New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/27cdcf1412ea028f30e0d96565ca8959
Conversation
Notices
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 20-Feb-2024 21:27:08 JST 
Kevin Beaumont
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 15-Jan-2024 23:06:56 JST
Kevin Beaumont
Yesterday's #NoName targets - Ukraine and Lithuania
www.mtb.ua
accordbank.com.ua
www.adrem.lt
credit-agricole.ua
online.credit-agricole.ua
corpexpreprod.credit-agricole.ua
capluspro.credit-agricole.ua
premium.credit-agricole.ua
cabinet.credit-agricole.ua
www.pravex.com.ua
online.pravex.ua
www.lietuvoskeliai.lt
www.bite.lt
mano.bite.lt
www.cgates.lt
init.lt
www.balticum.lt
www.compensa.lt
www.if.lt
www.bta.ltBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_14_3pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 15-Jan-2024 23:07:47 JST
Kevin Beaumont
Today's #NoName targets - United Kingdom, Germany and France.
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_15_2pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 16-Jan-2024 00:14:27 JST
Kevin Beaumont
#NoName have added www.bundesfinanzministerium.de to their target list. It didn't take the site offline.
Config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_15_3pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 17-Jan-2024 05:18:26 JST
Kevin Beaumont
#NoName didn't like Germany today.
www.deutschebahn.com
deutschlandticket.de
www.nordwestbahn.de
www.bundeskanzler.de
www.bmz.de
www.bundesfinanzministerium.de
www.afs-bund.de
www.mvg.de
www.rmv.de
www.vgn.de
www.spd.de
abo.bahn.de
www.bvl.de
www.dslv.org
www.dachser.com
www.bafin.de
portal.mvp.bafin.de
www.dbschenker.com
www.hellmann.comBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_16_8pm.txt
-
Embed this notice
Max Resing (resingm@infosec.exchange)'s status on Wednesday, 17-Jan-2024 23:46:52 JST 
Max Resing
@GossiTheDog - Hope you don't mind me leveraging your excellent work in this threat to share some work of my coworkers.
My colleagues at #NETSCOUT had a blog post in the pipeline that was just published today on the modus operandi of #NoName057 and their #DDoS attack patterns.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 18-Jan-2024 03:12:29 JST
Kevin Beaumont
It's that time of the day.. time to find out what #NoName tried to do!
Today, with the protection of Latvia, they DDoS'd Czech, Sweden and Belgium.
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_17_6pm.txt
-
Embed this notice
Kapitän Clownfeuer (rasur@mastodon.social)'s status on Thursday, 18-Jan-2024 03:29:33 JST 
Kapitän Clownfeuer
@GossiTheDog hammering fereienshop.davos.ch.. yeah, that's really going to hurt the WEF :/
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 18-Jan-2024 20:14:31 JST
Kevin Beaumont
#NoName targets today - Estonia and Switzerland
myyk.inges.ee
marketplace.e-resident.gov.ee
epp.energia.ee
www.tallinn.ee
www.nordica.ee
www.sob.ch
www.post.ch
www.gva.ch
airport-grenchen.ch
www.bernairport.ch
engadin-airport.ch
peoples.ch
www.geneve.com
www.stadt-zuerich.ch
www.myswitzerland.com
www.postauto.ch
www.zvv.ch
www.mnt.ee
pilet.ee
lengmatta-davos.ch
alpenhof-davos.ch
www.davos-pischa.ch
europe-davos.ch
kajakallas.eeBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_18_11am.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jan-2024 00:10:56 JST
Kevin Beaumont
#NoName DDoS targets today, Ukraine and Switzerland
cvp.tax.gov.ua
kyiv.tax.gov.ua
tax.gov.ua
wvp.tax.gov.ua
www.vtg.admin.ch
www.swisshelicopter.ch
www.bs.ch
ekonto.egov.bs.ch
www.lausanne.ch
www.montreux.ch
www.stadt.sg.ch
www.bellinzona.ch
www.stadt-schaffhausen.ch
www.swissprivatebankers.com
www.juliusbaer.com
www.swissbanking.ch
www.geneve-finance.ch
www.nw.ch
www.stans.ch
www.buochs.ch
zir.tax.gov.ua
map.tax.gov.ua
ca.tax.gov.uaBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_19_3pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jan-2024 05:16:09 JST
Kevin Beaumont
Fs in the chat.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jan-2024 06:05:40 JST
Kevin Beaumont
#NoName's botnet is offline as their C2 server down.
