The Command-and-Control part of the botnet would be whatever component they build to instruct it to attack; often using some dummy website they register and have the compromised clients poll for changes with instructions.

I think an increasing amount of them are state actors or groups offering the botnet as a service.

>What does this botnet do when it's not performing a 7.3 Tbps DDoS?

Living their best "Im a retail Asus router/iot from Amazon" life.

I mean... 7 Tbps sounds like a lot, but 1Gbps symetric connections are common in many areas. 7,000 botnet nodes with good connectivity can deliver that. The article says the attack traffic came from 122,145 source IPs, but I would expect at least some traffic to be spoofed.