When considering an attack lifecycle from an adversarial perspective, the adversary has a few options on how to proceed at each step. One of questions that needs to be answered is whether the adversary will use publicly known malware (i.e. BEACON), custom built-from-the-ground-up malware (i.e. HAMMERTOSS), or legitimate software and services (i.e. SoftEther Virtual Private Network) that provide the necessary functionality to complete said step.
Each option has upsides and downsides: Publicly known malware can be extremely cheap but also can be easy to detect since it has been in the public eye for some time. Custom malware can be extremely stealthy given its unique code-base but also very expensive in time and/or money given it needs to be developed prior to use. Legitimate software and services can also be stealthy due to their camouflage effect into “normal network activity” but also may not provide precisely the type of functionality desired, since it was not written to be used for the function it is being considered for.