They have published a new version of the client, and require all the users (about 10k) to redownload and reinstall - as such, their DDoS effectiveness will suck for a while.
New C2 server is 94.140.115.64 on port 80 - same ISP as before, Nano.lv in Latvia.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jan-2024 06:26:49 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2: https://pastebin.com/qeQCm74V
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_19_9pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jan-2024 17:23:20 JST
Kevin Beaumont
#NoName are offline again. #threatintel
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jan-2024 17:56:49 JST
Kevin Beaumont
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jan-2024 19:19:55 JST
Kevin Beaumont
#NoName have put out DDoS claims just now.. but you may notice the links are taken from 7am UTC, before their C2 server died.
No botnet config dump as it’s offline.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jan-2024 19:29:16 JST
Kevin Beaumont
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 21-Jan-2024 00:26:34 JST
Kevin Beaumont
New #NoName DDoS client details and C2 server: https://pastebin.com/psKHZzVs
IP is 94.131.97.202 and hardcoded into client again - ISP https://stark-industries.solutions/
They have only a fraction of hosts checking in so far, let's nuke from orbit. #threatintel
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 21-Jan-2024 00:33:33 JST
Kevin Beaumont
#NoName DDoS targets - France and Lithuania
www.adrem.lt
www.credit-agricole.com
eurolines.fr
www.star.fr
www.lignesdazur.com
www.lietuvoskeliai.lt
www.bite.lt
mano.bite.lt
www.cgates.lt
init.lt
www.balticum.lt
www.compensa.lt
www.if.lt
www.bta.lt
auth-aode.edf.fr
www.orano.group
www.enercoop.fr
mon-espace.enercoop.frC2 server: 94.131.97.202 (Czech)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_20_3pm.txt
-
Embed this notice
Interpipes 💙 (interpipes@thx.gg)'s status on Sunday, 21-Jan-2024 01:42:51 JST 
Interpipes 💙
@GossiTheDog not a fan of 'stark industries' abuse reporting notice for their ASN.. "The contents of your abuse email will be forwarded directly on to our client for handling."
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 21-Jan-2024 19:57:45 JST
Kevin Beaumont
#NoName DDoS targets - UK and Netherlands
pa.eastcambs.gov.uk
politics.leics.gov.uk
www.liverpool.gov.uk
over.gvb.nl
www.cranbrooktowncouncil.gov.uk
www.ov-chipkaart.nl
login.ov-chipkaart.nl
www.bngbank.nl
services.belastingdienst.nl
my.swiftcard.org.uk
ukfinanceproducationb2c.b2clogin.com
www.moneyhelper.org.uk
9292.nl
a-bike.nl
www.justice.gov.uk
www.cbi.org.ukC2 server: 94.131.97.202 (UK front company, Czech location)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_21_11am.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 21-Jan-2024 20:00:35 JST
Kevin Beaumont
Yes, #NoName can't even bring down Cranbook Town Council. One of the councillors replied to me on Mastodon just after Xmas and got their config DDoS proofed 🙌
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 21-Jan-2024 20:07:47 JST
Kevin Beaumont
In a sign that imposing cost on 'hacktivist' DDoS groups work - not a single one of the sites are offline.
-
Embed this notice
miunau (miunau@meow.social)'s status on Sunday, 21-Jan-2024 20:15:24 JST 
miunau
@GossiTheDog but who spelled it "producation"
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 21-Jan-2024 20:20:28 JST
Kevin Beaumont
How #NoName manipulate their audience (and probably bosses) - they post photoshopped screenshots of outages, and have links to check-host.net - which always show sites down.
E.g. I've attached the report for liverpool.gov.uk just now, which shows as down - but it's actually available.
The net effect is an audience of tens of thousands on Telegram cheering on nothing.
-
Embed this notice
V is for... (vmodifiedmind@know.me.uk)'s status on Sunday, 21-Jan-2024 20:20:47 JST 
V is for...
@GossiTheDog Well Cranbrook also moved the source site to a different server since the attack was the origin server so the initial effort (again nothing to do with me, not my responsibility) was to try and just shove CF in front. So I guess the where to attack is also static based on a DNS lookup done some time previous. Presumably they’re still trying to hit the original source IP (Zen)?
-
Embed this notice
V is for... (vmodifiedmind@know.me.uk)'s status on Sunday, 21-Jan-2024 20:22:02 JST
V is for...
@GossiTheDog bizarre. Wonder why they don’t even try and update and make any effort.
-
Embed this notice
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Sunday, 21-Jan-2024 22:07:43 JST 
Ryan Castellucci :nonbinary_flag:
@GossiTheDog is check-host.net designed to always show as down?
