UAs are often hardcoded into compiled malware binaries that get shared/leaked amongst actors and groups. Latter users dont have access to the source so at best all they can do is dick around with hex editors and maybe change a character or two instead of the whole string.