Why not just use an off-the-shelf rootkit with off-the-shelf obfuscator + whatever exploits they discovered? None of the code has to be extremely valuable.
If I were the CIA in the current political climate, I would simply slightly modify a Russian exploit toolchain and exfiltrate data to a CIA-controlled C&C. One dev can do the work, and with a couple of days of effort it would get past all major AVs.
I think this crowd tends to vastly underestimate the ease of deploying and testing this stuff in a targeted and useful way.
There's a big difference between broadband spray and pray malware, and malware you actually want to hit a target with.
If you know average tools won't detect it, then why get fancy when you have something that's proven reliable and, if discovered, is unlikely to make your victim substantially improve their processes?