Often it's a massive team with people of very varied programming skills. The core exploit might be some super high tech, hand-coded in assembly rootkit, but then the remote control stuff might end up being some badly written PowerShell script or multi-megabyte .NET, Java or Python binary pulling in every library under the sun.
There's a fantastic example of this from the fall of 2019. China was using an iPhone 0day which was extremely complicated to do internal surveillance, and the C2 for it was happening over HTTP.
It seems like this is simply the approach of any coder who's just trying to get X done without worrying about maintaining stuff. Academic code is often "crap" and it's written by smart people but smart people only concerned about getting the algorithm implemented.
Which is to say, no one has yet come up with an approach that combines "fast to write, fast to run, and easy to maintain".