Threat actors may abuse cloud-native task scheduling services (e.g., AWS EventBridge Scheduler, Azure Logic Apps) or the Ground Station's own scheduling API to trigger malicious code execution at specific times. Unlike OS-level tasks, these schedules persist in the cloud control plane. Attackers may use this to synchronize malicious data processing or exfiltration scripts with the precise Acquisition of Signal (AOS) windows of the target satellite.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.