@BlackLotusLabs found some interesting malware leveraging the Windows Subsystem for Linux (WSL) to attempt to hide its activity. I found that to be an interesting technique :)

https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/

I am still hunting around for samples, but I figure I could create at least a very generic YARA rule for folks that are interested in hunting around in their environment in GitHub:https://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar