Brazilian DDoS Protection Firm Linked to Massive Botnet Attacks
- Huge Networks, a Brazilian internet service provider that specializes in providing distributed denial-of-service (DDoS) protection to other network operators, has been linked to a botnet used in a...
- The exposed archive contained several Portuguese-language malicious programs written in Python and the private SSH authentication keys of Huge Networks CEO Erick Nascimento.
- The botnet was constructed by mass-scanning the internet for unmanaged domain name system (DNS) servers and insecure routers.
Huge Networks, a Brazilian internet service provider that specializes in providing distributed denial-of-service (DDoS) protection to other network operators, has been linked to a botnet used in a campaign of massive DDoS attacks against other Brazilian ISPs. According to reporting from KrebsOnSecurity, the discovery followed the exposure of a file archive in an open online directory.
The exposed archive contained several Portuguese-language malicious programs written in Python and the private SSH authentication keys of Huge Networks CEO Erick Nascimento. The data indicates that a threat actor based in Brazil maintained root access to the company’s infrastructure to build and manage a powerful botnet.
Technical Execution and Botnet Recruitment
The botnet was constructed by mass-scanning the internet for unmanaged domain name system (DNS) servers and insecure routers. Specifically, the attacker targeted TP-Link Archer AX21 routers that remained vulnerable to CVE-2023-1389, an unauthenticated command injection vulnerability that received a patch in April 2023.

The campaign utilized DNS reflection attacks, a method where attackers send spoofed DNS queries to misconfigured servers. These servers then send their responses to the spoofed address (the target's network) rather than to the attacker. By using a DNS protocol extension that allows for larger messages, the botmaster could achieve a significant amplification effect.
For instance, a DNS request of less than 100 bytes could prompt a response 60-70 times larger. When executed by tens of thousands of compromised devices simultaneously, this creates a massive surge of traffic designed to overwhelm the target.
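A victim-side check for the reflection pattern described above, added here as an illustration and not taken from the article or the exposed archive: it flags hosts that receive large volumes of DNS responses they never asked for, from many resolvers inside one short window. The flow-record layout, the thresholds and every address below are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the article):
# (epoch_seconds, src_ip, src_port, dst_ip, dst_port, udp_payload_bytes)
FLOWS = [
    # Normal lookup: the client asks a resolver and gets one answer back.
    (1000, "198.51.100.10", 40000, "192.0.2.53", 53, 60),
    (1000, "192.0.2.53", 53, "198.51.100.10", 40000, 120),
]
# Reflection burst: 40 resolvers answer 198.51.100.77, which sent no queries.
# 4000-byte answers to ~60-byte queries match the 60-70x ratio cited above.
FLOWS += [(1010 + i % 10, f"203.0.113.{i}", 53, "198.51.100.77", 33000 + i, 4000)
          for i in range(1, 41)]


def find_reflection_victims(flows, window=10, min_sources=20, min_bytes=50_000):
    """Return {victim_ip: {"bytes": int, "sources": set}} for reflection targets.

    A response counts as unsolicited when the receiving host never sent a
    query to the answering resolver. (Simplification: a production check
    would also expire old queries and match DNS transaction IDs.)
    """
    asked = set()  # (client, resolver) pairs with a real outbound query
    for _ts, src, _sport, dst, dport, _size in flows:
        if dport == 53:
            asked.add((src, dst))

    # Bucket unsolicited responses per destination and time window; the
    # short window suits bursts that last only tens of seconds per target.
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for ts, src, sport, dst, _dport, size in flows:
        if sport == 53 and (dst, src) not in asked:
            bucket = buckets[(dst, ts // window)]
            bucket["bytes"] += size
            bucket["sources"].add(src)

    victims = {}
    for (dst, _win), b in buckets.items():
        if len(b["sources"]) >= min_sources and b["bytes"] >= min_bytes:
            v = victims.setdefault(dst, {"bytes": 0, "sources": set()})
            v["bytes"] += b["bytes"]
            v["sources"] |= b["sources"]
    return victims


if __name__ == "__main__":
    for ip, stats in find_reflection_victims(FLOWS).items():
        print(ip, stats["bytes"], "bytes from", len(stats["sources"]), "resolvers")
```
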
The malicious Python scripts identified in the archive used multiple IP addresses assigned to Huge Networks to identify targets and execute the campaigns. These attacks were strictly limited to Brazilian IP address ranges. The scripts show that each selected IP address prefix was attacked for 10-60 seconds using four parallel processes per host before the botnet moved to the next target.
The botnet’s software is based on Mirai, a malware strain that first appeared in September 2016. The exposed scripts included DNS lookups for c.loyaltyservices[.]lol and hikylover[.]st, both of which were flagged within the year preceding April 2026 as control servers for a Mirai-powered Internet of Things (IoT) botnet.
Corporate Response and Breach Claims
Erick Nascimento denied writing the attack programs and stated he was unaware of the extent of the DDoS campaigns until contacted by KrebsOnSecurity.
“We received and notified many Tier 1 upstreams regarding very very large DDoS attacks against small ISPs,” Nascimento said. “We didn’t dig deep enough at the time, and what you sent makes that clear.”
Erick Nascimento, CEO of Huge Networks
Nascimento attributed the activity to a security breach first detected in January 2026, which compromised his personal SSH keys and two development servers. He provided a screenshot of a January 11, 2026, notification from Digital Ocean, the provider of the server used to coordinate the scanning, which had been flagged for abusive activity hundreds of times in the previous year.
“Our working assessment so far is that this all started with a single internal compromise — one pivot point that gave the attacker downstream access to some resources, including a legacy personal droplet of mine,” he wrote. “The compromise happened through a bastion/jump server that several people had access to.”
Nascimento claimed that the compromised Digital Ocean droplet was deprecated and destroyed and was not part of the formal Huge Networks infrastructure. He stated that the company wiped the affected boxes and rotated keys on the day of the January 11 notification.
Allegations of Competitive Sabotage
Nascimento flatly denied the possibility that Huge Networks launched attacks to create demand for its own DDoS protection services. He argued that the targets in the scripts were small regional providers that were not part of the company’s customer base or commercial pipeline.

“We don’t run DDoS attacks against Brazilian operators to sell protection,” Nascimento wrote. “Our sales model is mostly inbound and through channel integrator, distributors, partners — not active prospecting based on market incidents.”
The CEO further alleged that the entire operation was the work of a competitor intended to damage the company’s reputation. While he declined to name the rival, he claimed to have strong evidence stored on the blockchain to support the theory.
“I would love to share this with you, but it could not be published as it would lose the surprise factor against my dishonest competitor,” he explained. “Coincidentally or not, your contact happened a week before an important event – one that this competitor has NEVER participated in (and it’s a traditional event in the sector). And this year, they will be participating.”
Huge Networks has since engaged a third-party network forensics firm to investigate the incident.
