BETWEEN March 17 and 23, 2026, NoName057(16) conducted its most intensive weekly DDoS campaign in the current cycle, generating 13,716 attack instances across 148 unique targets and 134 unique IP addresses. Romania emerged as the primary target with 64.5% of attacks (8,852) across 68 targets, while Israel comprised 15.5% (2,129) across 35 targets, Denmark 2.3% (322) across 14 targets, and Greenland 0.7% (96) across seven targets.
The attacks focused heavily on port 443 (HTTPS), which accounted for 93.2% of all traffic, with HTTP GET floods at 55.3% and HTTP POST floods at 34.1%, indicating a sustained L7-dominant strategy using the DDoSia tool. Magam Safety became the single most-attacked host with 460 instances, and Elbit Systems appeared with 30 attacks, underscoring intensified Israeli defense-industrial targeting.
The campaign also saw a notable geographic pivot from Cyprus to Romania, reflecting rapid target-list regeneration and automated C2 capabilities. According to SOCRadar, the threat actor updates target lists with considerable frequency, including 50 JSON target files during the seven-day window and 16 updates on March 20.