But the post says that the malware checks if any of those folders exists, only then writing the necessary plist. By your reasoning, one of these folders should have been created in advance by another process. So this "backdoor" is even incomplete...
It says it checks if those folders are available - which could mean checking if the name is not already taken, and then creating the path for itself to use.