if you add non trivial address generation there simply isn't a good way to block it except for hope and prayers. nobody really wants to play wack-a-mole on blocking addresses for c2 servers and then there will always be websites which straight up do not care.
I mean, at that point, why wouldn't you just rely on a DGA? At least then you wouldn't be flooding block explorer sites with millions or potentially tens of millions of requests per day for your C&C traffic.
Essentially the exact approach you propose has been attempted in far cleverer ways, it did not work very well.
well you wouldn't really want to use it for botnets that large, modern botnets run off similar systems internet runs off - edge endpoints and crypto currency is just a nice distributed database to rely upon to synchronize everything
I don't think you'd want to go through the trouble for smaller botnets though. It's really only the very big ones that face co-ordinated takedown efforts.
For a very small botnet that doesn't attract attention, you could really use any social media site for C&C if your goal was to avoid network-level detection.
For a slightly bigger botnet that might get abuse reports, you could just get a bunch of domains on different ccTLDs from various bulletproof registrars. There are some huge botnets doing this without much trouble.
It's really only the really big botnets where you want to worry about things like P2P C&Cs for censorship resistance, they're the ones that will face co-ordinated efforts to shut them don.
I feel like the block explorers aren't a really good solution, for small botnets there are less conspicuous options. Here's a (real) botnet C&C that uses Steam, and has been doing so for a long time https://steamcommunity.com/profiles/76561199621451974 It's a rather silly implementation though, not sure why the developer decided to do it this way.
It's also worth noting that most botnets aren't targeting networks where they'd really have to worry about network-level detection, so in almost all cases using your own domain names is by far the easiest and most reliable option.
I'd also guess the most common malware these days is of the often short-lived "stealer" type, where the operator doesn't necessarily really care about keeping their bots alive as the malware just immediately grabs all the interesting data from your computer and uploads it.
