MALWARE FAMILY

Dosia

Internal ID: win.dosia
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

Infrastructure and programs used for, as its name suggests, DDoSing.

It used to be written in Python, nowadays it's written in Go. Clients:

- Are written in Go. (Used to be written in Python.)

- Do not seem to differ significantly across OS deployments. (Confirmed on Windows, macOS, Linux, Android.)

- Seem to be partly run by NoName themselves.

- Are partly also run by volunteers, recruited via dedicated Telegram channels. Participants are rewarded with cryptocurrency. The client prints a suggestion to use a VPN for Russia-based launches. (This renders IP-based blocking rather ineffective; consider behavioral analysis instead.)

Configuration:

- Rotates near-daily. Can be browsed on https://witha.name/ (also reachable via http://withanamemwesdvodfhthjq25a5a3uas24cpgoa7qm6gchcerzpis6qd.onion/).

- Is sent encrypted between C2 and Client.

- Specifies target hostname, subpath, vector protocols, methods, ports, whether SSL is used, headers for HTTP, request bodies.

- Any given config property can be randomly generated with per-use constraints.

- Is provided by a multi-level hierarchy of C2 servers.

Threat Analysis

Dosia is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

win.dosia

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.