I'm finding very little about the initial infection vector. How does it infect a machine?

Also port 53/udp is an interesting choice for communicating. Many enterprises redirect that to their internal dns.