DDoS Botnet and DNS Amplification: The Case of Brazilian ISPs

A threat actor compromised Huge Networks' infrastructure to build a DDoS botnet against Brazilian ISPs, exploiting CVE-2023-1389 and DNS reflection.

In April 2026, an anonymous source shared an exposed online archive containing malicious programs in Portuguese and the private SSH keys of Huge Networks CEO, Erick Nascimento. The archive revealed that a Brazil-based threat actor maintained root access to the anti-DDoS security provider's infrastructure to build a powerful DDoS botnet, scanning insecure routers and unmanaged DNS servers.

The Internal Compromise of Huge Networks

In January 2026, Huge Networks detected a digital intrusion that compromised two company development servers and CEO Erick Nascimento's personal SSH keys. On January 11, 2026, DigitalOcean notified Nascimento that a personal droplet had been compromised through a leaked SSH key.

The Attack Mechanics: DNS Reflection and IoT Vulnerabilities

In March 2026, the attacks hit regional ISPs in Brazil, which put telcos at the top of the global list of DDoS targets for that period. The attacks were strictly limited to Brazilian IP address ranges. The threat actor's modus operandi relied on two main vectors: the exploitation of insecure IoT devices, and DNS amplification and reflection attacks.

To build the DDoS botnet, the attacker scanned TP-Link Archer AX21 routers vulnerable to CVE-2023-1389, an unauthenticated command injection vulnerability for which TP-Link had already released a patch in April 2023. Over the past year, the domains hikylover[.]st and c.loyaltyservices[.]lol were reported as command-and-control servers for a Mirai variant of this IoT botnet.

In parallel, the botnet exploited unmanaged and misconfigured DNS servers to conduct DNS amplification and reflection attacks. In this technique the bots send small DNS queries to open resolvers with the source address spoofed to that of the victim, so the resolvers deliver their much larger responses to the victim instead of to the bots.
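The following is an added example, not code from the article or from Huge Networks, showing how a network operator could spot such reflection traffic in UDP flow records. The record format, the thresholds, the RFC 5737 addresses and the sample records are all assumptions constructed for illustration. It combines two signals: fan-in of large DNS responses from many distinct resolvers (amplification), and responses arriving at a host that never sent the corresponding query (reflection of a spoofed query).

```python
"""Spot DNS reflection/amplification traffic in UDP flow records.

Added example for this article; it is not code from the article or from Huge
Networks. The record format, the thresholds, the RFC 5737 addresses and the
sample records below are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    size: int        # UDP payload length in bytes
    qtype: str       # DNS query type carried by the packet
    response: bool   # True when the DNS QR bit is set (a response)


def parse_flow(line: str) -> Flow:
    """Parse one record: '<src>:<sport> > <dst>:<dport> <bytes> <qtype> <Q|R>' (assumed format)."""
    left, right = line.split(" > ")
    src, sport = left.rsplit(":", 1)
    dst_port, size, qtype, qr = right.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport), int(size), qtype, qr == "R")


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes the victim receives per spoofed byte sent."""
    return response_bytes / query_bytes


def find_reflection_victims(flows, min_reflectors=5, min_avg_bytes=1000):
    """Flag hosts receiving large DNS responses from many resolvers they never queried.

    A host is reported when at least `min_reflectors` distinct resolvers answer it
    and the average response exceeds `min_avg_bytes`; the unsolicited ratio tells
    how many of those responses had no matching outbound query (spoofed source).
    """
    flows = list(flows)          # the records are scanned twice
    queried = set()              # (client, resolver) pairs that really sent a query
    for f in flows:
        if f.dport == 53 and not f.response:
            queried.add((f.src, f.dst))

    stats = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "pkts": 0,
                                 "unsolicited": 0, "qtypes": defaultdict(int)})
    for f in flows:
        if not (f.response and f.sport == 53):
            continue
        s = stats[f.dst]
        s["reflectors"].add(f.src)
        s["bytes"] += f.size
        s["pkts"] += 1
        s["qtypes"][f.qtype] += 1
        if (f.dst, f.src) not in queried:
            s["unsolicited"] += 1

    findings = {}
    for dst, s in stats.items():
        avg = s["bytes"] / s["pkts"]
        if len(s["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            findings[dst] = {
                "reflectors": len(s["reflectors"]),
                "avg_response_bytes": avg,
                "unsolicited_ratio": s["unsolicited"] / s["pkts"],
                "top_qtype": max(s["qtypes"], key=s["qtypes"].get),
            }
    return findings


# Constructed records. 203.0.113.10 is the victim: six open resolvers (192.0.2.x)
# answer ANY queries it never sent, ~3 KB each. 198.51.100.5 is a normal client
# whose two small A/AAAA lookups are matched by its own outbound queries.
SAMPLE_RECORDS = [
    "198.51.100.5:40001 > 192.0.2.1:53 60 A Q",
    "192.0.2.1:53 > 198.51.100.5:40001 120 A R",
    "198.51.100.5:40002 > 192.0.2.2:53 60 AAAA Q",
    "192.0.2.2:53 > 198.51.100.5:40002 132 AAAA R",
] + [
    f"192.0.2.{i}:53 > 203.0.113.10:53 {3000 + i} ANY R" for i in range(1, 7)
]


def analyze(records=SAMPLE_RECORDS):
    """Run the detector over the constructed records; only the victim is reported."""
    return find_reflection_victims(parse_flow(r) for r in records)


if __name__ == "__main__":
    for victim, info in analyze().items():
        print(victim, info)
    print("ANY amplification factor:", amplification_factor(60, 3000))
```

The unsolicited ratio is the decisive signal in practice: a busy recursive client will also see large responses from many resolvers, but it will have sent the queries itself. At an ISP edge, the same logic can be applied to NetFlow or sFlow exports, with the query-matching step replaced by whatever the collector exposes. Thresholds are assumptions and should be tuned against the operator's baseline.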

The Historical Parallel with the Creators of the Mirai Malware

The Huge Networks case echoes a historical paradox in cybersecurity. In September 2016, the Mirai malware made its public debut by launching a record DDoS attack. In January 2017, KrebsOnSecurity identified the authors of Mirai as co-owners of a DDoS mitigation company, a parallel to the current situation where an anti-DDoS company's infrastructure is being exploited for attacks. The Mirai threat persists: in May 2025, KrebsOnSecurity was hit by another Mirai-based DDoS attack.

Frequently Asked Questions

How was the Huge Networks anti-DDoS infrastructure compromised?
In January 2026, Huge Networks detected a digital intrusion that compromised two development servers and the CEO's SSH keys. On January 11, 2026, DigitalOcean notified the CEO that a personal droplet had been compromised through a leaked SSH key.
How do the DNS reflection attacks used against Brazilian ISPs work?
The botnet exploited unmanaged and misconfigured DNS servers to conduct DNS amplification and reflection attacks, strictly limiting the attacks to Brazilian IP address ranges.
Which IoT devices were exploited for the Brazilian DDoS botnet?
The threat actor scanned for and compromised TP-Link Archer AX21 routers vulnerable to CVE-2023-1389, an unauthenticated command injection vulnerability for which a patch had been available since April 2023.

This article is a summary based exclusively on the listed sources.

Sources