Brazilian DDoS Protection Firm Unwittingly Enabled Massive Botnet Attacks
A Brazilian technology company that sells DDoS protection has inadvertently provided the infrastructure for a series of large botnet attacks against other Brazilian internet service providers (ISPs). According to reporting by KrebsOnSecurity, the firm's CEO attributes the activity to a security breach and speculates that a competitor may be behind it in an attempt to damage his company's reputation.
The Investigation
In recent years, security professionals have tracked a succession of large DDoS attacks that originated in Brazil and were aimed solely at Brazilian ISPs. The identity of the perpetrators remained unknown until recently, when an anonymous informant shared a file archive found in a publicly accessible online directory.
The archive contained numerous Python attack scripts written in Portuguese, along with the private SSH authentication keys of the CEO of Huge Networks, a Brazilian ISP whose main business is DDoS mitigation for other Brazilian network operators.
About Huge Networks
Established in Miami, Florida, in 2014, Huge Networks centers its operations in Brazil. Initially focused on protecting gaming servers from DDoS attacks, the company has since transitioned into a dedicated DDoS mitigation provider for ISPs. There are no public abuse complaints on record against it, and it does not appear to be affiliated with any known DDoS-for-hire service.
The Attack Infrastructure
Whatever the company's own intentions, the exposed archive shows that an attacker based in Brazil had gained root access to Huge Networks' infrastructure and used it to build a formidable DDoS botnet. The attacker did this by systematically scanning the Internet for insecure routers and open domain name system (DNS) resolvers that could be abused to launch attacks.
DNS lets users reach websites by familiar domain names instead of the corresponding IP addresses. A recursive DNS server should answer queries only from the clients or networks it is meant to serve. Attackers abuse "DNS reflection" by targeting misconfigured open resolvers that answer queries from any source. Because DNS normally runs over UDP, the attacker can forge the source IP address of each query so that it appears to come from the victim; the resolver then sends its response to the victim instead of to the attacker.
An extension of the DNS protocol, EDNS(0), lets a client advertise that it can receive responses far larger than the classic 512-byte limit, which greatly increases the impact of reflection. An attacker can send a DNS request of under 100 bytes and elicit a response up to 70 times larger, so every byte of attack traffic the attacker sends is multiplied before it reaches the target.
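To make the amplification arithmetic concrete, here is an added example (not code from the article, from KrebsOnSecurity, or from Huge Networks) that builds a DNS query in wire format with an EDNS(0) OPT record advertising a 4096-byte UDP buffer, then constructs the kind of large TXT response an open resolver would return and computes the ratio between the two. The domain name, record sizes and packet contents are constructed for illustration, and the code never sends anything on the network.

```python
"""DNS amplification mechanics: a small EDNS(0) query versus a large response.
Added example; all packet contents are constructed locally, nothing is sent."""
import struct

ANY, TXT, OPT = 255, 16, 41


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(name: str, qtype: int = ANY, udp_payload: int = 4096, txid: int = 0x1234) -> bytes:
    """Wire-format query with an OPT pseudo-RR in the additional section. The OPT
    'class' field carries the UDP payload size the sender claims it can receive;
    this is what lets a reflector send a multi-kilobyte answer instead of
    truncating at 512 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)       # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_payload, 0, 0)     # root name, type, size, flags, rdlen
    return header + question + opt


def build_response(query: bytes, txt_values: list) -> bytes:
    """Construct the answer an open resolver would send back: the echoed question,
    then one TXT record per value, each naming its owner via a pointer (0xC00C)
    to the name in the question."""
    txid = struct.unpack("!H", query[:2])[0]
    end = 12
    while query[end] != 0:            # skip over the QNAME labels
        end += 1 + query[end]
    question = query[12:end + 5]      # + terminating zero, QTYPE, QCLASS
    answers = b""
    for value in txt_values:
        encoded = value.encode()
        data = bytes([len(encoded)]) + encoded   # TXT <character-string>, max 255 bytes
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TXT, 1, 3600, len(data)) + data
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_values), 0, 0)  # QR=1, RD, RA
    return header + question + answers


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def amplification(query: bytes, response: bytes) -> float:
    """Bandwidth amplification factor: bytes the victim receives per byte the attacker sends."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_response(q, ["x" * 200] * 10)   # ten 200-byte TXT strings (constructed)
    print(len(q), "byte query ->", len(r), "byte response, factor %.1f" % amplification(q, r))
```

Sending this query to a resolver you operate, from an address it is not meant to serve, is the simplest open-resolver check: any answer means it will reflect for anyone. The fix on the resolver side is to restrict recursion to your own clients (in BIND, `allow-recursion`) and enable response rate limiting; on the network side, BCP 38 source-address filtering stops the spoofed queries from leaving the attacker's network in the first place.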
TP-Link Router Exploitation
The shared archive contains shell command history showing how the attacker built and maintained this botnet by exploiting TP-Link Archer AX21 routers. The botnet actively scans for TP-Link devices still vulnerable to CVE-2023-1389, an unauthenticated command injection flaw in the router's web management interface for which a patch was released in April 2023.
Malicious domains referenced in the leaked Python scripts include hikylover[.]st and c.loyaltyservices[.]lol, both of which have previously been identified as command-and-control servers for an IoT botnet running a variant of the Mirai malware.
Attack Methodology
The leaked archive indicates that the botmaster ran the scanning operations from a Digital Ocean server that has been flagged for abusive activity on numerous occasions over the past year. The Python scripts listed multiple IP addresses belonging to Huge Networks that were used to select targets and launch the DDoS campaigns. The attacks exclusively targeted Brazilian IP address ranges: each affected prefix was hit for between 10 and 60 seconds, using four simultaneous processes per host, before the scripts moved on to the next target.
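The pattern described above, many reflectors answering toward one prefix for tens of seconds at a time, is visible in flow data at the victim ISP. The following is an added example (not from the article or from any of the parties involved) of detection logic run over constructed NetFlow-style records: a destination that receives large UDP source-port-53 responses from several distinct resolvers inside a short window is flagged as a reflection target. The record format, addresses and thresholds are assumptions made for the example.

```python
"""Flag DNS reflection victims in NetFlow-style records. Added example with
constructed data; the line format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"udp bytes=(?P<bytes>\d+) pkts=(?P<pkts>\d+)$"
)

# Constructed sample: six open resolvers all answering toward one address in
# 203.0.113.0/24 that never queried them, plus ordinary traffic from a single
# resolver to a second host. All addresses are documentation ranges.
SAMPLE_FLOWS = [
    "2026-01-11T03:14:15Z 198.51.100.7:53 -> 203.0.113.9:44123 udp bytes=3010 pkts=2",
    "2026-01-11T03:14:16Z 198.51.100.23:53 -> 203.0.113.9:44123 udp bytes=2990 pkts=2",
    "2026-01-11T03:14:18Z 192.0.2.77:53 -> 203.0.113.9:44123 udp bytes=3010 pkts=2",
    "2026-01-11T03:14:20Z 192.0.2.130:53 -> 203.0.113.9:44123 udp bytes=3030 pkts=2",
    "2026-01-11T03:14:21Z 198.51.100.2:53 -> 203.0.113.20:51000 udp bytes=140 pkts=1",
    "2026-01-11T03:14:31Z 198.51.100.200:53 -> 203.0.113.9:44123 udp bytes=3010 pkts=2",
    "2026-01-11T03:14:40Z 192.0.2.9:53 -> 203.0.113.9:44123 udp bytes=3010 pkts=2",
    "2026-01-11T03:14:44Z 198.51.100.2:53 -> 203.0.113.20:51000 udp bytes=152 pkts=1",
]


def parse_flow(line: str):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["ts"] = datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ")
    for key in ("sport", "dport", "bytes", "pkts"):
        f[key] = int(f[key])
    return f


def find_reflection_victims(lines, min_sources=5, min_avg_bytes=1000):
    """Group inbound UDP flows with source port 53 by destination. A host hit by
    at least `min_sources` distinct resolvers with an average packet size of at
    least `min_avg_bytes` is reported as a reflection victim, together with the
    span of time over which the responses arrived."""
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "pkts": 0,
                                   "first": None, "last": None})
    for line in lines:
        f = parse_flow(line)
        if f is None or f["sport"] != 53:
            continue
        s = per_dst[f["dst"]]
        s["sources"].add(f["src"])
        s["bytes"] += f["bytes"]
        s["pkts"] += f["pkts"]
        s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
        s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
    victims = {}
    for dst, s in per_dst.items():
        avg = s["bytes"] / s["pkts"]
        if len(s["sources"]) >= min_sources and avg >= min_avg_bytes:
            victims[dst] = {"sources": len(s["sources"]), "avg_bytes_per_pkt": avg,
                            "duration_s": int((s["last"] - s["first"]).total_seconds())}
    return victims


if __name__ == "__main__":
    for dst, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{dst}: {info['sources']} reflectors, {info['avg_bytes_per_pkt']:.0f} B/pkt "
              f"over {info['duration_s']}s")
```

In production the grouping would run per time bucket (10-second windows match the attack durations described above) and the thresholds would be tuned to the network. The distinguishing signal is the fan-in of distinct resolvers toward a host that sent no matching queries, which a stateful check against outbound destination-port-53 flows can confirm before an alert is raised.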
CEO Response
The archive also indicates that the malicious scripts relied on the private SSH keys of Huge Networks' CEO, Erick Nascimento. When contacted about the files, Mr. Nascimento stated that he did not create the attack programs and was unaware of the scope of the DDoS campaigns until approached by KrebsOnSecurity.
"We reported and notified various Tier 1 upstream providers regarding significant DDoS attacks against smaller ISPs," Nascimento explained. "At the time, we did not investigate thoroughly enough, and your findings underscore that."
Security Breach Details
Nascimento said the unauthorized activity was likely linked to an intrusion identified in January 2026 that compromised two of the company's development servers and exposed his personal SSH keys. He asserted, however, that there is no conclusive evidence the keys were used after January.
"We informed the team in writing on the same day, removed the compromised servers, and rotated the keys," Nascimento recounted, sharing a screenshot of a January 11 notification from Digital Ocean. "All actions are documented internally."
According to Mr. Nascimento, Huge Networks has since enlisted a third-party network forensics firm for a comprehensive investigation.
"Our initial assessment indicates this situation began with a single internal breach — a pivotal point that granted the attacker downstream access to certain resources, including a legacy droplet of mine," he elaborated.
"The breach was executed via a bastion/jump server that was accessible to several personnel," Nascimento added. "Digital Ocean flagged that droplet on January 11, stating it was compromised due to a leaked SSH key — I was abroad at the time and addressed it upon my return. That droplet was decommissioned and eliminated, and it was never integrated into Huge Networks' infrastructure."
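Whether a leaked SSH key was used after a given date is a question the sshd logs can answer, because every successful public-key login records the key's SHA256 fingerprint. The following is an added example (not code from Huge Networks, from its forensics firm, or from the article) that computes the fingerprint of a public key the way `ssh-keygen -lf` does and scans constructed, ISO-timestamped auth log lines for logins with that key after a cutoff. The key, hostnames, addresses and log lines are all constructed for the example.

```python
"""Check whether a leaked SSH public key was used after a cutoff date, by
matching its SHA256 fingerprint against sshd 'Accepted publickey' lines.
Added example; the key and log lines are constructed, not real data."""
import base64
import hashlib
import re
import struct
from datetime import datetime

# Constructed ed25519-shaped key: the wire blob is string(type) + string(32 key bytes).
# The key bytes are a counting pattern, not a real key.
_BLOB = struct.pack("!I", 11) + b"ssh-ed25519" + struct.pack("!I", 32) + bytes(range(32))
LEAKED_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " leaked-key@example"


def ssh_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` and sshd print it: base64 of the
    SHA-256 of the wire-format key blob, with '=' padding removed."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)$"
)

_FP = ssh_fingerprint(LEAKED_KEY)
_OTHER_FP = "SHA256:" + "A" * 43   # placeholder fingerprint for an unrelated key
# Constructed auth log lines with ISO 8601 timestamps. The 'Failed publickey'
# line must not count: only accepted logins prove the key was used.
SAMPLE_LOG = [
    f"2026-01-09T22:41:07+00:00 dev-01 sshd[1188]: Accepted publickey for deploy "
    f"from 192.0.2.10 port 50212 ssh2: ED25519 {_FP}",
    f"2026-01-11T06:02:33+00:00 dev-01 sshd[1305]: Failed publickey for root "
    f"from 203.0.113.45 port 40110 ssh2: ED25519 {_FP}",
    f"2026-01-14T02:17:03+00:00 dev-02 sshd[2231]: Accepted publickey for root "
    f"from 203.0.113.45 port 51234 ssh2: ED25519 {_FP}",
    f"2026-01-15T09:30:12+00:00 dev-02 sshd[2410]: Accepted publickey for deploy "
    f"from 192.0.2.10 port 50333 ssh2: ED25519 {_OTHER_FP}",
]


def logins_with_key(lines, fingerprint: str, after: str = "2026-01-11"):
    """Return successful public-key logins that used `fingerprint` at or after
    the ISO date `after`, as dicts with timestamp, host, user and source IP."""
    cutoff = datetime.fromisoformat(after)
    hits = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if not m or m["fp"] != fingerprint:
            continue
        ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=None)
        if ts >= cutoff:
            hits.append({"ts": m["ts"], "host": m["host"], "user": m["user"], "ip": m["ip"]})
    return hits


if __name__ == "__main__":
    for h in logins_with_key(SAMPLE_LOG, ssh_fingerprint(LEAKED_KEY)):
        print(f"{h['ts']} {h['host']}: {h['user']} from {h['ip']} logged in with the leaked key")
```

On a live host, feed it the public half of the leaked key and ISO-timestamped sshd output (adjust the regex if the system logs the classic syslog date), and run the same scan on every machine where that key was ever authorized. Rotating the key on the owner's side does nothing for copies still listed in some `authorized_keys` file elsewhere, so the scan pairs naturally with removing the fingerprint from each of those files.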
Mirai Connection
The botnet of exploited TP-Link devices used in the DDoS campaigns against Brazilian ISPs runs Mirai, the IoT malware that first gained global notoriety in September 2016 when it powered a record-breaking DDoS attack that knocked KrebsOnSecurity offline for four days.