The campaign is using Go packages just as a mechanism to download a ransomware for Linux systems, and it specifically checks if the Documents/ directory exists for the current user. If it doesn't exist it does nothing.
That's probably why the malware sandboxes are not detecting the outbound connections and the encrypting activity.
That's probably why the malware sandboxes are not detecting the outbound connections and the encrypting activity.