It's unclear, but it seems like this was someone testing to see if this exploit would really work. From the article: > The severity was debated - Endor Labs characterised the payload as closer to a proof-of-concept than a weaponised attack - but the mechanism is what matters. The next payload will not be a proof-of-concept.

But it does seem odd not to use an actual payload right away.