Isn't that already how it is?

I mean the compromised machine registers itself on the command server and occasionally checks for workloads.

The hacker then decides his next actions - depending on the machine they compromised they'll either try to spread (like this time) and make a broad attack or they may go more in-depth and try to exfiltrate data/spread internally if eg a build node has been compromised