I doubt if it is a valid test in this instance. If the problem does not surface in one transaction how can I guarantee it will not surface in another transaction?

I am not the one who developed the malware, obviously. But if I were, and the malware had access to the transaction information (public key, amount etc.) then I would trigger it only for transaction worth beyond a threshold, like a few million Sats. The goal would be to delay the detection of its presence, and capture a few big fishes instead of a bunch of small fishes. If every transaction is poisoned, the exploit would come to the surface pretty fast, and people would stop falling for it, as is the case once it got widely publicised.

For all intent and purpose, I suspect the attacker had his day, and unlikely to gain any more, although likely made enough to retire. The window of opportunity is is just too small if the attack happens deterministically at every transaction.