Brazilian DDoS Protection Firm’s Infrastructure Used to Launch Massive Botnet Attacks

A security breach involving a Brazilian DDoS protection firm has exposed a massive botnet campaign targeting internet service providers across Brazil. The incident centers on Huge Networks, a company specializing in network defense, whose infrastructure was reportedly used to launch a series of coordinated digital sieges against other network operators.

The revelation came after a file archive was discovered in an open online directory. This archive contained Portuguese-language malicious programs written in Python and, crucially, the private SSH authentication keys belonging to the CEO of Huge Networks. The data suggests that a threat actor maintained root access to the company’s infrastructure, utilizing it to scan the internet for vulnerable hardware to enlist in a powerful botnet.

Erick Nascimento, the CEO of Huge Networks, has denied any corporate involvement in the attacks. He attributes the activity to a security compromise and suggests the campaign may have been an attempt by a competitor to damage his company’s reputation. The botnet’s operations specifically targeted Brazilian IP address ranges, utilizing a combination of compromised routers and DNS amplification techniques to maximize the impact of the attacks.

This case highlights a recurring and dangerous trend in the cybersecurity landscape: the “protection racket” model, where firms offering DDoS mitigation are themselves implicated in launching attacks to create a market for their services. While Nascimento denies this motive, the technical infrastructure used in these attacks bears a striking resemblance to the Mirai malware, a notorious strain that has historically been linked to DDoS mitigation providers.

The Mechanics of the Botnet: Mirai and TP-Link Vulnerabilities

The botnet responsible for the attacks was built by scouring the internet for specific hardware vulnerabilities. According to the exposed command-line history, the attacker focused on TP-Link Archer AX21 routers. Specifically, the botnet sought out devices that remained vulnerable to CVE-2023-1389, an unauthenticated command injection vulnerability that TP-Link patched in April 2023.

An Archer AX21 router from TP-Link. Image: tp-link.com.

The software powering this network is based on Mirai, a malware strain that first gained global notoriety in September 2016. Mirai specializes in compromising Internet of Things (IoT) devices, turning them into “bots” that can be commanded to flood a target with traffic. In this specific campaign, the attacker used Python scripts and coordinated the scanning via a Digital Ocean server that has been flagged for abusive activity hundreds of times over the past year.

The scripts identified targets within Brazilian IP ranges and executed attacks that lasted between 10 and 60 seconds, utilizing four parallel processes per host before shifting to the next target. This rapid-fire approach allows attackers to disrupt multiple services quickly without maintaining a prolonged presence on a single target that might trigger more aggressive automated defenses.

DNS Amplification: Turning Minor Queries into Digital Tsunamis

Beyond the use of compromised routers, the attacker employed a technique known as DNS reflection and amplification. The Domain Name System (DNS) is the internet’s directory, translating human-readable domain names into IP addresses. In a reflection attack, the perpetrator sends a spoofed DNS query to a misconfigured DNS server, making it appear as though the request came from the victim’s network.

The “amplification” occurs when the attacker crafts a request that prompts a response significantly larger than the original query. For instance, a request of less than 100 bytes can trigger a response 60 to 70 times larger. When tens of thousands of compromised devices send these spoofed requests simultaneously, the resulting flood of traffic can overwhelm even robust network infrastructures.

A DNS amplification and reflection attack, illustrated. Image: veracara.digicert.com.

This method is particularly effective due to the fact that it leverages legitimate internet infrastructure (DNS servers) to hide the attacker’s true origin while multiplying the volume of traffic hitting the target. For Brazilian ISPs, who were the sole targets of this campaign, this resulted in massive surges of traffic that could lead to significant service outages for end-users.
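As an added illustration (not from the article or from any party it names), the following script shows how a network operator could spot the two halves of the pattern described above in its own flow data: inbound UDP/53 responses that no host on the network asked for (reflection), and responses far larger than the query that triggered them (amplification). The flow records, IP addresses and thresholds are all constructed for the example.

```python
"""Flag DNS reflection and amplification signs in simple UDP flow records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


# Constructed sample: 10.0.0.5 sends one real query to 192.0.2.53 and gets a
# normal answer, then receives unsolicited large answers from two open
# resolvers (198.51.100.10/11) on a port it never used, i.e. spoofed traffic.
SAMPLE_FLOWS = [
    Flow(1.0, "10.0.0.5", 40001, "192.0.2.53", 53, 72),
    Flow(1.1, "192.0.2.53", 53, "10.0.0.5", 40001, 180),
    Flow(2.0, "198.51.100.10", 53, "10.0.0.5", 33441, 4096),
    Flow(2.0, "198.51.100.11", 53, "10.0.0.5", 33441, 4200),
    Flow(2.1, "198.51.100.10", 53, "10.0.0.5", 33441, 4096),
]


def analyze(flows, window=2.0, min_unsolicited=2):
    """Return {victim_ip: report} for hosts receiving unsolicited DNS answers.

    A response is 'matched' when the same client ip/port sent a query to that
    server within `window` seconds before it; anything else is unsolicited.
    max_ratio is the largest response/query byte ratio seen on matched pairs.
    """
    queries = defaultdict(list)  # (client_ip, client_port, server_ip) -> [(ts, bytes)]
    for f in flows:
        if f.dst_port == 53 and f.src_port != 53:
            queries[(f.src_ip, f.src_port, f.dst_ip)].append((f.ts, f.nbytes))
    reports = defaultdict(lambda: {"unsolicited": 0, "bytes": 0,
                                   "reflectors": set(), "max_ratio": 0.0})
    for f in flows:
        if f.src_port != 53:
            continue
        recent = [q for q in queries.get((f.dst_ip, f.dst_port, f.src_ip), [])
                  if 0 <= f.ts - q[0] <= window]
        r = reports[f.dst_ip]
        if recent:
            r["max_ratio"] = max(r["max_ratio"], f.nbytes / min(q[1] for q in recent))
        else:
            r["unsolicited"] += 1
            r["bytes"] += f.nbytes
            r["reflectors"].add(f.src_ip)
    out = {ip: r for ip, r in reports.items() if r["unsolicited"] >= min_unsolicited}
    for r in out.values():
        r["reflectors"] = sorted(r["reflectors"])  # deterministic output
    return out
```

Hosts that appear in the output are candidates for rate-limiting or filtering inbound UDP/53 at the edge; the reflector list is what the operator would report to the resolver owners.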

The Defense: A Compromised CEO and a “Dishonest Competitor”

The connection to Huge Networks was established through the discovery of private SSH keys belonging to Erick Nascimento. SSH keys are used for secure remote access to servers; if stolen, they provide an attacker with a “skeleton key” to the infrastructure.

Nascimento claims the activity is the result of a digital intrusion first detected in January 2026. According to the CEO, two development servers and his personal SSH keys were compromised. He states that the company notified the relevant teams and rotated keys on January 11, 2026, after Digital Ocean flagged a “droplet” (a virtual private server) for being compromised.


“Our working assessment so far is that this all started with a single internal compromise — one pivot point that gave the attacker downstream access to some resources, including a legacy personal droplet of mine,” said Erick Nascimento, CEO of Huge Networks.

Nascimento further asserts that the compromise happened through a bastion or “jump” server that multiple people could access. He maintains that the specific server flagged by Digital Ocean was a deprecated personal asset and was never part of the official Huge Networks infrastructure. He has since engaged a third-party network forensics firm to conduct a deeper investigation into the breach.

The CEO has flatly denied the allegation that Huge Networks launched these attacks to generate business. He argues that the targets—small regional providers—are not part of the company’s customer base or commercial pipeline. Nascimento claims he possesses strong evidence stored on the blockchain proving that the attacks were orchestrated by a competitor. He declined to name the competitor, stating that doing so would remove the surprise factor ahead of an upcoming industry event.

Why This Matters: The Risks of “DDoS-for-Hire” and Infrastructure Abuse

This incident underscores the critical vulnerability of the global internet ecosystem to IoT botnets. When routers—like the TP-Link Archer AX21—remain unpatched, they turn into weapons in the hands of threat actors. The fact that a vulnerability patched in April 2023 was still being exploited in 2026 highlights a persistent gap in consumer hardware maintenance.

The use of a DDoS protection firm’s own infrastructure to launch attacks is a recurring theme in cybercrime. In January 2017, the original authors of Mirai were identified as co-owners of a DDoS mitigation firm who used the botnet to attack gaming servers to scare potential clients into buying their protection services. Similarly, in May 2025, a Brazilian man running a DDoS mitigation company was implicated in a near-record 6.3 Tbps attack before his services were seized by the FBI.

For the average user and small ISP, this situation serves as a reminder that security is only as strong as the weakest link. Whether it is a leaked SSH key on a “legacy droplet” or an unpatched router in a home office, these gaps provide the entry points necessary for large-scale disruption.

Key Technical Summary

Summary of the Huge Networks Botnet Campaign

Component           Detail
------------------  ----------------------------------------------
Primary Malware     Mirai variant
Targeted Hardware   TP-Link Archer AX21 (via CVE-2023-1389)
Attack Method       DNS Reflection and Amplification
Primary Targets     Brazilian Internet Service Providers (ISPs)
Key Compromise      CEO’s private SSH authentication keys

The next phase of this investigation will likely depend on the findings of the third-party network forensics firm hired by Huge Networks. If the evidence on the blockchain mentioned by Nascimento is ever made public, it could shift the focus from a security failure to a case of corporate espionage and sabotage.

Do you use TP-Link or other IoT devices in your network? Ensure your firmware is updated to the latest version to avoid becoming part of a botnet. We welcome your thoughts and experiences with network security in the comments below.
