MakuluLinux Ships a Persistent Backdoor in Every Installation

Severity: CRITICAL  |  Disclosure Date: January 28, 2026  |  Researcher: Steven Stobo

Summary

The MakuluLinux operating system installs a binary that establishes a persistent connection to a command-and-control server owned by the developer. This is not a third-party compromise. The backdoor is embedded in the OS installer itself.

Evidence Chain

1. install-script.bin (the OS installer) copies /usr/share/MakuluSetup/files/check.bin to /usr/bin/check.bin
2. Creates an autostart entry disguised as "System Health Check" with a 30-second delay
3. check.bin (9.5 MB stripped ELF) establishes a persistent TCP connection to 217.77.8.210:2006
4. That IP resolves to makulu.online — the developer's own domain
5. Installer error handling references "One or more critical final file operations (startup/check.bin) failed", confirming it is a required install component

C2 Infrastructure

Asset             IP                   Hosting            Registrant Location
C2 Server         217.77.8.210:2006    Contabo GmbH, DE   Germany
makulu.online     217.77.8.210         Contabo GmbH       Da Nang, Vietnam
makululinux.eu    207.180.233.66       Contabo GmbH       Redacted
makululinux.com   64.20.42.243         Trouble-free.net   Eastern Cape, South Africa

The C2 server and makulu.online resolve to the same IP address (217.77.8.210). This links the backdoor directly to the developer's own infrastructure.

Additional Insecure Practices

Developer Attribution

MakuluLinux is developed and maintained by a single individual: Jacque Montague Raymer, operating from Da Nang, Vietnam (previously Eastern Cape, South Africa). The project has been active since 2009.

All server infrastructure (C2, update distribution, AI API proxying, license verification) runs on Contabo GmbH VPS instances registered to the same developer.

Embedded SaaS Platform

Beyond the backdoor, analysis reveals MakuluLinux functions as a delivery vehicle for a centralized AI-as-a-service platform. Over 40 compiled Python binaries proxy requests through the developer's VPS to upstream providers (OpenAI, HuggingFace). The OS is the distribution mechanism; the AI features are the monetized product.

Server Port Map — 217.77.8.210 (makulu.online)

Port   Protocol   Service                Used By
2006   Raw TCP    C2 Backdoor            check.bin
2006   HTTPS      AI chat/ask API        calculator, weather, editor, frames, image-gen
4002   HTTPS      Image processing       image2image
6003   HTTPS      AI chat API            text-image, video, video-gen, log, pie, update-manager
6004   HTTP       AI ask API             song
7005   HTTP       License verification   verification.bin, frames, editor

Port 2006 serves dual purposes: HTTPS for legitimate AI API calls, and raw TCP for the check.bin backdoor. The API is the front-facing service. The raw socket is the undisclosed control channel.
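A host-side check for the three indicators in the evidence chain and port map above (the dropped binary, the disguised autostart entry, and a socket to 217.77.8.210:2006), added here as an example; it is not part of the advisory or the researcher's analysis. Socket state is read from /proc/net/tcp, which prints addresses in host byte order (a little-endian host is assumed), and the sample /proc/net/tcp text is constructed.

```python
import os
import socket
import struct

C2_IP, C2_PORT = "217.77.8.210", 2006           # endpoint from the evidence chain
BINARY_PATHS = ["/usr/bin/check.bin", "/usr/share/MakuluSetup/files/check.bin"]
AUTOSTART_NAME = "System Health Check"          # the disguised autostart entry

# Constructed /proc/net/tcp sample: row 0 is a listener, row 1 is an ESTABLISHED
# socket to the C2 endpoint. Addresses are host-order hex (little-endian on x86).
SAMPLE_PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 1B00A8C0:B6F2 D2084DD9:07D6 01 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0 20 4 30 10 -1
"""

def parse_proc_net_tcp(text):
    """Return (remote_ip, remote_port, state) per socket; state 01 is ESTABLISHED."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        rem_hex, port_hex = fields[2].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(rem_hex, 16)))
        rows.append((ip, int(port_hex, 16), fields[3]))
    return rows

def c2_connections(text):
    """Sockets aimed at 217.77.8.210:2006 in any state (SYN_SENT counts too)."""
    return [r for r in parse_proc_net_tcp(text) if (r[0], r[1]) == (C2_IP, C2_PORT)]

def autostart_hits(autostart_dir):
    """.desktop files whose Name= is the disguise the installer uses."""
    hits = []
    if not os.path.isdir(autostart_dir):
        return hits
    for name in os.listdir(autostart_dir):
        path = os.path.join(autostart_dir, name)
        if name.endswith(".desktop"):
            with open(path, errors="replace") as f:
                if any(l.strip() == "Name=" + AUTOSTART_NAME for l in f):
                    hits.append(path)
    return hits

def scan(proc_tcp_text, autostart_dir):
    """All three indicators at once; every list empty means no hit."""
    return {"binaries": [p for p in BINARY_PATHS if os.path.exists(p)],
            "autostart": autostart_hits(autostart_dir),
            "c2_sockets": c2_connections(proc_tcp_text)}
```

On a live system, call scan(open("/proc/net/tcp").read(), os.path.expanduser("~/.config/autostart")) as the logged-in user; IPv6 sockets live in /proc/net/tcp6 and are not covered here.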

Data Collection

Remediation

If you are running MakuluLinux, execute the following to neutralize the backdoor and insecure update mechanism:

# Stop the backdoor process (pkill exits quietly if nothing matches)
sudo pkill -f check.bin

# Delete the binary and staging copy
sudo rm -f /usr/bin/check.bin /usr/share/MakuluSetup/files/check.bin

# Delete the autostart entry
rm -f ~/.config/autostart/System-Health-Check.desktop

# Block the C2 server (this rule does not survive a reboot; persist it with
# your distribution's firewall tooling if you keep the system running)
sudo iptables -A OUTPUT -d 217.77.8.210 -j DROP

# Block domains in /etc/hosts
echo "0.0.0.0 makulu.online" | sudo tee -a /etc/hosts
echo "0.0.0.0 makululinux.eu" | sudo tee -a /etc/hosts

# Disable insecure update scripts
sudo chmod -x /usr/share/MakuluSetup/check-patchlist
sudo chmod -x /usr/share/MakuluSetup/update-check
sudo chmod -x /usr/share/MakuluSetup/quick-patch

# Post-remediation: change ALL passwords, regenerate SSH keys,
# and migrate to a trusted Linux distribution.

Update: February 1, 2026 — Update Mechanism Analysis

Additional analysis was performed on a fresh MakuluLinux LinDoz 2026 installation. The update mechanism was examined while actively running on a live system.

Update Loop (update-check)

An infinite loop runs every 5 minutes, calling check-patchlist:

while sleep 5m
do
  /usr/share/MakuluSetup/check-patchlist
done

Script Self-Replacement (check-patchlist)

check-patchlist downloads replacement scripts from the developer's server over plain HTTP with no signature verification:

wget -r -nH -l1 --no-parent --reject "index.html*" \
  http://makululinux.eu/rsync-ubuntu/lindoz-u/patch-number/ \
  /usr/share/MakuluSetup/

The downloaded files overwrite the currently running scripts, including quick-patch and 5-patcher-rsync. This means any code the server delivers will execute with the user's privileges (including sudo) within the next 5-minute cycle. The use of plain HTTP makes this trivially exploitable via man-in-the-middle.

Binary Download with Unrestricted Permissions (quick-patch)

The quick-patch script downloads compiled binaries from makulu.online and sets them to chmod 777 (world-readable, writable, and executable):

smart_sync_file "https://makulu.online/ai/weather/weather.bin" \
  "/usr/share/MakuluSetup/weather/weather.bin" "777"
smart_sync_file "https://makulu.online/ai/calculator/calculator.bin" \
  "/usr/share/MakuluSetup/calculator/calculator.bin" "777"
smart_sync_file "https://makulu.online/ai/image/image-gen.bin" \
  "/usr/share/MakuluSetup/tools/image-gen.bin" "777"
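To make concrete what the check-patchlist (plain HTTP, no signature check) and quick-patch (unsigned binaries, chmod 777) paths above lack, here is a hardened counterpart to smart_sync_file, written for this page as an example and not code from MakuluLinux: HTTPS only, a SHA-256 pinned to a value that must come from outside the server (a signed manifest is assumed, not shown), and an atomic install at mode 0755 that refuses any group- or world-writable mode. The function names and the staged sample bytes are constructed.

```python
import hashlib
import os
import shutil
import tempfile
import urllib.request

def sha256_of(path):
    """Streaming SHA-256 so multi-megabyte .bin files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def stage_bytes(data):
    """Write data to a private temp file (mkstemp gives mode 0600); return its path."""
    fd, path = tempfile.mkstemp(prefix="makulu-sync-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def is_world_writable(path):
    return bool(os.stat(path).st_mode & 0o002)

def install_verified(staged, dest, expected_sha256, mode=0o755):
    """Move the staged file to dest only if its digest matches the pinned value;
    refuse group/world-writable modes so quick-patch's 777 cannot be requested."""
    if mode & 0o022:
        raise ValueError("refusing group/world-writable mode %o" % mode)
    actual = sha256_of(staged)
    if actual != expected_sha256:
        os.unlink(staged)                      # never leave an unverified binary behind
        raise ValueError("digest mismatch for %s: %s" % (dest, actual))
    os.makedirs(os.path.dirname(dest) or ".", exist_ok=True)
    tmp = dest + ".new"
    shutil.move(staged, tmp)
    os.chmod(tmp, mode)
    os.replace(tmp, dest)                      # atomic swap: no half-written executable
    return dest

def verified_sync_file(url, dest, expected_sha256):
    """Hardened stand-in for smart_sync_file: HTTPS only, digest pinned, mode 0755.
    expected_sha256 must come from a source the server cannot alter (a signed manifest)."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS source: " + url)
    with urllib.request.urlopen(url) as resp:
        staged = stage_bytes(resp.read())
    return install_verified(staged, dest, expected_sha256)
```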

Persistent User Prompt

If the user declines the update prompt, the script retries every 300 seconds indefinitely:

while true; do
  if zenity --question --title="System Updates" \
    --text="New AI system patches are available..."; then
    return 0
  else
    sleep 300
  fi
done

The user cannot permanently dismiss the update. The prompt will continue to appear until accepted.

Summary of findings: The update mechanism downloads arbitrary scripts over unencrypted HTTP, replaces its own code with whatever the server provides, downloads unsigned binaries with unrestricted permissions, and presents a non-dismissible prompt to the user. This provides the developer with persistent, renewable remote code execution capability on every installation.

Analysis conducted on the researcher's own hardware. Scripts preserved as evidence. Remediation applied immediately after documentation.

Full Technical Analysis on GitHub →