VYPR
breach · Published Apr 30, 2026 · Updated May 18, 2026 · 1 source

Anti-DDoS Firm Huge Networks Used as Platform for Botnet Attacks on Brazilian ISPs

A Brazilian DDoS mitigation company, Huge Networks, was unknowingly used as a platform for a botnet that launched massive DDoS attacks against Brazilian ISPs, exploiting TP-Link routers and misconfigured DNS servers.

A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm's chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company's public image.

For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs. Until recently, it was less than clear who or what was behind these digital sieges. That changed earlier this month when a trusted source who asked to remain anonymous shared a curious file archive that was exposed in an open directory online. The exposed archive contained several Portuguese-language malicious programs written in Python, along with the private SSH authentication keys belonging to the CEO of Huge Networks.

Huge Networks was founded in Miami, Fla. in 2014, but its operations are centered in Brazil. The company started out protecting game servers against DDoS attacks and evolved into an ISP-focused DDoS mitigation provider. It does not appear in any public abuse complaints and is not associated with any known DDoS-for-hire services. Nevertheless, the exposed archive shows that a Brazil-based threat actor maintained root access to Huge Networks infrastructure and built a powerful DDoS botnet by routinely mass-scanning the Internet for insecure routers and unmanaged DNS servers.

The botnet specifically targeted TP-Link Archer AX21 routers vulnerable to CVE-2023-1389, an unauthenticated command injection vulnerability that was patched back in April 2023. The exposed Python attack scripts included DNS lookups for the domains hikylover[.]st and c.loyaltyservices[.]lol, both flagged as control servers for an IoT botnet powered by a Mirai malware variant. The leaked archive shows the botmaster coordinated their scanning from a Digital Ocean server that has been flagged for abusive activity hundreds of times in the past year.

The attacks also abused misconfigured DNS servers for amplification attacks. By taking advantage of an extension to the DNS protocol that enables large DNS messages, botmasters can dramatically boost the size and impact of a reflection attack, crafting DNS queries so that the responses are much bigger than the requests. The attacks were strictly limited to Brazilian IP address ranges, with each selected IP address prefix attacked for 10-60 seconds with four parallel processes per host before the botnet moved on to the next target.
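For operators auditing their own DNS servers, the sketch below parses a query/response pair, as seen from outside the network, and reports the two properties that make a server useful as a reflector: recursion offered to outsiders and a response much larger than the query. It is an added example, not code from the leaked archive or from the original report. It assumes the DNS extension in question is EDNS0 (RFC 6891), and the function names, the `max_ratio` threshold and the sample messages are illustrative.

```python
import struct

OPT = 41  # EDNS0 pseudo-record type (RFC 6891)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def parse(msg):
    """Pull the header flags and the EDNS0 UDP payload size out of a DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, edns_size = 12, None
    for _ in range(qd):             # question entries: name + type + class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):   # resource records in all three sections
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            edns_size = rclass      # OPT reuses CLASS as the advertised UDP size
        off += 10 + rdlen
    return {"recursion_available": bool(flags & 0x0080),
            "edns_udp_size": edns_size, "length": len(msg)}

def audit(query, response, max_ratio=2.0):
    """Report why a server's answer to an outside query would suit a reflector."""
    q, r = parse(query), parse(response)
    ratio, findings = r["length"] / q["length"], []
    if r["recursion_available"]:
        findings.append("recursion offered to external client")
    if ratio > max_ratio:           # max_ratio is an illustrative threshold
        findings.append(f"response is {ratio:.1f}x the query")
    return ratio, findings

# Constructed sample messages, not captured traffic (TXT query with EDNS0 OPT).
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 16, 1)
OPT_RR = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1) + QUESTION + OPT_RR
TXT_RR = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, 201) + b"\xc8" + b"x" * 200
OPEN_REPLY = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1) + QUESTION + TXT_RR + OPT_RR
REFUSED_REPLY = struct.pack("!6H", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print(audit(QUERY, OPEN_REPLY), audit(QUERY, REFUSED_REPLY))
```

A server that answers outside clients with REFUSED, as in the second sample, returns less than it receives and produces no findings.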

Reached for comment, Huge Networks CEO Erick Nascimento said he did not write the attack programs and that he didn't realize the extent of the DDoS campaigns until contacted by KrebsOnSecurity. Nascimento said the unauthorized activity is likely related to a digital intrusion first detected in January 2026 that compromised two of the company's development servers, as well as his personal SSH keys. He said the company wiped the boxes and rotated keys immediately, and has since engaged a third-party network forensics firm to investigate further.

This incident highlights the danger of compromised infrastructure at security firms themselves, which can be turned into powerful platforms for attacks. The use of a known, patched vulnerability (CVE-2023-1389) underscores the importance of timely patch management, especially for internet-exposed devices. The case also demonstrates how attackers can leverage legitimate businesses' resources to launch devastating attacks while remaining hidden behind the company's reputation.

Synthesized by Vypr AI