In April 2016, Microsoft shocked the PC world when it announced the Windows Subsystem for Linux (WSL). WSL is a supplemental feature that runs a Linux image in a near-native environment on Windows, allowing for terminal functionality without the over-head of a virtual machine. While this new functionality was welcomed by developers, it also introduced a new attack surface threat actors can ( and do ) target. Black Lotus Labs recently identified several malicious files that were compiled in the Linux binary format ELF which utilized native windows APIs. Over the past several months, Black Lotus Labs has identified numerous "stagers" - i.e. lightweight scripts that load more robust agents into memory - keyloggers, and in some cases fully functional remote access trojans. The novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate nearly, or in some cases a, zero for sample found on Virustotal. Suggesting that while this technique may be niche, as it requires WSL to be pre-installed by an admin, it can provide threat actors a blind spot to operate while evading some EDR products. This talk will briefly introduce WSL, then focus on the samples Black Lotus Labs observed abusing this feature in the wild, and how we analyzed these malicious files.