Linux malware looks different usually. This kind of plugin based framework running as its own process is uncommon, but web shells with similar functionality have been around for a while. And bad guys like working in the shell on Linux too, just a simple binary that reads commands from a socket is often all they need, but doesn't make for very fascinating blog posts. Some just install cloudflared, nothing custom needed at all.