Re-checking the list of domains previously mentioned, shows they're on the move to a new range. This time owned by known crimeware friendly ISP, ROOT SA (aka Root eSolutions, AS5577 126.96.36.199/19, AS44042). The new IP is 188.8.131.52.
There's only a handful resolving to the new IP at the time of writing, so presumably the rest are awaiting DNS propagation.
WARNING: Malware, scams and RedStation (AS35662, 184.108.40.206/20)
Legitimate Software Typosquatted in SMS Micro-Payment Scam
Crimeware friendly ISPs: root eSolutions