-
Embed this notice
ciaranb (ciaranb@infosec.exchange)'s status on Sunday, 21-Jan-2024 22:08:02 JST 
ciaranb
@GossiTheDog is this an old list? they seem to kicking the pa (assume idox) server in Cambridge a few times.
-
Embed this notice
VessOnSecurity (bontchev@infosec.exchange)'s status on Sunday, 21-Jan-2024 23:52:12 JST 
VessOnSecurity
@ryanc @GossiTheDog No, it works just fine.
I don't know why it shows "timed out" errors for them but they are definitely using it incorrectly, LOL.
They are using the "HTTP" button which, for an HTTPS site, will show "301 Moved Permanently" error (well, at least if the site is properly configured).
They should be using the "TCP Port" button which will try to access the site over port 443.
That said, I don't know why it times out on the e.g., Liverpool government site. I tested it on our Lab's site and it connected just fine.
-
Embed this notice
VessOnSecurity (bontchev@infosec.exchange)'s status on Monday, 22-Jan-2024 04:16:47 JST
VessOnSecurity
@GossiTheDog BTW, www.liverpool.gov.uk is definitely not reachable from here right now - neither via HTTP, nor via HTTPS.
Maybe they have started filtering foreign IPs?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 22-Jan-2024 17:37:59 JST
Kevin Beaumont
About that Romania attack #NoName #threatintel
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 22-Jan-2024 17:38:53 JST
Kevin Beaumont
(Cont) #NoName #threatintel
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 22-Jan-2024 19:26:02 JST
Kevin Beaumont
#NoName DDoS targets for today, Romania.
New client info: https://pastebin.com/6xHh4n8B
New C2: 193.233.193.240 (Huize Telecom in Hong Kong)
dnsc.ro
gov.ro
www.presidency.ro
www.mae.ro
www.mapn.ro
www.cdep.ro
sts.ro
www.senat.ro
www.mai.gov.ro
mmuncii.ro
www.olgutavasilescu.ro
www.baneasa-airport.ro
www.metrorex.ro
www.pmb.ro
www.mt.ro
www.mfinante.gov.ro
www.mdlpa.roBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_22_10am.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 23-Jan-2024 22:30:08 JST
Kevin Beaumont
#NoName DDoS targets for today, Romania again.
New client again, info: https://pastebin.com/Ukckmgf8
New C2: 89.105.201.91 (Novoserve)
gov.ro
www.presidency.ro
www.mae.ro
sts.ro
mmuncii.ro
www.bnro.ro
www.bvb.ro
www.scj.ro
www.ccr.ro
www.just.ro
mobile.telekom.ro
www.gts.ro
www.orange.ro
www.petrom.ro
www.omvpetrom.com
www.kmginternational.com
www.rompetrol.com
www.omv.ro
molromania.ro
www.roviniete.ro -
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 23-Jan-2024 23:29:01 JST
Kevin Beaumont
#NoName 🤔
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 24-Jan-2024 02:58:07 JST
Kevin Beaumont
New #NoName client
First version crashed on start
New C2: 5.44.42.29 (GIR Network)
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 24-Jan-2024 19:09:41 JST
Kevin Beaumont
#NoName DDoS targets for today, Poland. Only one site is offline due to disrupted capability.
C2: 5.44.42.29 (GIR Network)
www.skm.pkp.pl
epuap.gov.pl
metro.waw.pl
www.sejm.gov.pl
www.prezydent.pl
www.sn.pl
www.senat.gov.pl
polskieradio24.pl
banie.pl
pyrzyce.um.gov.pl
www.mysliborz.pl
kozielice.pl
lipiany.pl
trzcinsko-zdroj.pl
przelewice.plBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_24_10am.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Jan-2024 03:02:11 JST
Kevin Beaumont
#NoName DDoS targets for today, France and Finland.
C2: 5.44.42.29 (GIR Network)
valtioneuvosto.fi
eureennormandie.fr
www.aude.fr
www.laregion.fr
www.bordeaux.fr
www.haute-saone.gouv.fr
www.poitiers.fr
www.vienne.gouv.fr
www.lehavre.fr
www.igares.com
www.gers.gouv.fr
vaalit.fi
www.finlex.fi
www.otakantaa.fi
www.aanestyspaikat.fi
www.pekkahaavisto.com
haavisto2024.fi
www.alexstubb.fi
ollirehn2024.fi
www.aaltola2024.fi
liandersson.fiBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_25_6pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Jan-2024 19:17:21 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2: https://pastebin.com/WJaM0xyE #threatintel
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 27-Jan-2024 03:20:14 JST
Kevin Beaumont
#NoName DDoS targets for today, Finland.
