3 comments

[ 1.7 ms ] story [ 21.9 ms ] thread
(comment deleted)
not linux, but Go packages.
The campaign is using Go packages just as a mechanism to download a ransomware for Linux systems, and it specifically checks if the Documents/ directory exists for the current user. If it doesn't exist it does nothing.

That's probably why the malware sandboxes are not detecting the outbound connections and the encrypting activity.