Classified Classifieds (steganography for command & control)

Ars Technica just ran a story about a Russian hacking group making botnets, and how they control them covertly.
There’s two parts to a successful botnet- you need the zombie (infected) hosts not to be detected too quickly, as they’ll then be cured. But you also need to be able to communicate with the bots in such a way that they don’t betray their own presence, and don’t leave a trail back to what is known as the C&C (Command & Control).
That middle bit is still very tricky, since by definition, you want to have an effect- perhaps a DDOS on a target, spamming, or distribution of more malware. If a DDOS, by definition, that’s going to be very noticeable by all concerned. But going from that to alerting the owner of the specific computer (or perhaps router, or printer) is slow. ISPs aren’t known for rapid action.
Even when you do get a message to the zombie’s owner, that’s one machine.
To really knock out the botnet, you need to get at the C&C. So where is it?
Sometimes, the code of the malware will give it away. It was that that allowed the recent Wannacry attack to be mitigated.
In this case, there was no URL, but there was a co-infection with a browser extension, which gathered the URL (via shortened URL) by scanning comments matching certain features on an Instagram post. The article doesn’t make it clear if visits to that particular post were forced, non-browser requests but I have to assume so.
I liked how this reminded my of the old-fashioned (but still in use, no doubt) posting of a coded, surface-innocent message in the newspaper classifieds. No-one looks suspicious for purchasing a copy of a newspaper.
Using made that initial URL less suspicious, and using a URL shortening service makes sense, to keep the hidden data requirement low. Downside was that it was possible to view the statistics on visits to, ultimately, the C&C.
If you aren’t too fussy about who you infect, you can simply use comment systems (or, riskier, adverts) with this kind of steganography, on very popular websites. It might not guarantee that you get a specific visitor, unless you know about their browsing habits, but it’ll get you plenty. That way, you needed force the browser to visit anywhere. Anytime you can let the target do all the work for you, you’re minimising the subterfuge you have to engage in as an attacker, and the fewer fingerprints/smoking guns you’re leaving on their system.
Could that data be, not a direct URL, but instead, something like a BitTorrent magnet link, pointing at a distributed, decentralised C&C system using a DHT? How about a tor .onion address? There are JavaScript tor client implementations after all…