C2: 195.35.19.138 (Hostinger)
supo.fi
www.eduskunta.fi
www.op.fi
www.suomenpankki.fi
www.tilastokeskus.fi
helsinki.chamber.fi
kauppakamari.fi
arbitration.fi
paaomasijoittajat.fi
www.finlex.fi
www.otakantaa.fi
www.nouvelle-aquitaine.fr
www.le64.fr
www.landes.fr
www.pau.fr
www.haute-garonne.fr
www.hautespyrenees.fr
metropole.toulouse.fr
www.tarbes.fr
www.tarn.gouv.fr
www.fine.fi
www.finanssiala.fiBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_26_6pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 28-Jan-2024 00:20:38 JST
Kevin Beaumont
#NoName DDoS targets for today, Germany.
C2: 195.35.19.138 (Hostinger, Brazil)
www.bzst.de
www.nordwestbahn.de
polizei.thueringen.de
www.polizei-nds.de
tca.holding.talanx.com
e-accounting.talanx.com
www.hamburger-feuerkasse.de
www.zoll.de
www.afs-bund.de
www.mvg.de
www.rmv.de
www.vgn.de
www.balm.bund.de
frankfurt.de
www.dortmund.de
www.bremen.de
www.darmstadt.de
www.rostock.de
www.bielefeld.deBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_27_3pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 28-Jan-2024 20:18:05 JST
Kevin Beaumont
#NoName DDoS targets for today, Ukraine and Finland.
C2: 195.35.19.138 (Hostinger, Brazil)
As part of "NATIONAL DEFENCE HACKATHON" alongside groups 22С, SKILLNET, CyberDragon, Federal Legion, People's Cyber Army, PHOENIX.
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_28_11am.txt
-
Embed this notice
Alec001 (alec001@infosec.exchange)'s status on Sunday, 28-Jan-2024 20:52:45 JST 
Alec001
@GossiTheDog Is this the same group that also goes by NoName057(16)
-
Embed this notice
Jason Reed (jrsofty@toot.community)'s status on Sunday, 28-Jan-2024 21:50:04 JST 
Jason Reed
@GossiTheDog how effective is this group? Last time they targeted www.mvg.de I asked my kid who lives in Munich to see if the website was down and the answer was no.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 29-Jan-2024 21:29:52 JST
Kevin Beaumont
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 29-Jan-2024 21:36:56 JST
Kevin Beaumont
#NoName DDoS targets for today, Ukraine.
New C2: 185.255.123.84 (tinhat.se, physically in Nigeria)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_29_1pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 31-Jan-2024 06:07:25 JST
Kevin Beaumont
#NoName DDoS targets for today, Netherlands and Greece.
New C2: 185.255.123.84 (tinhat.se, physically in Nigeria)
www.gvb.nl
www.government.nl
www.rijksoverheid.nl
www.houseofrepresentatives.nl
www.portofamsterdam.com
www.groningen-seaports.com
www.thpa.gr
www.ov-chipkaart.nl
login.ov-chipkaart.nl
www.maa.nl
www.lelystadairport.nl
www.rijkswaterstaat.nl
www.vlaardingen.nl
www.yme.gr
ministryofjustice.gr
www.cecl.gr
www.aia.gr
www.minoan.grBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_30_9pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 01-Feb-2024 02:14:48 JST
Kevin Beaumont
#NoName DDoS targets for today, Finland (they're DDoS'ing Tietoevry, who are currently dealing with a ransomware incident), Lithuania and Germany
C2: 185.255.123.84 (tinhat.se, physically in Nigeria)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_31_5pm.txt
-
Embed this notice
saloravantes (saloravantes@cyberplace.social)'s status on Thursday, 01-Feb-2024 04:05:25 JST 
saloravantes
@GossiTheDog Hi. Is there a way to automate the extraction of the config for ddosia project ? And also, is there a telegram group from which i can the latest version of their software ?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 01-Feb-2024 07:28:28 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/dedcb8c68218782a735394f366d58658
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 02-Feb-2024 03:06:57 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2: https://gist.github.com/GossiTheDog/9905962545501d00cd313ff91ea8d5a3
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 02-Feb-2024 03:16:13 JST
Kevin Beaumont
#NoName DDoS targets for today, Finland.
