
Compromised DDoS Mitigation Provider’s Infrastructure Used to Operate Mirai-based Botnet Targeting Brazilian ISPs


Summary

Huge Networks, a Brazilian DDoS mitigation provider, had its infrastructure compromised and used to operate a Mirai-based botnet that hit Brazilian ISPs with large-scale reflection and amplification attacks. The botnet recruited TP-Link Archer AX21 routers vulnerable to CVE-2023-1389 (patched April 2023) and used DNS reflection/amplification to generate high-volume traffic aimed exclusively at Brazilian IP ranges. Attack scripts and private SSH keys belonging to the company’s CEO were exposed in an open directory, revealing coordinated scanning and DDoS operations spanning late 2023 to early 2026.

Timeline

  1. 30.04.2026 17:04 (1 article)

    Huge Networks infrastructure compromised to power Mirai-based DDoS botnet against Brazilian ISPs

    Between late 2023 and early 2026, threat actors compromised Huge Networks’ infrastructure and used it to build and operate a Mirai-based botnet. The botnet targeted Brazilian ISPs using DNS reflection and amplification attacks, leveraging CVE-2023-1389 in TP-Link Archer AX21 routers. Malicious scripts and the CEO’s private SSH keys were exposed in an open directory, revealing coordinated scanning and attack execution against Brazilian IP ranges. The compromise was first detected in January 2026 and attributed to a leaked SSH key on a legacy Digital Ocean droplet accessed via a shared bastion server.

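The DNS reflection/amplification pattern described above has a recognisable signature on the victim's side: large UDP responses from source port 53, arriving from many distinct resolvers, to a host that never sent a matching query. The following is an added example (not code from the report or from Huge Networks) that scores unidirectional flow records per target on exactly those three properties. The monitored prefix, the resolver and reflector addresses, the flow records and the thresholds are all constructed or assumed for illustration.

```python
"""Detect DNS reflection/amplification floods in unidirectional flow records.

Added example; not code from the report or from Huge Networks. Flow records
are constructed in sample_flows(); the monitored prefix, reflector addresses
and thresholds are assumptions chosen for illustration.
"""
import ipaddress
from collections import defaultdict

# Hypothetical customer prefix of the ISP being protected (TEST-NET-3 as a stand-in).
MONITORED = ipaddress.ip_network("203.0.113.0/24")

# Assumed thresholds; tune them to the link being watched.
MIN_REFLECTORS = 20       # distinct source IPs sending port-53 responses to one target
MIN_UNSOLICITED = 0.9     # share of responses for which the target sent no query to that source
MIN_BYTES_PER_SEC = 500_000


def summarize(flows):
    """Per-target view of DNS traffic.

    flows: iterable of (timestamp_s, src_ip, src_port, dst_ip, dst_port, bytes),
    one record per direction, as a flow collector would export them.
    """
    queried = defaultdict(set)       # target -> resolvers it actually sent queries to
    out_bytes = defaultdict(int)     # target -> bytes of DNS queries it sent
    responses = defaultdict(list)    # target -> (ts, source, bytes) of inbound port-53 traffic
    for ts, src, sport, dst, dport, nbytes in flows:
        if dport == 53 and ipaddress.ip_address(src) in MONITORED:
            queried[src].add(dst)
            out_bytes[src] += nbytes
        elif sport == 53 and ipaddress.ip_address(dst) in MONITORED:
            responses[dst].append((ts, src, nbytes))

    summaries = {}
    for target, pkts in responses.items():
        sources = {src for _, src, _ in pkts}
        unsolicited = sum(1 for _, src, _ in pkts if src not in queried[target])
        total_in = sum(b for _, _, b in pkts)
        first, last = min(p[0] for p in pkts), max(p[0] for p in pkts)
        duration = max(last - first, 1.0)   # avoid dividing by a single-packet burst
        summaries[target] = {
            "reflectors": len(sources),
            "unsolicited_ratio": unsolicited / len(pkts),
            "bytes_per_sec": total_in / duration,
            "duration_s": last - first,
            # Response/query byte ratio; None when the target sent no queries at all,
            # which is itself the signature of pure reflection.
            "amplification": total_in / out_bytes[target] if out_bytes[target] else None,
        }
    return summaries


def detect_reflection(flows):
    """Return only the targets whose inbound DNS traffic looks like a reflection flood."""
    return {
        t: s for t, s in summarize(flows).items()
        if s["reflectors"] >= MIN_REFLECTORS
        and s["unsolicited_ratio"] >= MIN_UNSOLICITED
        and s["bytes_per_sec"] >= MIN_BYTES_PER_SEC
    }


def sample_flows():
    """Constructed records: one normal client and one reflection victim."""
    flows = []
    # Normal client: five 60-byte queries to its resolver, five 120-byte answers back.
    for i in range(5):
        flows.append((1000.0 + i, "203.0.113.10", 40000 + i, "198.51.100.1", 53, 60))
        flows.append((1000.01 + i, "198.51.100.1", 53, "203.0.113.10", 40000 + i, 120))
    # Victim: 40 open resolvers (192.0.2.x, constructed) each deliver 100 large answers
    # over ~30 s to a host that never asked; the burst length mirrors the per-target
    # 10-60 s windows described in the report.
    for r in range(1, 41):
        for i in range(100):
            flows.append((1000.0 + i * 0.3, f"192.0.2.{r}", 53, "203.0.113.50", 40000 + i, 4000))
    return flows


if __name__ == "__main__":
    for target, s in detect_reflection(sample_flows()).items():
        print(target, s)
```

Keying on "responses with no preceding query from this target" rather than on raw volume is what separates a reflection flood from a busy resolver client; the amplification field is `None` for the victim because it sent nothing at all, which is the purest form of that signal.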

Information Snippets

  • Huge Networks’ infrastructure was compromised to build and operate a Mirai-based botnet targeting Brazilian ISPs with DDoS attacks.

    First reported: 30.04.2026 17:04
    1 source, 1 article
  • The botnet exploited TP-Link Archer AX21 routers vulnerable to CVE-2023-1389, an unauthenticated command injection flaw in the router’s web management interface, patched in April 2023.

  • Attack scripts included DNS lookups to control servers hikylover[.]st and c.loyaltyservices[.]lol, previously associated with a Mirai variant IoT botnet.

  • Attacks were limited to Brazilian IP address ranges, with each target subjected to 10–60 seconds of DDoS activity using four parallel processes before moving to the next victim.

  • The CEO’s private SSH keys were used in the attack scripts, and the compromise is believed to have originated from a leaked SSH key on a legacy Digital Ocean droplet accessed via a bastion/jump server.

  • The compromise was first detected in January 2026; the affected development servers and personal infrastructure were wiped and keys were rotated immediately.

  • Huge Networks denies orchestrating attacks to solicit business and claims evidence points to a competitor’s involvement, citing timing and participation in a sector event.

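Rotating a leaked key, as described in the snippets above, is only complete once every `authorized_keys` file that still trusts it has been found, including entries on forgotten hosts such as a legacy droplet behind a shared bastion. The following is an added example (not code from the report or from Huge Networks) that parses `authorized_keys` lines, including the optional options field that precedes the key type, computes the SHA256 fingerprint the same way `ssh-keygen -l` does, and reports every line matching a revoked fingerprint. The key blobs and the `authorized_keys` text are constructed for the example; the blobs are syntactically valid ssh-ed25519 public keys, not real key pairs.

```python
"""Audit authorized_keys files for a revoked public key by SHA256 fingerprint.

Added example; not code from the report or from Huge Networks. The key blobs
and the authorized_keys text below are constructed for the example (the blobs
are syntactically valid ssh-ed25519 public keys, not real key pairs).
"""
import base64
import hashlib
import shlex
import struct

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


def ssh_fingerprint(b64_blob):
    """SHA256 fingerprint as ssh-keygen -l prints it: 'SHA256:' + base64(sha256(blob)), no '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield one dict per key line.

    Handles the optional options field (e.g. command="...",no-pty) that precedes
    the key type, and checks that the type string inside the blob matches the
    declared type so a mislabelled entry is not silently accepted.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # keeps command="a b" as one token
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            yield {"line": line_no, "error": "no recognised key type"}
            continue
        ktype, b64 = fields[idx], fields[idx + 1]
        try:
            blob = base64.b64decode(b64, validate=True)
            (tlen,) = struct.unpack(">I", blob[:4])
            embedded = blob[4:4 + tlen].decode()
        except Exception as exc:
            yield {"line": line_no, "error": f"bad key blob: {exc}"}
            continue
        yield {
            "line": line_no,
            "options": fields[:idx],
            "type": ktype,
            "fingerprint": ssh_fingerprint(b64),
            "comment": " ".join(fields[idx + 2:]),
            "error": None if embedded == ktype else f"blob says {embedded}",
        }


def find_revoked(text, revoked_fingerprints):
    """Lines whose key fingerprint is in the revoked set (e.g. a leaked key being hunted across hosts)."""
    return [e for e in parse_authorized_keys(text)
            if e.get("fingerprint") in revoked_fingerprints]


def fake_ed25519_blob(fill):
    """Constructed ssh-ed25519 public-key blob: string 'ssh-ed25519', then a 32-byte 'point'."""
    key_type = b"ssh-ed25519"
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(blob).decode()


LEAKED_KEY = fake_ed25519_blob(0x41)   # stands in for the leaked key
BACKUP_KEY = fake_ed25519_blob(0x42)   # an unrelated key that must not be flagged

# Constructed authorized_keys content; the same leaked key appears twice, once with the restrict option.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for this example",
    f"ssh-ed25519 {LEAKED_KEY} ceo@laptop",
    f'command="/usr/bin/rsync --server",no-pty,no-port-forwarding ssh-ed25519 {BACKUP_KEY} backup@bastion',
    "",
    f"restrict ssh-ed25519 {LEAKED_KEY} ceo@legacy-droplet",
])


if __name__ == "__main__":
    revoked = {ssh_fingerprint(LEAKED_KEY)}
    for entry in find_revoked(SAMPLE_AUTHORIZED_KEYS, revoked):
        print(f"line {entry['line']}: {entry['fingerprint']} {entry['comment']}")
```

Matching on the fingerprint rather than on the comment matters in practice: the comment is free text and the same key is routinely pasted onto hosts with different or empty comments, so only the blob itself identifies it reliably.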