The article has a screenshot of the decompiled code showing that they're just running the downloaded executable immediately, without any additional checks on the content.