
Inside the Botnet: How DDoS attacks on Brazilian ISPs Were Fueled by an Anti‑DDoS Firm

DECRYPTED BY: Nova Stirling | TIMESTAMP: 2026-05-07 T 04:40:09 Z | [ 2 MIN READ ]

DDoS attacks on Brazilian ISPs: Inside the Botnet

Security researchers have uncovered that a Miami‑born anti‑DDoS provider, Huge Networks, was unwittingly the backbone of a massive botnet that bombarded Brazilian internet service providers earlier this year. Hundreds of gigabits per second of traffic – 1,200 Gbps – were generated by TP‑Link Archer AX21 routers compromised through CVE‑2023‑1389, a command‑injection flaw patched in April 2023.

The leak, first reported by KrebsOnSecurity, included Python scripts, private SSH keys belonging to CEO Erick Nascimento, and a DigitalOcean droplet flagged for abuse. The scripts scanned the global address space for vulnerable routers and open DNS resolvers, then launched DNS‑reflection attacks that amplified sub‑100‑byte queries into megabyte responses, a technique detailed by Reuters.

According to the recovered command history, the botnet targeted only IP ranges assigned to Brazil, hammering each prefix for 10‑60 seconds with four parallel processes before moving on. The malicious domains hikylover[.]st and c.loyaltyservices[.]lol, previously linked to Mirai‑derived IoT botnets, served as control points.
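A victim-side check for the DNS-reflection pattern and short per-prefix bursts described above, as an added example that is not from the article or the leaked scripts: it flags protected prefixes that receive UDP source-port-53 responses no inside host requested. The flow records, prefixes (documentation ranges), thresholds and function name are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

QUERY_TTL = 5  # assumed: seconds during which a query "excuses" a response

# Constructed UDP flow records: (ts, src, sport, dst, dport, bytes).
PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]   # documentation ranges
FLOWS = [
    (0, "203.0.113.10", 40000, "192.0.2.53", 53, 70),    # real query
    (1, "192.0.2.53", 53, "203.0.113.10", 40000, 300),   # its answer
    (50, "192.0.2.9", 53, "203.0.113.20", 5353, 500),    # lone stray packet
]
# Burst from t=100 to t=130: large responses from four reflectors to one prefix.
FLOWS += [(100 + i, f"192.0.2.{1 + i % 4}", 53, "198.51.100.7", 33000 + i, 4000)
          for i in range(31)]


def find_reflection_bursts(flows, prefixes, min_reflectors=3, min_bytes=100_000):
    """Return prefixes receiving port-53 responses that no inside host requested."""
    nets = [ip_network(p) for p in prefixes]

    def owner(ip):
        addr = ip_address(ip)
        return next((n for n in nets if addr in n), None)

    last_query = {}  # (client, resolver) -> time of the client's last query
    stats = defaultdict(lambda: {"bytes": 0, "srcs": set(), "first": None, "last": 0})
    for ts, src, sport, dst, dport, nbytes in sorted(flows):
        if dport == 53 and owner(src) is not None:
            last_query[(src, dst)] = ts          # outbound query from our side
        elif sport == 53 and (net := owner(dst)) is not None:
            asked = last_query.get((dst, src))
            if asked is not None and ts - asked <= QUERY_TTL:
                continue                         # solicited answer, ignore
            s = stats[str(net)]
            s["bytes"] += nbytes
            s["srcs"].add(src)
            s["first"] = ts if s["first"] is None else s["first"]
            s["last"] = ts
    return {
        net: {"bytes": s["bytes"], "reflectors": len(s["srcs"]),
              "duration": s["last"] - s["first"]}
        for net, s in stats.items()
        if s["bytes"] >= min_bytes and len(s["srcs"]) >= min_reflectors
    }


if __name__ == "__main__":
    print(find_reflection_bursts(FLOWS, PREFIXES))
```

Because each prefix was hit for under a minute, the aggregation interval feeding such a check has to be shorter than the burst, or the spike averages out.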

“We were notified of massive DDoS spikes, but the depth of the compromise only emerged after the files were shared,” Nascimento told Krebs.

Nomenclature suggests the breach began with a single compromised bastion host in January 2026, granting the attacker access to legacy personal droplets and, ultimately, to the private keys used to authenticate to Huge Networks infrastructure. The CEO insists the operation was the work of a rival firm seeking to damage his reputation, claiming “strong evidence stored on the blockchain” but refusing to disclose the competitor.

While Huge Networks says it has engaged a third‑party forensics team and rotated all credentials, the episode revives concerns about the fragility of IoT security and the ease with which Mirai‑family malware can be repurposed for regional attacks. As regulators debate nuclear policy, the cyber‑security community watches Brazil’s ISPs brace for further disruptions.


Intel provided by: Nova Stirling

Aerospace & Space Tech Correspondent
