MakuluLinux Ships a Persistent Backdoor in Every Installation
Severity: CRITICAL | Disclosure Date: January 28, 2026 | Discovered by Steven Stobo (WeRAI / Haven AI)
The MakuluLinux operating system installs a binary that establishes a persistent connection to a command-and-control server owned by the developer. This is not a third-party compromise. The backdoor is embedded in the OS installer itself.
The Evidence Chain
1. install-script.bin (the OS installer) copies /usr/share/MakuluSetup/files/check.bin to /usr/bin/check.bin
2. Creates an autostart entry disguised as "System Health Check" with a 30-second delay
3. check.bin (9.5MB stripped ELF) establishes a persistent TCP connection to 217.77.8.210:2006
4. That IP is the address of makulu.online — the developer's own domain
5. Installer error handling: "One or more critical final file operations (startup/check.bin) failed" — it's a critical install component
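The three host-side indicators in the chain above (dropped binary, disguised autostart entry, live socket to the C2 address) can be checked with the script below. This is an added example, not code from the disclosure or from MakuluLinux; the script name `ioc-check.sh`, the sample inputs and the autostart directory are assumptions, and each check takes its input as an argument or on stdin so it can also be run against data captured from another machine.

```bash
#!/usr/bin/env bash
# Added example (not part of the WeRAI disclosure or MakuluLinux): checks a host
# for the indicators named in the evidence chain. Each check takes its input as
# an argument or on stdin so it can also run against captured data offline.

C2_ADDR="217.77.8.210:2006"   # C2 endpoint named in the disclosure

# 1. The dropped binary and its staging copy. Optional $1 is an alternate root
#    (e.g. a mounted image). Prints the paths found; returns 0 if any exist.
check_binaries() {
    local root="${1:-}" p found=1
    for p in /usr/bin/check.bin /usr/share/MakuluSetup/files/check.bin; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
            found=0
        fi
    done
    return "$found"
}

# 2. Autostart entries whose Exec= line launches check.bin, whatever the
#    displayed Name= says. $1 is the autostart directory to scan.
find_autostart_entries() {
    local dir="$1" f found=1
    for f in "$dir"/*.desktop; do
        [ -e "$f" ] || continue
        if grep -qE '^Exec=.*check\.bin' "$f"; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return "$found"
}

# 3. A live socket to the C2 address. Reads `ss -tnp` / `netstat -tnp` output
#    from a file argument or from stdin; returns 0 if the address appears.
has_c2_connection() {
    grep -qF -- "$C2_ADDR" "$@"
}

# Run all three against the live system when invoked as: ./ioc-check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    check_binaries "" && echo "-> check.bin present"
    find_autostart_entries "$HOME/.config/autostart" && echo "-> autostart entry launches check.bin"
    ss -tnp 2>/dev/null | has_c2_connection && echo "-> live connection to $C2_ADDR"
fi
```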
Infrastructure
| Asset | IP | Hosting | Registrant |
|---|---|---|---|
| C2 Server | 217.77.8.210:2006 | Contabo GmbH, DE | Germany |
| makulu.online | 217.77.8.210 | Contabo GmbH | Da Nang, Vietnam |
| makululinux.eu | 207.180.233.66 | Contabo GmbH | Redacted |
| makululinux.com | 64.20.42.243 | Trouble-free.net | Eastern Cape, South Africa |
The C2 server and makulu.online are the same IP address (217.77.8.210). This definitively links the backdoor to the developer's own infrastructure.
Additional Insecure Practices
- Update scripts download over plain HTTP (not HTTPS) with no code signing
- Downloaded scripts are chmod +x and executed with sudo every 5 minutes
- verification.bin phones home to makulu.online:7005 over HTTP
- Any man-in-the-middle attacker could inject arbitrary code with root privileges
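The update pattern described above (fetch over plain HTTP, chmod +x, run with sudo, no signature) is shown below next to a verify-before-execute equivalent. This is an added example, not code from MakuluLinux or from the disclosure; the URL is a placeholder, and the expected SHA-256 is assumed to come from a signed manifest obtained out of band rather than from the same unauthenticated channel as the script.

```bash
#!/usr/bin/env bash
# Added example, not MakuluLinux or disclosure code. Placeholder URL; the
# expected digest is assumed to come from a signed manifest fetched separately.

# Weak pattern (do not use): transport and content are both unauthenticated,
# so anyone on the network path can supply the script that root will run.
#   curl -s http://updates.example.invalid/quick-patch -o /tmp/qp && chmod +x /tmp/qp && sudo /tmp/qp

# Accept only https:// URLs so the download cannot be altered in transit.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS update URL: $1" >&2; return 1 ;;
    esac
}

# SHA-256 of a file as lower-case hex (sha256sum on Linux, shasum elsewhere).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Fail unless the file's digest matches the expected value from the manifest.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual=$(digest "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual" >&2
        return 1
    fi
}

# Download step, kept separate so it can be swapped for another fetcher.
# $1 = destination file, $2 = URL. Pinning the protocol blocks HTTP redirects.
fetch() {
    curl --proto '=https' --tlsv1.2 -fsSL -o "$1" "$2"
}

# Fetch the update, check it, and only then run it. Nothing is made executable
# or run under sudo before verification succeeds.
apply_update() {
    local url="$1" expected="$2" tmp rc=0
    require_https "$url" || return 1
    tmp=$(mktemp) || return 1
    if ! fetch "$tmp" "$url" || ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    sh "$tmp" || rc=$?   # runs as the invoking user; escalate per task, never blanket sudo
    rm -f "$tmp"
    return "$rc"
}
```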
The Developer
Jacque Montague Raymer
Sole Developer & Owner — MakuluLinux (since 2009)
Location: Da Nang, Vietnam
Previously: Eastern Cape, South Africa
Email: raymerjacque@gmail.com
"Makulu" means "big chief" in Zulu
One person. Running an update system over HTTP with no signature verification that auto-executes with sudo every 5 minutes on every installation worldwide.
If You Run MakuluLinux
# Kill the backdoor process (pkill exits quietly if it is not running)
sudo pkill -f check.bin
# Delete the binary and staging copy
sudo rm -f /usr/bin/check.bin /usr/share/MakuluSetup/files/check.bin
# Delete the autostart entry
rm -f ~/.config/autostart/System-Health-Check.desktop
# Block the C2 server (this rule is lost on reboot; persist it with your firewall tooling)
sudo iptables -A OUTPUT -d 217.77.8.210 -j DROP
# Block domains in /etc/hosts
echo "0.0.0.0 makulu.online" | sudo tee -a /etc/hosts
echo "0.0.0.0 makululinux.eu" | sudo tee -a /etc/hosts
# Disable update scripts
sudo chmod -x /usr/share/MakuluSetup/check-patchlist
sudo chmod -x /usr/share/MakuluSetup/update-check
sudo chmod -x /usr/share/MakuluSetup/quick-patch
# Then: change ALL passwords, regenerate SSH keys,
# and migrate to a trusted Linux distribution.
Full Technical Disclosure on GitHub
Why This Matters
The Real Game: A SaaS Trojan Horse
MakuluLinux is not just an OS with a backdoor. It's a delivery vehicle for a centralized AI-as-a-service platform. Every "AI feature" — all 40+ compiled Python binaries — proxies requests through the developer's single Contabo VPS. The free OS is the funnel. The AI features are the product. The backdoor is the control plane.
Server Port Map — 217.77.8.210 (makulu.online)
| Port | Protocol | Service | Used By |
|---|---|---|---|
| 2006 | Raw TCP | C2 Backdoor | check.bin ONLY |
| 2006 | HTTPS | AI chat/ask API | calculator, weather, editor, frames, image-gen |
| 4002 | HTTPS | Image processing | image2image |
| 6003 | HTTPS | AI chat API | text-image, video, video-gen, log, pie, update-manager |
| 6004 | HTTP | AI ask API | song |
| 7005 | HTTP | License verification | verification.bin, frames, editor |
The Scheme
1. Free Linux distro = the funnel. User acquisition through a "free OS with AI features."
2. AI features = the product. 40+ tools are thin GUIs proxying to OpenAI and HuggingFace via Raymer's server. He's the undisclosed middleman.
3. Pro vs Free = monetization. verification.bin enforces licensing. expired.bin redirects to token.html to buy access. video.bin has a paywall.
4. check.bin = command channel. AI tools use HTTPS to port 2006. check.bin uses raw TCP to the same port. Different protocol, same port. The API is the front. The socket is the back door.
5. HTTP updates = total control. Push any binary to any machine, anytime, with root execution. No consent, no verification.
Data Harvesting
- weather.bin geolocates every user via ipinfo.io and ipapi.co before API calls
- image2image.bin maintains persistent user sessions on the server
- All AI requests route through Raymer's server — he can log every prompt, every image, every conversation
One guy in Da Nang, Vietnam, running a SaaS business disguised as a free Linux distro, with a persistent backdoor on every installation, off a single VPS in Germany.
This is exactly why the Human Router architecture exists. In a world where you cannot even trust your operating system vendor, every decision — every execution — needs a governance gate.
D = G × S. If G ≠ 1, D = 0. No action is routed without verified authority. No exceptions.
They sowed the wind. Let them reap the whirlwind.