Well, that didn't take them long. They're back to .in domains, and have moved to the well-known SwiftWay (AS35017).
New payload URL;
This /24, of course, as with all SwiftWay ranges, is no stranger to malicious content, having hosted everything from fake AVs to trojans, and even fake meds. Rather confusing, then, that they've moved it here, given most should already have this range blackholed? Though perhaps not so confusing when you notice the PTR - inferno.name, a "host" already well established as criminal-friendly.
Part 3: Interserver, malware, and the Scottish weather
Part 2: Interserver, malware, and the Scottish weather
Interserver, malware, and the Scottish weather