Yeah. If the article is right, SysJoker is "stage 1" to infiltrate networks. The C&C servers will only deploy a more interesting "stage 2" to the target they care about.
Maybe the attack is already completely done, and they're just leaving the C&C servers and the rest of the botnet up to avoid leaking "The C&C servers went offline at X time" as a piece of information.
Maybe the attack is already completely done, and they're just leaving the C&C servers and the rest of the botnet up to avoid leaking "The C&C servers went offline at X time" as a piece of information.