So far, that makes references to LEGSPIN, WILLISCHECK, HOPSCOTCH, STARBUCKS, FOGGYBOTTOM, SALVAGERABBIT.
I believe this may be NSA's UNITEDRAKE implant architecture, specifically.
Who names this stuff?! ANGRYFERRET? (Probably no relation to FERRETCANNON; whoever named that one is clearly a Sluggy Freelance fan.) SQUEAKYTOY?
For the truly curious, interested and daring enough to want to analyse nation-state malware, here's an actual live sample they've published. (Obviously, don't just run this code! Trite, I know, but… - password: "infected")
Your tax dollars at work! … and mine. Bah.
Analyse it cold (from what I've seen from this, IDA Pro will be safe), or use a suitable simulator.
Mainstream VMs are not designed for secure encapsulation and are very detectable: at least one of the loaders in one of the samples of this is specifically looking for VMs (and that's not unusual at all with any half-assed malware).
Now? Someone reads Sluggy Freelance and thinks FERRETCANNON sounds funny.
They used to tell a story about this, the Germans in WW2, and their penchant for meaningful names allowing potentially meaningful guesswork. Of course, the new generation of brogrammer "cyber-specialists" in charge of Mastering The Internet never got the memo, on either side.