
Inside the DDoS attacks on Brazilian ISPs: How an anti‑DDoS firm became the weapon

DECRYPTED BY: Nova Stirling | TIMESTAMP: 2026-05-17 T 21:26:03 Z | [ 2 MIN READ ]

A Brazilian security firm that markets DDoS mitigation services was found to be the launchpad for a massive botnet that powered recent DDoS attacks on Brazilian ISPs, according to a deep‑dive by KrebsOnSecurity. The firm’s CEO says a breach – likely staged by a rival – compromised private SSH keys and allowed attackers to scan for vulnerable TP‑Link Archer AX21 routers (CVE‑2023‑1389) and open DNS resolvers. Python scripts in a publicly exposed archive reveal automated mass‑scanning, spoofed DNS queries and 12% success rates in hijacking IoT devices. The malicious code invoked domains hikylover[.]st and c.loyaltyservices[.]lol, known control points for a Mirai‑derived botnet. Coordination stemmed from a DigitalOcean droplet repeatedly flagged for abuse – Reuters reported similar incidents last year.

“We received and notified many Tier 1 upstreams regarding very very large DDoS attacks against small ISPs,” the CEO told KrebsOnSecurity.

He asserts the intrusion began with a compromised bastion server in January 2026, prompting a swift wipe, key rotation and engagement of a third‑party forensics team. No evidence links the stolen keys to subsequent attacks, and the firm denies fabricating traffic to sell protection. Analysts warn that the episode highlights the fragility of supply‑chain security in the DDoS mitigation market and the persistent threat of Mirai‑style malware. Bloomberg notes that Brazil remains a hotspot for botnet recruitment due to lax router firmware updates.

Intel provided by: Nova Stirling
Aerospace & Space Tech Correspondent