
>One of these RATs is already known to be part of the Lazarus toolkit, specifically a variant of the BlindingCan backdoor with limited functionality but identical command processing logic.

The attackers were using already known Lazarus malware. The researchers aren't simply basing the Lazarus attribution solely on an insider trading strategy or time zones.




Already known means everyone that knows can also do it.


Threat intel and analysis is just like any other analysis: it takes a heuristic approach to finding answers.

Can it be bypassed? Yes.

Are the researchers whose entire company hinges on the correctness of their analysis doing their absolute best to attribute the attack to a threat actor? Yes.

So to your point, somebody could indeed reuse malware or attempt to replicate it. However, the researchers are likely analyzing the disassembly and bytecode, and replicating complex malware to perfectly imitate a known family of malware is exceptionally difficult and statistically very unlikely. This is how threat intel is able to make any sort of claim of attribution.


In this case it was a modified version, meaning the attackers have access to the source code. Not everyone has access to the malware's source code.



