Am I missing something, or wouldn't the author(s) of Qakbot be able to avoid this attack by cryptographically signing commands and having clients check them?
"To interact with infected hosts, the replacement servers required a certificate that can sign messages. It appears that the certificates were obtained and used for good intentions."