Re-checking the list of domains previously mentioned, shows they're on the move to a new range. This time owned by known crimeware friendly ISP, ROOT SA (aka Root eSolutions, AS5577 188.8.131.52/19, AS44042). The new IP is 184.108.40.206.
There's only a handful resolving to the new IP at the time of writing, so presumably the rest are awaiting DNS propagation.
WARNING: Malware, scams and RedStation (AS35662, 220.127.116.11/20)
Legitimate Software Typosquatted in SMS Micro-Payment Scam
Crimeware friendly ISPs: root eSolutions