JohnGillnitz t1_j62vyqs wrote

I'm not sure how what I said was any different from what you said. No matter if they use an IP address or domain, those C&C servers are still set at the time of deployment. One of the first things they do is phone home (or homes) and get an updated list of C&C servers. That still leaves them dependent on reaching a limited number of sites that can be shut down, effectively killing that variant of the malware.
Do you live in Corpus and drive a Tesla? We may have met.
Edit: The CISA notice with the deets: https://www.cisa.gov/uscert/ncas/alerts/aa22-321a

2