Here’s how it was intended to work:

• debian, fedora, or another RPM-based distribution updates references to liblzma to 5.6.x in their latest release
• the package repository is updated (usually through automation) by getting the infected tarball and compiling it into an RPM which is added to the repo
• if the package is built using glibc and the gnu linker, and for a system that uses systemd, the exploit is enabled during compilation of the x86-64 version of the package; otherwise the result is normal
• when an application is installed that depends on liblzma, possibly during OS installation itself, the infected RPM package from the package repository is downloaded and installed
• in this particular case, OpenSSH was the primary target; if the attacker wanted to, it could have targeted any web-facing service that uses liblzma such as OpenSSL + Apache/nginx, etc
• when the OpenSSH server is started on an infected system, it loads the infected liblzma binary
• the attacker starts an SSH connection to the infected server, having already known about the server or by scanning the internet for visible ssh servers
• during creation of the SSH connection, one of the steps is to negotiate encryption using an RSA key. The attacker uses a specially formed RSA key only available to the attacker that also contains a chunk of code (the “payload”) that they want executed on the server
• liblzma is utilized to compress data in transit; when the infected liblzma decompresses the RSA key on the server, the exploit recognizes the attacker’s special RSA key and executes the payload on the host system. Otherwise, the ssh session continues as normal