APT / THREAT GROUP

Dosia

3 aliases

Last seen: Mar 17, 2026

Intelligence Profile

Infrastructure and programs used for, as its name suggests, DDoSing.

It used to be written in Python; nowadays it is written in Go.

Clients:

- Are written in Go. (Used to be written in Python.)

- Do not seem to differ significantly across OS deployments. (Confirmed on Windows, macOS, Linux and Android.)

- Seem to be partly run by NoName themselves.

- Are partly also run by volunteers, recruited via dedicated Telegram channels. Participants are rewarded with cryptocurrency. The client prints a suggestion to use a VPN for Russia-based launches. (This renders IP-based blocking rather ineffective; consider behavioral analysis instead.)

Configuration:

- Rotates near-daily. Can be browsed on https://witha.name/ (also reachable via http://withanamemwesdvodfhthjq25a5a3uas24cpgoa7qm6gchcerzpis6qd.onion/).

- Is sent encrypted between C2 and Client.

- Specifies target hostname, subpath, vector protocols, methods, ports, whether SSL is used, headers for HTTP, request bodies.

- Any given config property can be randomly generated with per-use constraints.

- Is provided by a multi-level hierarchy of C2 servers.

Threat Analysis

Dosia is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Quick Facts

Type: APT / Threat Group
Aliases: 3

Also Known As

Dosia, win.dosia, DDOSIA

External Intelligence

Malpedia: win.dosia

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.