac0d5e1ec2664ad36db8877078bcf6c3"
        tlp = "CLEAR"
        yarahub_license = "CC0 1.0"
        yarahub_reference_md5 = "ac0d5e1ec2664ad36db8877078bcf6c3"
        yarahub_rule_matching_tlp = "CLEAR"
        yarahub_rule_sharing_tlp = "CLEAR"
        yarahub_uuid = "873ebbf5-9f83-4cf5-9670-b159211dd3c2"
        
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dosia"
        malpedia_version = "20230615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
    strings:
         $s_0 = "HttpJob" wide ascii
         $s_1 = "SayHallo" wide ascii
         $s_2 = "StartJob" wide ascii
         $s_3 = "FastRequest" wide ascii
         $s_4 = "SetStatToBot" wide ascii
         $s_5 = "GetTargets" wide ascii

    condition:
        filesize < 10MB  and (5 of ($s_*))
}