>I assume the malware authors pre test their code on a suite of detectors in CI.

Maybe some do, but you give the average malware developer way too much credit.