FYI the "ssh -G" is listed on this page
https://github.com/eset/malware-ioc/tree/master/windigo
The section is "Linux/Ebury v1.4 and earlier" with a couple of notices.
One notice is that Ebury v1.4 is no longer deployed and most of the
indicators below no longer work. Another notice is that this technique
only works with OpenSSH 6.7 or earlier. OpenSSH 6.8 adds a legitimate
usage for the -G flag. This is even shown in the first line of the output:
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
There are other detection methods listed for newer versions of OpenSSH.