This makes sense, but the implementation itself was also kind of sloppy. I think it was bound to be found sooner or later, which seems oddly unlikely for an APT that would spend more time and effort hiding it.
I wouldn’t expect China, NSA, or any big-name APT to be behind this.
I wonder if it was really a state actor or actually just a random blackhat group trying to gg ez a backdoor.