Brazilian Anti-DDoS Firm Linked to Attacks

May 3, 2026 12:21 · 12 min read
A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, according to a recent investigation.

The firm, Huge Networks, offers DDoS protection to other Brazilian network operators and has been linked to a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs. The company's chief executive, Erick Nascimento, claims that the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company's public image.

Security Breach and Botnet Activity

A trusted source shared a curious file archive that was exposed in an open directory online, containing several Portuguese-language malicious programs written in Python, as well as the private SSH authentication keys belonging to Nascimento. The exposed archive shows that a Brazil-based threat actor maintained root access to Huge Networks infrastructure and built a powerful DDoS botnet by routinely mass-scanning the Internet for insecure Internet routers and unmanaged domain name system (DNS) servers on the Web that could be enlisted in attacks.

The botnet seeks out TP-Link devices that remain vulnerable to CVE-2023-1389, an unauthenticated command injection vulnerability that was patched back in April 2023. The exposed Python attack scripts also performed DNS lookups for hikylover[.]st and c.loyaltyservices[.]lol, two domains that have been flagged in the past year as control servers for an Internet of Things (IoT) botnet powered by a Mirai malware variant.
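The two control-server domains above are the kind of indicator a network operator would want to sweep its own resolver logs for. The script below is an added example, not code from the article or from Huge Networks: it refangs the published indicators, parses constructed dnsmasq-style query lines, and matches on whole DNS labels so that look-alike names such as nothikylover.st or hikylover.st.example.org are not flagged. The log lines, client addresses and timestamps are invented for illustration.

```python
"""Sweep DNS query logs for the botnet control domains named in the article.

Added example (not code from the article or from Huge Networks). The two
indicators are the ones published on the page; the log lines are constructed
in a dnsmasq-like "query[TYPE] name from client" format for illustration.
"""
import re
from typing import Iterable

# Defanged indicators exactly as published; refanged before matching.
DEFANGED_IOCS = ["hikylover[.]st", "c.loyaltyservices[.]lol"]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Apr 30 02:11:07 gw dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Apr 30 02:11:09 gw dnsmasq[812]: query[A] HIKYLOVER.ST from 192.168.1.44
Apr 30 02:11:10 gw dnsmasq[812]: query[A] update.c.loyaltyservices.lol. from 192.168.1.44
Apr 30 02:11:12 gw dnsmasq[812]: query[A] nothikylover.st from 192.168.1.51
Apr 30 02:11:15 gw dnsmasq[812]: query[AAAA] hikylover.st.example.org from 192.168.1.20
Apr 30 02:11:20 gw dnsmasq[812]: query[A] loyaltyservices.lol from 192.168.1.60
"""

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'hikylover[.]st' back into a real name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def normalize(name: str) -> str:
    """Lower-case and drop the trailing root dot so 'Foo.st.' equals 'foo.st'."""
    return name.lower().rstrip(".")


def matches_ioc(qname: str, ioc: str) -> bool:
    """True when qname is the indicator itself or a label-aligned subdomain of it.

    Requiring the '.' boundary avoids the false positives a naive substring
    test would raise on 'nothikylover.st' or 'hikylover.st.example.org'.
    """
    qname, ioc = normalize(qname), normalize(ioc)
    return qname == ioc or qname.endswith("." + ioc)


def scan_dns_log(lines: Iterable[str], iocs: Iterable[str]) -> list[dict]:
    """Return one hit per log line whose queried name matches an indicator."""
    fanged = [refang(i) for i in iocs]
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (e.g. reply/cached entries)
        name = normalize(m.group("name"))
        for ioc in fanged:
            if matches_ioc(name, ioc):
                hits.append({"client": m.group("client"), "qname": name, "ioc": ioc})
                break
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines(), DEFANGED_IOCS):
        print(f"{hit['client']} looked up {hit['qname']} (matches {hit['ioc']})")
```

Run against the constructed log, the sweep reports exactly two clients: the one that resolved hikylover.st and the one that resolved a host under c.loyaltyservices.lol. The parent zone loyaltyservices.lol is deliberately not flagged, because the published indicator is the specific host c.loyaltyservices[.]lol; widen the indicator to the registrable domain only if your own threat intelligence supports it.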

Investigation and Response

Nascimento said that the unauthorized activity is likely related to a digital intrusion first detected in January 2026 that compromised two of the company's development servers, as well as his personal SSH keys. However, he claimed that there's no evidence those keys were used after January and that the company has since engaged a third-party network forensics firm to investigate further.

Nascimento denied being involved in DDoS attacks against Brazilian operators to generate business for his company's services, stating that the company's sales model is mostly inbound and through channel integrators, distributors and partners, not active prospecting based on market incidents. He also claimed to have strong evidence stored on the blockchain that the attacks were carried out by a competitor, but refused to disclose the competitor's identity.

Mirai Malware and DDoS Attacks

The malicious software that powers the botnet of TP-Link devices used in the DDoS attacks on Brazilian ISPs is based on Mirai, a malware strain that made its public debut in September 2016 by launching a then record-smashing DDoS attack. In January 2017, KrebsOnSecurity identified the Mirai authors as the co-owners of a DDoS mitigation firm that was using the botnet to attack gaming servers and scare up new clients.

In May 2025, KrebsOnSecurity was hit by another Mirai-based DDoS that Google called the largest attack it had ever mitigated. The report implicated a 20-something Brazilian man who was running a DDoS mitigation company as well as several DDoS-for-hire services that have since been seized by the FBI.

Conclusion

The case shows how a compromised DDoS-mitigation provider's own servers and credentials can be turned into attack infrastructure against the very operators it sells protection to. It also repeats a pattern seen since Mirai's debut, in which DDoS protection vendors turn out to be tied, as victims or as participants, to the attacks they defend against. Which of those describes Huge Networks remains unresolved pending the third-party forensic investigation.


Source: Krebs on Security