New C2: 188.116.20.254 - ROKO Networks Ltd - abuse@iroko.net
www.kyberturvallisuuskeskus.fi
www.op.fi
www.suomenpankki.fi
kauppakamari.fi
www.hel.fi
oikeus.fi
www.kuntaliitto.fi
www.kuluttajariita.fi
www.patriagroup.com
www.insta.fi
millog.fi
securemail.millog.fi
akerarctic.fi
www.unikie.com
odoo15.unikie.com
people.unikie.com
support.unikie.com
www.espoo.fi
www.vantaa.fi
www.turku.fi
www.tampere.fi -
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-Feb-2024 00:30:18 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2: https://gist.github.com/GossiTheDog/9137ecd51ad3b26f4a37dc7c80848bbc
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-Feb-2024 00:59:37 JST
Kevin Beaumont
#NoName DDoS targets for today, Finland again
New C2: 45.89.55.4 - Stark Industries Solutions
www.traficom.fi
extidpevaluointi.traficom.fi
arbitration.fi
energia.fi
www.tek.fi
www.businessfinland.fi
www.fine.fi
www.finanssiala.fi
www.jyvaskyla.fi
www.kuopio.fi
www.pori.fi
www.lappeenranta.fi
www.vaasa.fi
www.kotka.fi
www.porvoo.fi
www.lahti.fi
www.danskebank.fi
www.handelsbanken.fi
www.saastopankki.fi
www.ombudsman.fi
www.forex.fi
ek.fiBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_02_4pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 05-Feb-2024 07:45:58 JST
Kevin Beaumont
Sunday overtime at NoName due to disruption.
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/e3360ed34b57d377b40dc2fba7f689a5
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 05-Feb-2024 07:52:23 JST
Kevin Beaumont
#NoName DDoS targets for today, France.
New C2: 193.233.193.90 -huize.asia, Hong Kong
www.bourgognefranchecomte.fr
www.normandie.fr
www.grandest.fr
www.insee.fr
www.iledefrance.fr
www.paysdelaloire.fr
www.isula.corsica
www.auvergnerhonealpes.fr
www.bretagne.bzh
www.regionguadeloupe.fr
www.hautsdefrance.fr
regionreunion.com
www.maregionsud.fr
www.ctguyane.frBotnet config:
https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_04_11pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 06-Feb-2024 02:33:39 JST
Kevin Beaumont
#NoName DDoS targets, Spain
C2: 193.233.193.90 -huize.asia, Hong Kong
sede.agenciatributaria.gob.es
www.lamoncloa.gob.es
www.cert.fnmt.es
www.tribunalconstitucional.es
www.bde.es
www.metrovalencia.es
www.policia.es
www.interior.gob.es
www.granada.org
metropolitanogranada.es
administracion.gob.es
www.incibe.es
www.ccn.cni.es
www.transportepublico.es
www.balearia.com
grupooesia.com
www.babelgroup.com
www.oneseq.es
s2grupo.es
unitel-tc.comBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_05.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 06-Feb-2024 17:13:36 JST
Kevin Beaumont
#NoName claim to have taken down the Spanish navy and airforce (lol) and their proof is check-host links to a ping request (lol). Both sites are online. Ddosia is not.
This is part of a common theme where they try to use the ping and traceroute option to try to prove a site is offline, to mislead people.
#threatintel -
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 06-Feb-2024 21:48:48 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/e56ffe64b9ecdbbc51d33d9e4bf67869
Russian branded version has been mothballed.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 06-Feb-2024 21:59:27 JST
Kevin Beaumont
#NoName DDoS targets, Spain
New C2 185.234.66.126 - pq.hosting, Netherlands
www.mapa.gob.es
amaco.es
armada.defensa.gob.es
ejercitodelaire.defensa.gob.es
www.asambleamurcia.es
www.oepm.es
parlamentodenavarra.es
www.jgpa.es
www.euskadi.eus
www.legebiltzarra.eus
www.gobiernodecanarias.org
www.parcan.es
www.carm.es
scpc.gov.uaBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_06_1pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-Feb-2024 00:43:20 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/6988b27da07e9d8ec1ca6bec5d06033a
Russian branded version is back.
