Probably to prevent it from fucking their own computer network up. Just change your local resolver to be authoritative for the domain(s) in question, and bob's your uncle.
But next they'll likely use more domains, and more expensive ones, so that random security researchers can't just expense the registration on the corporate credit card. I know .ng costs 50k, but .np might be pretty comical to deploy if you're not really worried about a global off switch.
If that's the motivation, just use a non-existant TLD, or, even better, .local
If the motivation is to have a killswitch, you don't want something expensive, because the attackers would then have to pay for it if they want to activate it for whatever reason.
But next they'll likely use more domains, and more expensive ones, so that random security researchers can't just expense the registration on the corporate credit card. I know .ng costs 50k, but .np might be pretty comical to deploy if you're not really worried about a global off switch.