This sounds like something straight out of a James Bond movie.

That was a dumb move by the malware coder ;)

Wouldn't you want to hide a kill switch?

The MalwareTech write up gives a plausible reason for the developer having accidentally added the kill switch: > I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis.

MalwareTech wrote a blog about it: https://www.malwaretech.com/2017/05/how-to-accidentally-stop...