No, this isn't nor was it ever running on toothbrushes.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-Feb-2024 00:49:55 JST
Kevin Beaumont
#NoName DDoS targets, Spain
New C2 45.136.199.235 - IROKO Networks, Romania
www.cimsa.com
www.jomipsa.com
www.fecsa.net
www.aecid.es
www.amec.es
www.alimentacion.es
www.tussam.es
www.metro-sevilla.es
www.emtmalaga.es
www.vitrasa.es
alicante.vectalia.es
www.tgcomes.es
titsa.com
www.bilbao.eus
www.metrobilbao.eus
www.emtpalma.catBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_07_4pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-Feb-2024 18:50:17 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/27e65024c71a94f1a06913b8fe74c9fd
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-Feb-2024 18:57:53 JST
Kevin Beaumont
#NoName DDoS targets, Spain again
New C2 83.217.9.33 - iptk.ru, Turkey
www.sedigas.es
www.camaramadrid.es
tab.es
www.cofides.es
www.aecarretera.com
www.tranviasdezaragoza.es
www.vitoria-gasteiz.org
metrotenerife.com
www.valenciaport.com
www.portdebarcelona.cat
www.bilbaoport.eus
www.apba.esBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_08_10am.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-Feb-2024 23:31:56 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/9243528c7055b4b2d05e5daa9d03a83c
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 09-Feb-2024 02:47:54 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/56673d225f9d91f68cf68666084e3c2f
(Yes, they're on their 3rd new client today alone)
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 09-Feb-2024 08:38:12 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/f8cbf0039b5463851f61009cea377f20
Yes, they're on their fourth client update today as all their nodes keep getting lost :(
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 09-Feb-2024 19:50:11 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/f1079fe5486b2e7ac61d2e069caa67d4
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 09-Feb-2024 22:50:13 JST
Kevin Beaumont
#NoName DDoS targets, Spain again
New C2 185.234.66.239 - pq.hosting
www.ineco.com
cornelia.apc.es
www.parlament.cat
www.apvigo.es
www.asambleamadrid.es
www.juntadeandalucia.es
www.puertomalaga.com
www.portsdebalears.com
www.apcoruna.com
www.portcastello.com
www.huelvaport.com
www.mapfre.es
www.occident.com
www.reale.es
www.axa.esBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_09_2pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 10-Feb-2024 22:52:58 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/25a3ad28b6dcd9849619487c718242a0
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 10-Feb-2024 22:56:36 JST
Kevin Beaumont
#NoName DDoS targets, Spain again
New C2 77.75.230.221 - Stark Industries Solutions (PQ Hosting using a shit shell company in London)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_10_2pm.txt
-
Embed this notice
dercraig (dercraig@infosec.exchange)'s status on Saturday, 10-Feb-2024 23:06:21 JST 
dercraig
@GossiTheDog how do you know it's a shell company for PQ?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 12-Feb-2024 02:55:46 JST
Kevin Beaumont
#NoName DDoS targets, Spain again
C2 77.75.230.221 - Stark Industries Solutions (PQ Hosting)
www.cimsa.com
www.fecsa.net
www.aecid.es
www.tussam.es
www.emtmalaga.es
www.vitrasa.es
alicante.vectalia.es
www.tgcomes.es
www.camaramadrid.es
titsa.com
www.aecarretera.com
www.bilbao.eus
www.emtpalma.cat
www.tranviasdezaragoza.es
www.vitoria-gasteiz.org
metrotenerife.comBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_11_6pm.txt
-
Embed this notice
jo3rg (jo3rg@infosec.exchange)'s status on Monday, 12-Feb-2024 04:02:08 JST 
jo3rg
@GossiTheDog Quick newb question - how do you get those configs? Do you provide a honeypot which is part of the network?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 12-Feb-2024 04:05:37 JST
Kevin Beaumont
I don't know why #NoName have done a week of attacks on Spain, normally they swap countries each day. They claim on Telegram it's in support of Spanish farmers, but.. uh.. I dunno how that benefits their stated goal of supporting Russia. Also they claimed people were running their DDoS from toothbrushes this week, soooo.
It probably doesn't help that many of the targets after 5th February appear to have no cloud WAF, so fall to DDoS really easily.
