Also, the malware deployed behaved differently by platform:

  • On macOS and Linux, it used Go-based binaries tied to a persistent remote-access framework.
  • On Windows platforms, it ran inside the editor’s own Electron process and avoided dropping a conventional executable.