Today I noticed that my Sophos UTM (Community Edition) flagged my pi-hole for C2/Generic-A under Advanced Threat Protection. The destination was www.sparechange.io.
From the Sophos documentation:
C2/Generic-A is the threat name associated with the command and control (C&C) servers used by malware.
Note: C2/Generic-A is not detection of a malware payload on an infected machine.
Instead it indicates Sophos products blocking network traffic (reputation or IPS filtering) to a remote machine believed to be a C&C server. The alert indicates that a machine within the network is compromised with malware.
Pi-hole won't contact that host.
I suspect UTM may have flagged the host machine that runs Pi-hole, not the Pi-hole software that runs on it.
You should also consider consulting Sophos UTM documentation and support for further insights.
Also, try to verify if your Pi-hole host machine would indeed send unsolicited requests to www.sparechange.io and find out what software is sending them, e.g. if you would be using your Pi-hole host machine to browse the web, you may have visited a website that uses SpareChange to have your host mine digital currency while you are visiting that site.
That said, Pi-hole would be able to actively block DNS resolution of that domain for all clients that use Pi-hole for DNS (by adding it to its blocklist or by using an adlist that's blocking it).
Note that Pi-hole won't touch the DNS configuration of its host system, so you may want to verify that it actually is using Pi-hole for DNS.
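One way to follow up on the advice in the reply above is to see which clients actually asked for the flagged domain. This is an added example, not part of the original posts. It assumes Pi-hole's query log uses the usual dnsmasq line format. The function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# dnsmasq query line, e.g.
# "Mar  3 10:15:02 dnsmasq[812]: query[A] example.com from 192.168.1.23"
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<type>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def clients_querying(lines, domain):
    """Count queries per client for `domain` or any of its subdomains."""
    domain = domain.lower().rstrip(".")
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line.strip())
        if not m:
            continue  # "forwarded", "reply", "cached" lines carry no client
        name = m.group("name").lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            counts[m.group("client")] += 1
    return counts

def is_local_host(client):
    """True when the query came from the Pi-hole host itself (loopback)."""
    try:
        return ipaddress.ip_address(client).is_loopback
    except ValueError:
        return False

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
Mar  3 10:15:02 dnsmasq[812]: query[A] www.sparechange.io from 192.168.1.23
Mar  3 10:15:02 dnsmasq[812]: forwarded www.sparechange.io to 9.9.9.9
Mar  3 10:15:02 dnsmasq[812]: reply www.sparechange.io is 203.0.113.10
Mar  3 10:15:40 dnsmasq[812]: query[AAAA] www.sparechange.io from 192.168.1.23
Mar  3 10:16:11 dnsmasq[812]: query[A] pi-hole.net from 127.0.0.1
Mar  3 10:17:05 dnsmasq[812]: query[A] www.sparechange.io from 127.0.0.1
Mar  3 10:18:30 dnsmasq[812]: query[A] notsparechange.io from 192.168.1.40
""".splitlines()

if __name__ == "__main__":
    for client, n in clients_querying(SAMPLE_LOG, "sparechange.io").most_common():
        origin = "Pi-hole host itself" if is_local_host(client) else "network client"
        print(f"{client:15} {n:3} queries  ({origin})")
```

A loopback client in the result means the host machine resolves through Pi-hole and asked for the domain itself; any other address points to a different device on the network.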