Malware could always use some proprietary wrapping in TLS to hide name resolution.
Domain fronting through Azure is still a thing for instance.