Nothing against people running botnets out of Eastern Bloc apartment buildings, but there is no real need for operational excellence when you are going after gen pop.
This isn't a hard rule, but generally, you only use the minimum tool required for the job. Don't use a string of 0 days when phishing works, don't use a custom implant when Cobalt Strike will do the job. If Cobalt Strike does the job for everything you do, just use that. Goddamn is it good.
But we are in a situation where we want that long term persistence with low observability. There are plenty of ways to do that, so we should copy the experts. No need to come up with things yourself. Thanks to the previously mentioned threat intel weenies, as well as the talented, hard-working and good-looking reverse engineers that work at the same companies as them, there is a ton of documentation on all the best implant families and the APTs that write and use them.
You can spend a career reading all of this, and plenty of people do. I recommend reading a bit to get the creative juices flowing and then spend your time writing code instead of reading about Lithuanian teenagers but hey, you do you.
Some other writeups of varying quality on implant dev:
- Demystifying Modern Windows Rootkits- Bill Demapi
- Developing a Linux Rootkit: Kernel Internals & Subversive Techniques