Unless the botnet owner is running dozens of hidden services, it shouldn't be hard to find. Run a bunch of service directories. The C&C server would be the one receiving 500K descriptor fetches per day at a single service directory (3 million total). Also, a few people are running entry guards that are getting killed right now, again unless there are many C&C hidden services, or one has increased entry guards to like 30. The botnet accounts for 85% of activity on the Tor network right now. The hidden service should be much easier to find than most hidden services.