Threat intel and analysis is just like any other analysis, it is taking a heuristic approach to finding answers.
Can it be bypassed? Yes.
Are the researchers whose entire company hinges on the correctness of their analysis doing their absolute best to attribute the attack to a threat actor? Yes.
So to your point, somebody could indeed reuse malware or attempt to replicate it. However, the researchers are likely analyzing the disassembly and bytecode, and replicating complex malware to perfectly imitate a known family of malware is exceptionally difficult and statistically very unlikely. This is how threat intel is able to make any sort of claim of attribution.
