Between 2 and 8 February 2026, SOCRadar identified a coordinated DDoS campaign led by the pro-Russian threat actor NoName057(16) using the DDoSia tool, with 8,101 recorded attack entries across 160 unique domains and 186 unique IP addresses, concentrated on Italy and Germany. Italy accounted for 42.9% of attacks (3,475 targets) and Germany for 29.5% (2,391 attacks), with Austria and Finland also impacted and a broader spread across commercial and international domains.
The campaign targeted government infrastructure (38%), sports and Olympic organisations (24%), and critical infrastructure such as transportation and water systems. The majority of traffic was directed at port 443 (HTTPS), which accounted for 69.1% of attacks, with further HTTP activity on port 80.
NoName057(16) operates via Telegram channels to update target lists multiple times daily, employing multi-vector techniques that combine TCP floods, HTTP floods, and application-layer attacks, including nginx_loris, HTTP/2, and HTTP/3. The analysis highlights extensive geographic breadth, multi-sector targeting, and sustained, high-volume operations designed to strain defence resources across NATO member states.
According to SOCRadar, mitigation should emphasise cloud-based DDoS protection, WAF tuning, rate limiting, and coordinated incident response across national CERTs.