Back to Intelligence

Defending Against Pro-Russian Hacktivism: Countering CARR and NoName057(16) DDoS Operations

SA
Security Arsenal Team
July 8, 2026
6 min read

Introduction

In a significant development highlighting the evolving threat of politically motivated cyber operations, Spanish National Police, in coordination with the FBI, arrested a man in Palencia this March for his alleged role in supporting pro-Russian hacktivist groups. The suspect is charged with membership in a terrorist organization, glorifying terrorism, and causing computer damage linked to the Cyber Army of Russia Reborn (CARR) and NoName057(16).

For security practitioners, this arrest is a stark reminder that "hacktivism" is no longer the domain of isolated actors. These groups operate with structured logistics, leveraging cryptocurrency for funding and encrypted platforms like Telegram for command and control (C2). While often dismissed as mere nuisance actors, groups like NoName057(16) utilize sophisticated Layer 7 DDoS tools and botnets that can disrupt critical infrastructure and commercial availability. Defenders must treat these operations with the same rigor as state-sponsored espionage, focusing on disrupting the attack chain and identifying compromised internal assets participating in these campaigns.

Technical Analysis

Threat Actor Profile

  • Groups Involved: NoName057(16), CARR (Cyber Army of Russia Reborn).
  • Tactics, Techniques, and Procedures (TTPs): These actors primarily rely on distributed denial-of-service (DDoS) attacks targeting web servers and APIs. Their operations often utilize custom toolkits (such as the "DDoSia" tool associated with NoName) which recruits volunteers to install software that turns their machines into attack nodes.
  • Attack Vector: The attack chain typically begins with recruitment via Telegram channels, where supporters download Python-based scripts or executables. These tools then coordinate HTTP/S floods to overwhelm target infrastructure.
  • Infrastructure: The recent arrest highlights the use of cryptocurrency for operational funding and Telegram for operational security and coordination. The attack traffic originates from a distributed network of compromised residential and business IPs, making simple IP blocking ineffective.

Exploitation Status

  • Active Exploitation: Yes. NoName057(16) and affiliated groups maintain a high tempo of operations, regularly posting "target lists" of government and private sector entities.
  • Tools: HTTP flood tools,_slowloris variants, and VPN-based bypass techniques to evade geo-blocking.

Detection & Response

Sigma Rules

The following Sigma rules aim to detect the presence of common DDoS tooling often distributed by these groups and the network behavior indicative of a compromised host participating in a flood.

YAML
---
title: Potential NoName057(16) DDoS Tool Execution
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects execution of common Python-based DDoS scripts often distributed via Telegram channels by hacktivist groups like NoName057(16).
references:
  - https://securityaffairs.com/194894/hacktivism/spanish-police-arrest-man-linked-to-carr-z-pentest-and-noname05716.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.006
logsource:
  category: process_creation
  product: windows
detection:
  selection_python:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
    CommandLine|contains:
      - 'requests.get'
      - 'urllib.request'
      - 'socket.connect'
  selection_suspicious_args:
    CommandLine|contains:
      - 'threading'
      - 'flood'
      - 'attack'
      - 'target'
  condition: all of selection_*
falsepositives:
  - Legitimate Python development or scripting (rare with specific threading/flood keywords)
level: high
---
title: High Volume Outbound HTTP Connections (Potential Bot)
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects endpoints initiating a high volume of outbound HTTP/HTTPS connections to distinct external destinations, indicative of DDoS participation.
references:
  - https://securityaffairs.com/194894/hacktivism/spanish-police-arrest-man-linked-to-carr-z-pentest-and-noname05716.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1498
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 80
      - 443
      - 8080
  filter:
    Initiated: true
  condition: selection | count(DestinationIp) > 50 by SrcIp within 1m
falsepositives:
  - Web servers, update servers, or heavy client browsing usage
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for internal endpoints exhibiting high-frequency network connections, a hallmark of systems compromised to participate in DDoS botnets.

