A new cryptominer malware that infected almost all the computers on a company’s network within a year uses DuckDNS for command and control (C2) communications with its masters. The new miner malware strain dubbed Norman by the Varonis Security Research team was discovered while actively mining for Monero using the computing resources of the infected workstations and servers as directed by its operators. Norman is dropped on the targets’ systems using a malware dropper compiled using the Nullsoft Scriptable Install System (NSIS) and designed to execute the payload according to instructions.
Source: https://www.bleepingcomputer.com/news/security/new-norman-cryptominer-uses-dynamic-dns-for-c2-communication/