Netscout's study on the evolution of Distributed Denial of Service (DDoS) attacks, based on the monitoring of more than 8 million DDoS attacks worldwide during the first six months of 2025 (more than 3.2 million of them in EMEA), shows how this type of threat has evolved into a precision weapon with geopolitical influence, capable of destabilizing infrastructure considered critical.
Groups of attackers such as NoName057(16) orchestrated hundreds of coordinated attacks every month, mainly aimed at the communications, transport, energy and defense sectors. That is, at critical infrastructure. DDoS-for-hire services have made attack tools more accessible, which allows novice cybercriminals to carry out attack campaigns with practically no knowledge of how to do so.
AI-driven automation, multi-vector attacks and intensive bombing techniques pose difficulties for traditional defenses. In addition, the botnets dedicated to DDoS attacks compromised tens of thousands of IoT devices, servers and routers during the period studied, launching sustained attacks and causing high-impact disruptions.
Each of these elements is already dangerous on its own, but combined they have generated a high risk for organizations and service provider networks around the world. Netscout observed more than 50 attacks exceeding one terabit per second (Tbps) and multiple attacks measured in gigapackets per second (Gpps) in the first half of 2025. Among them were a 3.12 Tbps attack in the Netherlands and one of 1.5 Gpps in the United States.
Geopolitical events triggered unprecedented DDoS attacks. Among them was the conflict between India and Pakistan, which led hacktivist groups to attack the Indian government and the financial sector in May. In addition, the conflict between Iran and Israel generated more than 15,000 attacks against Iran and 279 against Israel in June.
Botnet-driven attacks are increasingly sophisticated. In March there were more than 880 botnet-driven DDoS attacks per day, with a peak of 1600 incidents, and the duration of the attacks increased to an average of 18 minutes.
New malicious actors appeared in the period studied by Netscout. One was DieNet, which, taking advantage of DDoS-for-hire infrastructure, orchestrated more than 60 attacks since March, while Keymous+ launched 73 attacks in 28 industrial sectors from 23 countries.
The most active group remained the aforementioned NoName057(16), recently dismantled, with more than 475 attacks in March alone, 337% more than the next most active group. Its members attacked government websites in Spain, Taiwan and Ukraine.
Richard Hummel, Netscout Threat Intelligence Director, recalled that «As hacktivist groups take advantage of greater automation, shared infrastructure and evolving tactics, organizations must recognize that traditional defenses are no longer enough. The integration of AI assistants and the use of large language models (LLMs), such as WormGPT and FraudGPT, increase that concern. And, although the recent dismantling of NoName057(16) managed to temporarily reduce the activities of the group's botnet, it is not guaranteed that it does not become the main hacktivist DDoS threat in the future. Organizations need proven and intelligence-based defenses that can face the sophisticated attacks we see today».