Even if the attackers used a fully broken since 1980s encryption-how many organizations have the expertise to dissect it?

I assume that threat detection maintains a big fingerprint databases of tools associated with malware. Rolling your own tooling, rather than importing a known library, gives one less heuristic to trip detection.