Hackers want to keep control of your site for as long as possible. There are multiple reasons for this.
For one, longer-term infections will yield more results for the hacker. They can access exponentially more personally identifiable information if they have control of a site for weeks or months instead of several days. They'll receive more data, misdirect more website visitors, and cause more problems for your website.
The second reason is that they have countermeasures for when the offended party attempts to strike back. Once you've detected the infection, the hacker understands that the website administrator will make moves to remove it. They're counting on this. Aside from malware's main functionalities, like
spam injection, SEO injection, and traffic redirection, the infection can also contain a
smart recovery mechanism. This mechanism hides the infection and makes useless any malware cleanup effort.
Here's a deeper dive into how this whole process works.