The threat actors use the “nohup” command to run the executable in the background, so that the process remains active after the terminal session ends. The experts noticed that the attacker appended all the modifications to the ~/.bashrc file to maintain persistence whenever the user initiates a new Bash shell session.
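A defender's check for the persistence described above, as an added example that is not part of the original text: it flags non-comment lines in a shell startup file that launch a detached process (`nohup`, and by extension `setsid`, `disown`, or a trailing `&`). The sample file and its paths are constructed placeholders, and the function names are hypothetical; hits are candidates for review, not confirmed compromise.

```shell
#!/bin/sh
# Added example: triage shell startup files for lines that launch detached processes.

# Matches nohup/setsid/disown as a command word, or a line ending in a single '&'.
PATTERN='(^|[[:space:];&|(])(nohup|setsid|disown)([[:space:]]|$)|[^&]&[[:space:]]*$'

# audit_rc_file FILE...: print "file:lineno:line" for each non-comment hit.
audit_rc_file() {
    for file in "$@"; do
        [ -r "$file" ] || continue
        { grep -nE "$PATTERN" "$file" || true; } |
            { grep -vE '^[0-9]+:[[:space:]]*#' || true; } |
            while IFS= read -r hit; do
                printf '%s:%s\n' "$file" "$hit"
            done
    done
}

# count_hits FILE...: number of flagged lines, for use in scripts and alerts.
count_hits() {
    audit_rc_file "$@" | wc -l | tr -d ' '
}

# make_sample_rc PATH: write a constructed ~/.bashrc (placeholder paths, not from the report).
make_sample_rc() {
    cat > "$1" <<'EOF'
# ~/.bashrc (constructed sample)
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
# nohup is only mentioned in this comment
[ -f ~/.bash_aliases ] && . ~/.bash_aliases
nohup /tmp/.placeholder/payload >/dev/null 2>&1 &
/usr/local/bin/placeholder-agent --quiet &
EOF
}

# Demo on the constructed sample; on a real host pass ~/.bashrc and similar files instead.
sample=$(mktemp)
make_sample_rc "$sample"
audit_rc_file "$sample"
rm -f "$sample"
```

Comparing the flagged lines against a known-good copy of the file (or its modification time) helps separate an appended entry from a user's own background jobs.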