
MakuluLinux (6.4M Downloads) Ships Persistent Backdoor from Developer's Own C2


SECURITY DISCLOSURE - CRITICAL

MakuluLinux Ships a Persistent Backdoor in Every Installation

The MakuluLinux operating system installs a binary that establishes a persistent connection to a command-and-control server owned by the developer. This is not a third-party compromise. The backdoor is embedded in the OS installer itself.

The Evidence Chain

1. install-script.bin (the OS installer) copies /usr/share/MakuluSetup/files/check.bin to /usr/bin/check.bin
2. Creates an autostart entry disguised as "System Health Check" with a 30-second delay
3. check.bin (9.5MB stripped ELF) establishes a persistent TCP connection to 217.77.8.210:2006
4. That IP resolves to makulu.online — the developer's own domain
5. Installer error handling: "One or more critical final file operations (startup/check.bin) failed" — it's a critical install component
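As an added example, not part of the disclosure, the following Python host check looks for the three indicators in the chain above: the dropped /usr/bin/check.bin, an XDG autostart entry that uses the "System Health Check" name or launches check.bin, and an established connection to 217.77.8.210:2006 in `ss -tnp` output. The .desktop text and the ss lines below are constructed for illustration; the disclosure does not reproduce the real autostart file.

```python
from pathlib import Path

# Indicators taken from the disclosure above.
C2_ENDPOINT = "217.77.8.210:2006"
BACKDOOR_PATH = "/usr/bin/check.bin"
DISGUISED_NAME = "System Health Check"

# Constructed sample inputs (not captured from a real MakuluLinux host).
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=System Health Check
Exec=sh -c "sleep 30; /usr/bin/check.bin"
"""
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.20:41234 217.77.8.210:2006 users:(("check.bin",pid=1234,fd=3))
ESTAB 0 0 192.168.1.20:51000 93.184.216.34:443 users:(("firefox",pid=2222,fd=55))
"""

def parse_desktop(text):
    """Return the key/value pairs of a .desktop file's [Desktop Entry] group."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def suspicious_autostart(text):
    """True if an autostart entry uses the disguise name or launches check.bin."""
    entry = parse_desktop(text)
    return entry.get("Name") == DISGUISED_NAME or "check.bin" in entry.get("Exec", "")

def c2_connections(ss_output):
    """Return `ss -tnp` lines whose peer column is the disclosed C2 endpoint."""
    return [l for l in ss_output.splitlines() if C2_ENDPOINT in l.split()]

def audit_host():
    """Scan the usual XDG autostart locations and the dropped binary path."""
    findings = []
    for d in (Path("/etc/xdg/autostart"), Path.home() / ".config" / "autostart"):
        for f in d.glob("*.desktop"):  # missing directories simply yield nothing
            if suspicious_autostart(f.read_text(errors="replace")):
                findings.append(f"autostart: {f}")
    if Path(BACKDOOR_PATH).exists():
        findings.append(f"binary present: {BACKDOOR_PATH}")
    return findings
```

On a live host, call `audit_host()` for the file-system indicators and feed the output of `ss -tnp` to `c2_connections()` to check for the connection.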

Infrastructure

Asset             IP                  Hosting             Registrant
C2 Server         217.77.8.210:2006   Contabo GmbH, DE    Germany
makulu.online     217.77.8.210        Contabo GmbH        Da Nang, Vietnam
makululinux.eu    207.180.233.66      Contabo GmbH        Redacted
makululinux.com   64.20.42.243        Trouble-free.net    Eastern Cape, South Africa

The C2 server and makulu.online are the same IP address (217.77.8.210). This definitively links the backdoor to the developer's own infrastructure.

Additional Insecure Practices

Update scripts download over plain HTTP (not HTTPS) with no code signing
