What a surprise
A tool specifically made to avoid syscalls, which just happen to be what AV tools are actively watching, is hijacked by miscreants for their own nefarious purposes.
I can't help but think that the guy who thought this up must be a serious expert on OSes in general, and on kernels in particular. You have to know the ins and outs of the inner workings of the entire OS stack and the particulars of how it all fits together to dream up a scheme like that and make it work for you.
What a shame that a mind like that decided to employ his formidable intellect for crime, instead of working with Torvalds or Cupertino or even Redmond and making a better world for everyone.