

Something about this post is weird as fuck and some part of this story is missing for sure.
First of all, routine scans with ClamAV. Why are you routinely scanning your system, and what’s your expectation here? In most cases system compromise happens by executing something malicious or by exploiting something on your system. For the former, an active background scanner would help, but not a routine scan, and it’s easier to just not execute suspicious stuff. For the latter, your routine scanning is worthless.
Then the compromise over a WINE DLL seems something between borderline impossible on one hand, and like a very targeted and handcrafted attack on the other hand. Sure, Wine is not a sandbox, but seeing this as the point of entry for a full-blown persistent RAT is weirding me out massively.
Lastly, “them” setting up seemingly good persistence on your system, yet not hiding any indicators of compromise, and then nuking everything when they are seen. Why that effort? Either set yourself up for the long run and hide, or when detected just say “eh, whatever”. This also seems weird, since on one hand there’s indication for a professional, targeted attack, and other points sound more like rookie script kiddies.
Lastly, you. You seem like a pretty confident user while getting hit like that. It just feels off.
I’m not claiming you’re lying, and I couldn’t blame you for leaving information out because of opsec. But everything about this story feels off. I kinda assume that you’ve been actively targeted, and you should ask yourself why. What information or access do you have? How have you been pwned that “easily” and where did that DLL come from? How was it placed and executed?
What an amazing conclusion, and the best part is, no matter what you’ve been waffling about before - it’s always right. Can we stop calling random things AI slop and telling people to be careful bEcAuSe iTs Ai sLoP, and go back to being cautious until something has been reviewed properly? Being careful with random stuff from GitHub you install and run in your private network?
Your whole comment may have been AI slop as well. “From a quick glance at the repo”, you should be careful! Thanks, Sherlock.