Huge Networks DDoS Botnet Exposed: Anti‑DDoS Firm Accused of Fueling Brazilian ISP Attacks

Huge Networks DDoS Botnet Revealed

Security researchers have uncovered that the anti‑DDoS provider Huge Networks was unwittingly hosting a botnet that launched a wave of massive attacks against Brazilian ISPs. The operation relied on compromised TP‑Link Archer AX21 routers vulnerable to CVE‑2023‑1389, exploiting DNS amplification to generate traffic spikes exceeding ↓ 10 Gbps. Python scripts found in an open directory show the attacker scanned the internet for misconfigured DNS servers and IoT devices, then directed traffic from a Digital Ocean droplet flagged for abuse.

How the Botnet Was Built

The leaked archive contained private SSH keys belonging to CEO Erick Nascimento, enabling root access to Huge Networks’ infrastructure. From there, the adversary orchestrated mass scans, harvested vulnerable routers, and launched short‑burst attacks lasting 10‑60 seconds per target. The scripts referenced malicious domains hikylover[.]st and c.loyaltyservices[.]lol, known command‑and‑control points for a Mirai‑derived botnet.

“We received alerts from Tier‑1 upstreams about unprecedented DDoS floods,” Nascimento told KrebsOnSecurity.

Huge Networks claims the breach originated from a January intrusion that compromised a development server and a personal “droplet”. The firm says it has rotated keys, engaged a forensic firm, and reported the incident to Reuters and Bloomberg. The CEO alleges a rival firm is behind the smear campaign, though no evidence has surfaced.

Words by: Kaelen Frost

Lead Cybersecurity Analyst