-
Embed this notice
jo3rg (jo3rg@infosec.exchange)'s status on Monday, 12-Feb-2024 05:11:38 JST
jo3rg
@GossiTheDog So you've extracted the config URL from the actual binaries? Out of curiosity, do they expect any special HTTP headers?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 12-Feb-2024 17:08:13 JST
Kevin Beaumont
It’s likely Italy - they started DDoSing targets there last night. #NoName
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 12-Feb-2024 19:59:33 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/830760f71dd3f2d410f07662d2c4be8f
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 12-Feb-2024 20:04:21 JST
Kevin Beaumont
#NoName DDoS targets, Italy
C2 193.233.193.65 - Lethost in Austria
www.bper.it
www.bologna-airport.it
www.camera.it
www.atm.it
accesso-privati.credem.it
www.borsaitaliana.it
www.bccroma.it
www.bicipa.it
www.anm.it
alfabeto.fideuram.it
www.ansa.it
www.camera-arbitrale.it
richiestamodifiche.adm.gov.it
iampe.adm.gov.it
telematico.adm.gov.it
stdru.adm.gov.it
concorsi.gdf.gov.it
www.gdf.gov.it
www.consob.it
www.aiaf.it
www.assosim.it
www.agcm.it
anasf.itBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_12_11am.txt
-
Embed this notice
joystickjournal (joystickjournal@mastodon.social)'s status on Monday, 12-Feb-2024 21:10:19 JST
joystickjournal
@GossiTheDog Thank you for all the updates. Can anyone explain me why they are struggeling that much? I missed a few weeks of infosec.
-
Embed this notice
Otmar Lendl (otmar@infosec.exchange)'s status on Monday, 12-Feb-2024 21:17:41 JST 
Otmar Lendl
@GossiTheDog A C2 in Austria would certainly get my attention, but I can't link 193.233.193.65 to our country.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-Feb-2024 19:19:06 JST
Kevin Beaumont
#NoName DDoS targets, Italy again.
They're having an Italy week, using the farmers to piggy back on again.
C2 193.233.193.65 - HUIZE TELECOM
www.giorgiameloni.it
www.sinfomar.it
www.amat.pa.it
amat.cloud.eleagol.it
www.amt.genova.it
www.sienamobilita.it
www.gtt.to.it
www.ctmcagliari.it
www.anm.it
intra.anm.it
www.trentinotrasporti.it
www.atb.bergamo.it
group.intesasanpaolo.comBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_13_10am.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 14-Feb-2024 20:42:05 JST
Kevin Beaumont
#NoName DDoS targets, Italy again.
C2 193.233.193.65 - HUIZE TELECOM
iampe.agenziaentrate.gov.it
www.poste.it
www.mediobanca.com
www.popso.it
www.port.venice.it
www.agenziaentrate.gov.it
www.spid.gov.it
www.gruppomps.itBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_14_11am.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 14-Feb-2024 20:48:49 JST
Kevin Beaumont
Reality vs Fantasy
Again abusing being unable to ping a target as proof a website is down. Most orgs block ping, they will know this.
-
Embed this notice
Bradley Frank (bradfrank@cyberplace.social)'s status on Wednesday, 14-Feb-2024 21:09:28 JST 
Bradley Frank
@GossiTheDog I’ve seen you reporting on NoName for what seems like weeks now, if these chucklefucks are as inept as they seem, are they disruptive enough to follow so closely? (To be clear this isn’t meant as sarcasm or judgement I’m legit curious.)
-
Embed this notice
Bradley Frank (bradfrank@cyberplace.social)'s status on Wednesday, 14-Feb-2024 21:42:00 JST
Bradley Frank
@GossiTheDog That makes a lot more sense. Unfortunate that it gets reported like that, the group must love all the (undeserved) attention.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 19-Feb-2024 20:13:31 JST
Kevin Beaumont
#NoName DDoS targets, Japan
New C2 193.17.183.18
www.panasonic.com
www.hkd.meti.go.jp
essales.tw.panasonic.com
www.enecho.meti.go.jp
www.chusho.meti.go.jp
holdings.panasonic
globalresearch.mizuho-sc.com
www.mod.go.jp
www.meti.go.jp
www.cao.go.jp
www.esri.cao.go.jp
www.shugiin.go.jpBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_19_11am.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 19-Feb-2024 20:13:32 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/8a25337bd994ded7096445c57efdd868
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 20-Feb-2024 21:33:52 JST
Kevin Beaumont
#NoName DDoS targets - why not have 5 countries.
New C2 5.252.23.100 - fake London VPS company again
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_20_12pm.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 22-Feb-2024 06:24:15 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/dd1cd434b55f0a7d974aad3bd73a564a
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 22-Feb-2024 20:27:38 JST
Kevin Beaumont
New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/82319e4ee354c4376c092798e7b8e94c
GreenSkyOverMe (Monika) repeated this. -
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 22-Feb-2024 20:31:59 JST
Kevin Beaumont
#NoName DDoS targets, Ukraine and Japan. 2 year war anniversary.
New C2 38.180.101.98
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_22_11am.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 29-Feb-2024 08:40:11 JST
Kevin Beaumont
I stopped #NoName monitoring and disruption over a week ago as I’ve been too busy.
