Comment by resfirestar

10 hours ago

Linux malware looks different usually. This kind of plugin-based framework running as its own process is uncommon, but web shells with similar functionality have been around for a while. And bad guys like working in the shell on Linux too; just a simple binary that reads commands from a socket is often all they need, but that doesn't make for very fascinating blog posts. Some just install cloudflared, nothing custom needed at all.