Project DDoSia is a bot software created by a pro-Russian group, NoName057(16). It is used to create voluntary botnets that are used for performing DDoS attacks. These attacks are targeted at European countries, predominantly Ukraine. In order to incentivize participation, the authors of the software give out rewards for the users who contribute the most to the attacks. This paper explores the timeline of Project DDoSia, from how it was created to its development and present state.
Keywords: DDoS, Cybersecurity, Bot, Botnet
Distributed denial of service (DDoS) attacks are among the most powerful and impactful cyberattacks to date. The reason is that there is no easy way to fend them off, even less so if the victim cannot afford the hardware or services needed to filter the incoming malicious traffic. These attacks are performed by flooding the victim with garbage traffic and thereby overloading the victim's devices. To generate the volume of traffic needed to cause this overload, attackers construct and use botnets. A botnet is a group of internet-connected computers controlled by a person or organization called the botmaster. The botmaster specifies the victim to which malicious traffic should be sent. Botnets can range from a couple of devices to many hundreds of thousands of devices. In order to create such expansive botnets, botmasters infect vulnerable computers with malware that allows them to issue commands to the infected computers. This is a time-consuming process that does not necessarily succeed. To accelerate it, botmasters can pay other malicious actors to do this job instead. Project DDoSia is bot software that takes an interesting, different approach to expanding its botnet: joining the botnet is entirely voluntary.
Figure 1: Network structure of a botnet [6]
Project DDoSia was “officially” announced by the pro-Russian group NoName057(16) on September 15, 2022. The initial idea was for it to be a new botnet alongside the then-larger “Bobik” botnet, which was eventually taken down. The group enticed people to join the Project DDoSia botnet by offering rewards to those who displayed the best performance. As of January 11, 2023, Project DDoSia had around a thousand bots in its botnet. [2]
Project DDoSia is distributed via the social media platform “Telegram”. Volunteers are invited to the group, where they register in an automated manner through a bot. If they wish, volunteers can provide a crypto wallet during registration, allowing them to receive rewards if they carry out enough attacks to be eligible for one. After successful registration, the bot gives the new member a DDosia.zip archive with the executable. There is a version for all major platforms, namely Linux, macOS and Windows.
Figure 2: Messages in the Project DDoSia Telegram channel regarding rewards [1]
The .zip archive contains a Python script, obfuscated in a rudimentary manner.
For Linux and macOS, the .zip archive contains an executable file built from that Python script. Other than that, the functionality of the client is the same.
When executed, the Python script starts the client, which begins talking to the command and control (C&C) server and identifies the user by sending the data stored in the client_id.txt file, also located in the .zip archive. This identifier is used to tell users apart and to measure how successfully each user partakes in the attacks, which in turn determines eligibility for a reward. In further communication, the C&C server sends a .json file that contains the list of targets the client should attack and specifies how the traffic should be generated. Up to this point, the protocol used to send the generated traffic is HTTP. The interesting part is that all communication with the C&C server is unencrypted and unauthenticated, meaning that any device can listen in on the communication, and any device can initiate communication with the C&C server, as long as it knows the server's IP address.
The C&C server is a simple web server with two notable endpoints:
- hxxp://109.107.181[.]130:5001/client/get_targets
- hxxp://109.107.181[.]130:5001/set_attack_count
These endpoints are used, respectively, for sending the .json file containing the attack victims to the bots and for receiving the performance report of a particular bot.
It is estimated that the botnet could produce around 900,000 requests per minute, making its attacks a formidable threat to small networks that are not prepared for traffic of that scale. The targets of the botnet are similar to those of the “Bobik” botnet, which was also used by the NoName057(16) group. A few of the targets can be seen in the table below.
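As an added example, not part of this paper or of the DDoSia software, the following Python snippet shows how a defender could pick the two endpoint paths above out of web-proxy logs to spot volunteer clients inside their own network. The log layout and the internal 10.0.0.x hosts are constructed; only the C&C address and paths come from the text.

```python
import re
from collections import defaultdict

# Endpoint paths of the first-generation DDoSia C&C server, as listed above.
# The path is the stable part; the IP or proxy in front of it may change.
C2_PATHS = ("/client/get_targets", "/set_attack_count")

# Constructed sample in a Squid-like access-log layout: timestamp, client, verb, URL.
# The C&C IP is the one cited in the text; the internal 10.0.0.x hosts are made up.
SAMPLE_LOG = """\
1673450001.120 10.0.0.17 GET http://109.107.181.130:5001/client/get_targets
1673450001.900 10.0.0.17 POST http://109.107.181.130:5001/set_attack_count
1673450002.300 10.0.0.42 GET http://example.com/index.html
1673450003.010 10.0.0.99 GET http://109.107.181.130:5001/client/get_targets
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<verb>[A-Z]+)\s+"
    r"(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$"
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_ddosia_clients(log_text):
    """Map each internal source IP to the sorted list of C&C endpoint paths it touched.
    Only plain HTTP is considered: the first-generation client talked to the C&C
    server unencrypted, so a TLS session to the same host is not flagged here."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["scheme"] != "http":
            continue
        path = rec["path"] or "/"
        for c2_path in C2_PATHS:
            if path.startswith(c2_path):
                hits[rec["src"]].add(c2_path)
    return {src: sorted(paths) for src, paths in hits.items()}

def full_cycle_clients(hits):
    """Sources that both fetched targets and reported attack counts: the strongest signal."""
    return sorted(src for src, paths in hits.items() if set(paths) == set(C2_PATHS))
```

Running find_ddosia_clients over real proxy logs yields one entry per internal host that contacted the C&C, and full_cycle_clients narrows that to hosts that completed the fetch-then-report cycle.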
| Website URL | Company Type | Country |
|---|---|---|
| accordbank.com.ua | Bank | Ukraine |
| www.i-unija.lt | Bank | Lithuania |
| nit.school | Education | Ukraine |
| auth.cdu.edu.ua | Education | Ukraine |
| www.hrx.fi | Logistics | Finland |
| crm.rmcargo.lt | Logistics | Lithuania |
| education.umj.com.ua | Education | Ukraine |
| www.sejm.gov.pl | Government | Poland |
| www.rs.gov.lv | Government | Latvia |
Table 1: Some of the targets of the Project DDoSia botnet [1]
Although capable, the Project DDoSia botnet did not acquire a pristine attack record. In fact, only around 13% of all attacks were successful, meaning that the target actually ceased to provide its services. [1]
In late 2022 a new version of the bot software was detected, this time written in Go. The suspected reason for the change is the need for better performance in generating the malicious traffic. Cross-platform availability is still supported.
The C&C server changed as well: a bot must now authenticate before it can begin communicating with the server.
Figure 3: Communication flow between a bot and the C&C server [2]
Additionally, the .json file describing attack targets is now encrypted with a symmetric key. Architecturally, the C&C server is at this point located behind two proxy servers, which protect it by keeping its IP address secret.
Figure 4: C&C server architecture of the newer version of Project DDoSia botnet [2]
In April 2023 the number of users in the Project DDoSia Telegram group rose to 10,000. In March 2024, this number was approaching 20,000 users. [5] At the time of writing of this paper, this number can be expected to exceed 20,000 users. [2]
With its growing capabilities and resources, the Project DDoSia botnet has expanded its list of targets, adding and heavily targeting Finland and Italy alongside Ukraine. The most prevalent targets are government organizations, followed by banking and transportation organizations.
Figure 5: A map of targeted countries by the Project DDoSia botnet in 2024 [5]
Project DDoSia is a new approach to creating malicious botnets. With the political turmoil that began in Eastern Europe in the first half of 2022, differing opinions and ideas started to arise. Project DDoSia exploits this tense political climate to recruit volunteers who add their devices to the botnet, providing additional resources for generating malicious traffic. Alongside the political motivation, which seems to be the prevalent one, there is also a financial motivation, since the users who contribute the most to the attacks are eligible for a reward that can equal one to two average monthly salaries in the Russian Federation. Although this sum of money is not small, the payouts are irregular and go to only a handful of participants, indicating that the primary motive is political.
[1] Martin Chlumecký: "DDosia Project: Volunteers Carrying out NoName(057)16’s Dirty Work". Accessed: 17.1.2025.
[2] Martin Chlumecký: "DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks". Accessed: 17.1.2025.
[3] SOCRadar: "What is DDoSia Project?". Accessed: 17.1.2025.
[4] Amaury G., Charles M. and Sekoia TDR: "Following NoName057(16) DDoSia Project’s Targets". Accessed: 17.1.2025.
[5] Sekoia TDR, Amaury G. and Maxime A.: "NoName057(16)’s DDoSia project: 2024 updates and behavioural shifts". Accessed: 17.1.2025.
[6] Mahmoud, Muhammad, Manjinder Nir, and Ashraf Matrawy. “A survey on botnet architectures, detection and defences.” Int. J. Netw. Secur. 17.3 (2015): 264-281.