KQL — Microsoft Sentinel / Defender
// Hunt for endpoints acting as DDoS bots (High connection frequency)
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionAccepted" or ActionType == "ConnectionInitiated"
| where RemotePort in (80, 443, 8080)
| summarize ConnectionCount = dcount(RemoteIP), DistinctIPs = make_set(RemoteIP, 100) by DeviceName, bin(Timestamp, 5m)
| where ConnectionCount > 100 // Threshold tuning required based on baseline
| sort by ConnectionCount desc
| extend AlertInfo = "Device initiating high volume of outbound connections to distinct IPs, possible DDoS participation."

Velociraptor VQL

This VQL artifact hunts for the presence of known DDoS tool filenames often associated with hacktivist packages running on Linux or Windows endpoints.

VQL — Velociraptor
-- Hunt for common hacktivist DDoS tool artifacts
SELECT 
  FullPath,
  Size,
  ModTime,
  Mode
FROM glob(globs="/tmp/**/*", root="/")
WHERE 
  FullPath =~ "ddos" OR 
  FullPath =~ "flood" OR 
  FullPath =~ "stress" OR
  FullPath =~ "ddosia"

-- Supplemental: Check for suspicious high-connect processes
SELECT Pid, Name, Exe, Cmdline
FROM pslist()
WHERE Cmdline =~ "threading" AND (Cmdline =~ "http" OR Cmdline =~ "socket")

Remediation Script (Bash)

For Linux servers often targeted or co-opted into these botnets, this script applies kernel parameter hardening to mitigate the impact of SYN floods and reduces the effectiveness of volumetric attacks.

Bash / Shell
#!/bin/bash
# Hardening script to mitigate DDoS impact on Linux endpoints
# Must be run as root

echo "[*] Applying kernel parameters for DDoS mitigation..."

# Enable SYN cookies protection
sysctl -w net.ipv4.tcp_syncookies=1

# Reduce SYN retries and backlog to drop SYN floods faster
sysctl -w net.ipv4.tcp_syn_retries=2
sysctl -w net.ipv4.tcp_synack_retries=2
sysctl -w net.ipv4.tcp_max_syn_backlog=2048

# Decrease time wait values to release resources faster
sysctl -w net.ipv4.tcp_fin_timeout=15
sysctl -w net.ipv4.tcp_tw_reuse=1

# Rate limiting ICMP (prevent ping flood participation)
sysctl -w net.ipv4.icmp_echo_ignore_all=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

echo "[*] Verifying IPTables rules to block common attack vectors..."

# Block invalid packets (common in spoofed DDoS attacks)
iptables -A INPUT -m state --state INVALID -j DROP

# Limit new connections per second per source IP (SYN flood protection)
iptables -A INPUT -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

echo "[+] Hardening applied. Ensure these rules are persisted in /etc/sysctl.conf and iptables-save."

Remediation

To effectively defend against the campaigns orchestrated by groups like CARR and NoName057(16), security teams should implement the following measures immediately:

  1. Network Traffic Analysis: Deploy deep packet inspection (DPI) at the perimeter to identify HTTP floods targeting specific URI patterns or User-Agents commonly used by DDoSia tooling.
  2. Rate Limiting and WAF Configuration: Configure Web Application Firewalls (WAFs) to enforce aggressive rate limiting on login pages and API endpoints. Implement challenges (JavaScript or CAPTCHA) for suspicious traffic originating from residential IPs.
  3. Endpoint Hygiene: Scan internal networks for unauthorized Python scripts or executables often dropped in C:\Temp or /tmp. The recruitment phase relies on users installing these tools; detection of the installation is critical.
  4. Block Communications: Where policy permits, restrict access to Telegram domains on corporate networks to disrupt the C2 and recruitment channels used by these actors.
  5. Threat Intel Feeds: Subscribe to threat intelligence feeds that track NoName057(16) target lists and known botnet IP ranges to pre-emptively block sources.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchddosnoname05716hacktivismthreat-huntingbotnets

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.