Re-checking the list of domains previously mentioned, shows they're on the move to a new range. This time owned by known crimeware friendly ISP, ROOT SA (aka Root eSolutions, AS5577 18.104.22.168/19, AS44042). The new IP is 22.214.171.124.
There's only a handful resolving to the new IP at the time of writing, so presumably the rest are awaiting DNS propagation.
WARNING: Malware, scams and RedStation (AS35662, 126.96.36.199/20)
Legitimate Software Typosquatted in SMS Micro-Payment Scam
Crimeware friendly ISPs: root eSolutions