Severity: CRITICAL | Disclosure Date: January 28, 2026 | Discovered by Steven Stobo (WeRAI / Haven AI)
The MakuluLinux operating system installs a binary that establishes a persistent connection to a command-and-control server owned by the developer. This is not a third-party compromise. The backdoor is embedded in the OS installer itself.
The Evidence Chain
1
install-script.bin (the OS installer) copies /usr/share/MakuluSetup/files/check.bin to /usr/bin/check.bin
↓
2
Creates autostart entry disguised as "System Health Check" with 30-second delay
↓
3
check.bin (9.5MB stripped ELF) establishes persistent TCP connection to 217.77.8.210:2006
↓
4
That IP resolves to makulu.online — the developer's own domain
↓
5
Installer error handling: "One or more critical final file operations (startup/check.bin) failed" — it's a critical install component
Infrastructure
| Asset | IP | Hosting | Registrant |
|---|---|---|---|
| C2 Server | 217.77.8.210:2006 | Contabo GmbH, DE | Germany |
| makulu.online | 217.77.8.210 | Contabo GmbH | Da Nang, Vietnam |
| makululinux.eu | 207.180.233.66 | Contabo GmbH | Redacted |
| makululinux.com | 64.20.42.243 | Trouble-free.net | Eastern Cape, South Africa |
The C2 server and makulu.online are the same IP address (217.77.8.210). This definitively links the backdoor to the developer's own infrastructure.
Additional Insecure Practices
- Update scripts download over plain HTTP (not HTTPS) with no code signing
- Downloaded scripts are
chmod +xand executed with sudo every 5 minutes verification.binphones home tomakulu.online:7005over HTTP- Any man-in-the-middle attacker could inject arbitrary code with root privileges
The Developer
★
Jacque Montague Raymer
Sole Developer & Owner — MakuluLinux (since 2009)
Location: Da Nang, Vietnam
Previously: Eastern Cape, South Africa
Email: [email protected]
"Makulu" means "big chief" in Zulu
One person. Running an update system over HTTP with no signature verification
that auto-executes with sudo every 5 minutes on every installation worldwide.
| Port | Protocol | Service | Used By |
|---|---|---|---|
| 2006 | Raw TCP | C2 Backdoor | check.bin ONLY |
| 2006 | HTTPS | AI chat/ask API | calculator, weather, editor, frames, image-gen |
| 4002 | HTTPS | Image processing | image2image |
| 6003 | HTTPS | AI chat API | text-image, video, video-gen, log, pie, update-manager |
| 6004 | HTTP | AI ask API | song |
| 7005 | HTTP | License verification | verification.bin, frames, editor |
The Scheme
1
Free Linux distro = the funnel. User acquisition through a "free OS with AI features."
↓
2
AI features = the product. 40+ tools are thin GUIs proxying to OpenAI, HuggingFace via Raymer's server. He's the undisclosed middleman.
↓
3
Pro vs Free = monetization. verification.bin enforces licensing. expired.bin redirects to token.html to buy access. video.bin has a paywall.
↓
4
check.bin = command channel. AI tools use HTTPS to port 2006. check.bin uses raw TCP to the same port. Different protocol, same port. The API is the front. The socket is the back door.
↓
5
HTTP updates = total control. Push any binary to any machine, anytime, with root execution. No consent, no verification.
Data Harvesting
weather.bingeolocates every user viaipinfo.ioandipapi.cobefore API callsimage2image.binmaintains persistent user sessions on the server- All AI requests route through Raymer's server — he can log every prompt, every image, every conversation
One guy in Da Nang, Vietnam, running a SaaS business disguised as a free Linux distro, with a persistent backdoor on every installation, off a single VPS in Germany.
This is exactly why the Human Router architecture exists. In a world where you cannot even trust your operating system vendor, every decision — every execution — needs a governance gate.
D = G × S. If G ≠ 1, D = 0. No action is routed without verified authority. No exceptions.
They sowed the wind. Let them reap the whirlwind.