Msvenom creates obfuscated custom payloads (part of the Metasploit penetration testing tool). They can be detected by ML behavior-based modules. But, when Metasploit introduces a new type of payload, some time is needed to adjust ML modules. So, such new obfuscated payload can bypass AV products. In many cases also the new payload can be detected by post-execution behavior protection - this can depend on the malicious actions performed by the payload.