The MalwareTech write up gives a plausible reason for the developer having accidentally added the kill switch:
> I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis.
