Brazilian DDoS Protection Firm Implicated in Massive Attacks on Local ISPs
A Brazilian tech firm specializing in DDoS protection, **Huge Networks**, is under scrutiny after being linked to a botnet responsible for large-scale attacks against Brazilian network operators. The company's CEO, **Erick Nascimento**, claims the malicious activity stems from a security breach and could be the work of a competitor seeking to damage the company's reputation.
For years, security experts have been tracking a series of significant DDoS attacks originating from Brazil, exclusively targeting Brazilian ISPs. Recent findings have shed light on the potential source: a compromised infrastructure within **Huge Networks**.
### Exposed Archive Reveals SSH Keys and Botnet Activity
An exposed file archive contained malicious programs written in Python and the private SSH authentication keys belonging to **Erick Nascimento**, CEO of **Huge Networks**. This discovery suggests that a threat actor gained root access to **Huge Networks**' infrastructure and built a powerful DDoS botnet by scanning the Internet for vulnerable routers and DNS servers.
### DNS Amplification Attacks
The botnet leverages DNS amplification attacks to maximize impact. By exploiting misconfigured DNS servers that accept queries from any source, attackers can send spoofed requests that appear to originate from the target's network. The DNS servers then send their amplified responses to the targeted address rather than to the attacker, overwhelming the victim's network.
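
From the receiving network's side, the reflection pattern described above shows up as large UDP responses from source port 53 that match no query the destination ever sent. The following detection sketch is an added example, not code from the exposed archive or from the article; the flow records, the function name `find_reflection_victims` and the thresholds are constructed assumptions to be tuned per network.

```python
from collections import defaultdict

# Constructed flow records, not data from the article:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = (
    # 40 resolvers send large port-53 responses to a host that never queried them
    [(f"198.51.100.{i}", 53, "203.0.113.10", 40000 + i, "udp", 14000, 10) for i in range(1, 41)]
    # an ordinary client: five queries and the five matching small responses
    + [("203.0.113.20", 50000 + i, "192.0.2.53", 53, "udp", 70, 1) for i in range(5)]
    + [("192.0.2.53", 53, "203.0.113.20", 50000 + i, "udp", 180, 1) for i in range(5)]
)

def find_reflection_victims(flows, min_resolvers=20, min_avg_pkt=512, max_solicited=0.1):
    """Return {dst_ip: stats} for hosts hit by unsolicited, oversized DNS responses."""
    # Pass 1: remember every outbound query so responses can be matched against it.
    asked = {(src, sport, dst) for src, sport, dst, dport, proto, _, _ in flows
             if proto == "udp" and dport == 53}
    # Pass 2: aggregate UDP traffic arriving from source port 53, per destination.
    agg = defaultdict(lambda: {"resolvers": set(), "bytes": 0, "packets": 0,
                               "flows": 0, "solicited": 0})
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto != "udp" or sport != 53:
            continue
        a = agg[dst]
        a["resolvers"].add(src)
        a["bytes"] += nbytes
        a["packets"] += pkts
        a["flows"] += 1
        a["solicited"] += (dst, dport, src) in asked  # response to a query we saw?
    victims = {}
    for dst, a in agg.items():
        avg_pkt = a["bytes"] / a["packets"]
        solicited = a["solicited"] / a["flows"]
        # Spoofed-source reflection: many resolvers, big packets, almost no matching queries.
        if (len(a["resolvers"]) >= min_resolvers and avg_pkt >= min_avg_pkt
                and solicited <= max_solicited):
            victims[dst] = {"resolvers": len(a["resolvers"]), "avg_pkt": avg_pkt,
                            "solicited_ratio": solicited}
    return victims

if __name__ == "__main__":
    for ip, stats in find_reflection_victims(FLOWS).items():
        print(ip, stats)
```

The unsolicited-response ratio is the discriminating signal: a busy recursive client also receives many port-53 responses, but nearly all of them answer queries it sent.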

### Targeting TP-Link Routers
The exposed archive includes a command-line history detailing how the attacker built and maintained the botnet by scanning for vulnerable **TP-Link Archer AX21** routers. The botnet specifically targets devices vulnerable to **CVE-2023-1389**, an unauthenticated command injection vulnerability patched in April 2023.

Malicious domains associated with the attack scripts, such as hikylover[.]st and c.loyaltyservices[.]lol, have been previously flagged as control servers for IoT botnets powered by **Mirai malware** variants.
### Huge Networks' Response
**Erick Nascimento** acknowledged the intrusion, stating that the unauthorized activity is likely related to a security breach detected in January 2026. He claims that two of the company's development servers and his personal SSH keys were compromised. However, he maintains that there is no evidence the keys were used after January and that the company has engaged a third-party forensics firm to investigate. He also denied any involvement in DDoS attacks against Brazilian operators to boost his company's business.
Nascimento suggests that a competitor may be behind the attacks, attempting to tarnish **Huge Networks**' reputation. He claims to have evidence stored on the blockchain supporting this theory.
### Mirai's Legacy
The botnet's software is based on **Mirai**, a malware strain known for launching record-breaking DDoS attacks. **Mirai** has a history of being used by DDoS mitigation firms to attack gaming servers and acquire new clients.