The most obvious reason would be the fear of patching a vulnerability which the attacker used to gain initial access. Persistence is required.