It’s funny because that is sometimes true but not always. It is true that sometimes engines will detect the malware once the payload is actually delivered (the bogus installer or fake .app bundle is usually obfuscated and uses shell scripts or Python combined with the openssl command to decrypt a command for fetching the real malware, and the real malware itself tends to be more widely detected.
But this particular one seemed so new that even the final payload isn’t detectable. I submitted it to a few vendors. Hilariously Symantec responded with the sample “is an archive” and then explains what a zip file is. Sigh.
