Article 273 of the Criminal Code of the Russian Federation gives signs of a malicious computer program - the program must perform certain actions with computer information (modification, copying, blocking, destruction), moreover, knowingly and unauthorized. Knowingly - due to the properties of the program itself, not as a result of an error (bug); unauthorized - without the permission and against the will of the person authorized to allow or prohibit certain actions with information (in accordance with the current legislation, such a person is the owner of the information, i.e., in most cases, the computer user). Thus, if a program launches a DDoS attack without the permission of the user (on whose computer this program is running), then it is malicious, since it is deliberately designed to block computer information without authorization. If with permission it's not malicious. Such permission can be obtained by entering certain data into the program (by pressing a button in the interface, entering a command line key, etc.; any interactivity of the program's actions with information excludes its harmfulness, except when the malicious functionality is disguised as another and the user, clicking on some button does not get the result that was expected).
JS LIOC, according to the description (didn't use it myself :-)), requires receiving a command for a DDoS attack from the user (by clicking on the corresponding button), therefore it is not a malicious computer program. However, hosting this program on your server may form a different corpus delicti, but here you already need to understand the motives and goals in each specific case.
Additional reading ;-)

IMHO it depends a lot on which side the lawyer is better on.

"originally designed for stress testing websites."
That is, the script is already obviously not intended for illegal actions.
Further, the main question - did you use it for counter-propaganda actions? If used, it is a crime.