I think it is to do with the targeted/campaign attacks. Ordinary spread of viruses in some rar files are generic enough. Otherwise if you are an outfit working from CIS countries it is just a logical due diligence not to become a target of their internal security people. For instance if you create a botnet and rent it, then some other group might do proper damage using it; it is safer to just host it outside.