I’ve just noticed from telegram they don’t appear to have had a public client since Friday, apparently somebody else has been taking down their C2 servers. Good.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 02-Mar-2024 00:13:19 JST
Kevin Beaumont
#NoName DDoS targets, Demark
www.moviatrafik.dk
dinoffentligetransport.dk
www.cph.dk
www.kk.dk
aarhus.dk
www.billund.dk
www.aalborg.dk
www.odense.dk
www.randers.dk
www.vejle.dk
www.roskilde.dk
www.helsingor.dk
horsens.dk
api.cph.dk
www.mitid.dk
netbutik.postnord.dk
logistics.postnord.dk
www.vadehavskysten.dkBotnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 02-Mar-2024 20:48:32 JST
Kevin Beaumont
#NoName DDoS targets, Denmark again.
www.toldst.dk
www.moviatrafik.dk
dinoffentligetransport.dk
ufst.dk
www.bornholms-lufthavn.dk
www.trm.dk
www.cph.dk
www.bane.dk
motorst.dk
gaeldst.dk
vurdst.dk
api.cph.dk
www.mitid.dk
danishshipping.dk
netbutik.postnord.dk
logistics.postnord.dk
www.kolding.dkBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_03_02_11am.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 03-Mar-2024 20:22:26 JST
Kevin Beaumont
#NoName DDoS targets, Denmark again. Essentially same targets but they've refined the DDoS config.
C2 193.17.183.123
www.toldst.dk
www.moviatrafik.dk
dinoffentligetransport.dk
ufst.dk
www.bornholms-lufthavn.dk
www.trm.dk
www.cph.dk
motorst.dk
gaeldst.dk
vurdst.dk
api.cph.dk
danishshipping.dk
netbutik.postnord.dk
logistics.postnord.dkBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_03_03_11am.txt
-
Embed this notice
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Sunday, 03-Mar-2024 22:36:47 JST 
Catalin Cimpanu
@GossiTheDog s***... gonna tell my Danish friends that websites they never access are gonna be down
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 04-Mar-2024 19:33:13 JST
Kevin Beaumont
#NoName DDoS targets, this week they are "supporting the farmers" (lol) in Poland.
C2 193.17.183.123
pz.gov.pl
etoll.gov.pl
drogi.gddkia.gov.pl
kpd.gddkia.gov.pl
www.autostrada-a2.pl
flotis.pl
www.autostrada-a4.com.pl
enota.viatoll.pl
conadrogach.pl
a1.com.plBotnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_03_04_10am.txt
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 05-Mar-2024 02:30:14 JST
Kevin Beaumont
You can follow @NoName57Bot for real time #NoName updates if you don’t want to wait for me. #threatintel
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 07-Mar-2024 08:41:04 JST
Kevin Beaumont
NoName's DDoSia platform has been deleted from Telegram. The chat channels, support channels, client downloads, documentation and tasking bot have all been shut down.
The last public version of the Ddosia client is also disconnected from users.
The non-public C2, 193.17.183.123, is still online at present.
#threatintel -
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 12-Mar-2024 08:53:11 JST
Kevin Beaumont
#NoName have moved Ddosia to a new Telegram group with a new bot.
Today they’re mostly attacking France. Botnet config: https://witha.name/data/2024-03-11_13-45-06_DDoSia-target-list-full.json
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 14-Mar-2024 16:55:19 JST
Kevin Beaumont
#NoName currently trying to DDoS http://landopensystems.mod.gov.uk/
Unsuccessfully I might add.
-
Embed this notice
Tim K (cybervulcanx@mastodon.social)'s status on Sunday, 09-Jun-2024 20:41:18 JST
Tim K
@GossiTheDog Is it possible to get an updated list for the current #NoName targets please?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Jul-2024 19:46:46 JST
Kevin Beaumont
Noname are trying to target the UK right now. Unsuccessfully I might add. Current targets include Electoral Commission #NoName #threatintel
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Jul-2024 19:49:36 JST
Kevin Beaumont
And there’s the poor translated announcement out. #NoName #threatintel
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 22-Jul-2024 20:23:18 JST
Kevin Beaumont
Police have arrested two people in Spain over allegedly being part of NoName.
Details are unclear - I guess it might have been people running the NoName Ddosia client in their home PCs.
https://www.reuters.com/technology/cybersecurity/three-pro-russian-hackers-arrested-spain-over-cyberattacks-2024-07-20/
#NoName #threatintel
-
Embed this notice
All GNU social JP content and data are available under the