rep_lodsb 3 days ago

This doesn't seem to be useful for hiding the fact that something suspicious is going on. If I understand it correctly, a static analysis of the program would reveal that they are decrypting code with an AES key derived from CPU instruction timings, and then executing that code inside a TSX transaction.

Hardly normal behavior for non-malicious code. The only thing hidden is the actual key that will be used when it runs correctly, and hence what exactly the decrypted code does.

(Also, didn't Intel obsolete TSX already in more recent CPU generations, because of its use for speculative execution side-channels?)

p_l 2 days ago

It got obsoleted because of bugs in behaviour, IIRC