After deobfuscating the code, researchers found that the PHP-based malware uses the symlink method to quickly cross-contaminate websites that are hosted under the same user as the compromised website.
Source: cyware.com