Protection or Predation? Brazilian DDoS Mitigation Firm Accused of Running Massive Botnet
In a stark irony of the cybersecurity world, a firm dedicated to protecting networks from Distributed Denial-of-Service (DDoS) attacks is now accused of enabling the very chaos it claims to prevent. Huge Networks, a Brazilian ISP specializing in DDoS mitigation, has been linked to a massive botnet campaign targeting other network operators across Brazil.
The revelations come after a leaked file archive exposed the inner workings of a digital siege, revealing that the tools used to crash competing networks may have been operated using the private credentials of the company’s own leadership.
The Evidence: A Leaked Blueprint for Chaos
The controversy erupted when a trusted anonymous source shared a file archive found in an open online directory. This archive didn’t just contain malicious code; it provided a roadmap of the attack infrastructure. The files included several Portuguese-language malicious programs written in Python and, most damagingly, the private SSH authentication keys belonging to Erick Nascimento, the CEO of Huge Networks.
Analysis of the archive shows that a threat actor maintained root access to Huge Networks’ infrastructure. From this vantage point, the attacker built a powerful botnet by mass-scanning the internet for insecure routers and unmanaged Domain Name System (DNS) servers to enlist in coordinated attacks.
Technical Deep Dive: How the Botnet Operated
The operation relied on a combination of outdated hardware vulnerabilities and a classic network exploitation technique known as DNS amplification.
Exploiting the TP-Link Archer AX21
The botnet specifically targeted the TP-Link Archer AX21 router. Rather than using a sophisticated “zero-day” exploit, the attackers leveraged CVE-2023-1389, an unauthenticated command injection vulnerability. Although a patch for this flaw was released in April 2023, many users failed to update their devices, leaving them open to exploitation.
The Mechanics of DNS Amplification
To maximize the impact of the attacks, the botnet used “DNS reflection” and amplification. Here is how the process works:
- Spoofing: Attackers send DNS queries to misconfigured servers, but they spoof the return address so the request appears to come from the victim’s network.
- Amplification: By using specific DNS protocol extensions, attackers craft small requests (under 100 bytes) that trigger massive responses (60-70 times larger).
- Overwhelming the Target: When tens of thousands of compromised devices send these spoofed requests simultaneously, the victim’s network is flooded with massive amounts of unsolicited data, knocking it offline.
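As an added example (not code from the article, from Huge Networks, or from the leaked archive), the detector below applies the reflection pattern just described to constructed UDP flow records from a victim's vantage point: DNS responses arriving at a host that never sent the matching query are counted per destination, and the request/response size ratio is computed for comparison with the 60-70x figure. The flow-record layout, thresholds and IP addresses are assumptions.

```python
"""Flag DNS reflection traffic in constructed UDP flow records.

Added example, not from the original article. The record shape is a
simplified NetFlow-like tuple; thresholds and addresses are assumptions.
"""
from collections import defaultdict

# (ts_seconds, src_ip, src_port, dst_ip, dst_port, bytes) -- constructed samples
SAMPLE_FLOWS = [
    # legitimate: internal host 10.0.0.5 queries its resolver and gets an answer
    (100.0, "10.0.0.5", 51234, "10.0.0.2", 53, 62),
    (100.1, "10.0.0.2", 53, "10.0.0.5", 51234, 118),
    # reflection: responses from several open resolvers land on 203.0.113.10,
    # which never queried them (spoofed source), each ~65x a ~60-byte query
    (200.0, "198.51.100.1", 53, "203.0.113.10", 80, 4012),
    (200.0, "198.51.100.2", 53, "203.0.113.10", 80, 3970),
    (200.1, "198.51.100.3", 53, "203.0.113.10", 80, 4096),
    (200.1, "198.51.100.4", 53, "203.0.113.10", 80, 4040),
]


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes received per byte sent; the article cites 60-70x for DNS."""
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_reflectors=3, window=2.0):
    """Return {victim_ip: (reflector_count, unsolicited_bytes)} for hosts that
    receive port-53 responses from >= min_reflectors servers they never queried
    within `window` seconds."""
    last_query = {}  # (client_ip, server_ip) -> time of the client's last query
    unsolicited = defaultdict(lambda: [set(), 0])
    for ts, src, sport, dst, dport, size in sorted(flows, key=lambda f: f[0]):
        if dport == 53:                    # outbound query: remember who asked whom
            last_query[(src, dst)] = ts
        elif sport == 53:                  # inbound response: was it ever requested?
            asked = last_query.get((dst, src))
            if asked is None or ts - asked > window:
                unsolicited[dst][0].add(src)
                unsolicited[dst][1] += size
    return {v: (len(r), b) for v, (r, b) in unsolicited.items()
            if len(r) >= min_reflectors}


if __name__ == "__main__":
    for victim, (n, total) in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {n} reflectors, {total} unsolicited bytes")
```

On real flow exports the same logic runs per time bucket; the distinct-reflector count is the discriminating signal, since a single misbehaving resolver is noise while many unsolicited port-53 sources converging on one host is the reflection signature.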
The malicious Python scripts used domains such as hikylover[.]st and c.loyaltyservices[.]lol, both previously flagged as control servers for an Internet of Things (IoT) botnet powered by a variant of the Mirai malware.
The Defense: Breach or Betrayal?
Erick Nascimento has flatly denied orchestrating the attacks to generate business for Huge Networks. He maintains that the company’s sales model is based on inbound leads and partners, not on creating market incidents to scare clients into buying protection.
Nascimento attributes the malicious activity to a digital intrusion detected in January 2026. According to the CEO, two development servers and his personal SSH keys were compromised via a bastion/jump server. He claims the specific “droplet” (a virtual server) used to coordinate the scanning was a legacy personal account that was deprecated and destroyed, and was never part of the official Huge Networks infrastructure.
Nascimento asserts he has “strong evidence stored on the blockchain” that the entire operation was the work of a “dishonest competitor” intending to tarnish the company’s image ahead of a major industry event.
A Recurring Pattern: The Mirai Legacy
The malware powering this botnet is based on Mirai, a notorious strain that first appeared in September 2016. Mirai’s history is riddled with instances of “protection” firms using the malware for profit. In 2017, it was revealed that the authors of Mirai were co-owners of a DDoS mitigation firm using the botnet to attack gaming servers to attract new clients.

More recently, in May 2025, a Mirai-based attack—described by Google as the largest it had ever mitigated—was linked to a Brazilian man who operated both a DDoS mitigation company and several DDoS-for-hire services.
Key Takeaways for Network Administrators
- Patch IoT Devices: The use of CVE-2023-1389 proves that old vulnerabilities remain viable targets. Update all router firmware immediately.
- Secure DNS Configurations: Ensure DNS servers are not configured as “open resolvers” to prevent them from being used in amplification attacks.
- Rotate SSH Keys: Regularly rotate private keys and avoid using personal keys on production or development servers.
- Audit Access: Implement strict access controls on bastion and jump servers to prevent lateral movement during a breach.
Conclusion
Whether this campaign was the result of a calculated corporate strategy or a sophisticated frame-job by a competitor, it highlights a systemic vulnerability in the IoT ecosystem. The reliance on unpatched consumer hardware continues to provide attackers with the raw power needed to destabilize regional internet infrastructure. As the line between security providers and threat actors continues to blur, rigorous third-party auditing and transparent security practices are no longer optional—they are essential for trust in the digital economy.