[zahlman]

By this logic, all malicious JavaScript (obvious example is cryptominers I guess, assuming no JS sandbox escape) is C&C, yeah? As it "instructs site visitors" to do something harmful locally?