I saw an analysis of the exploit code. It clearly pointed out several Windows API calls, for example to make the HTTP connection to the command and control server. If the analysis was correct, the exploit was definitely Windows specific.