Seems we've got another Israel-based crapware company. This one is involved in the use of fake Chrome and Java sites to push their files (all digitally signed, FYI).
126.96.36.199 - AS32181 188.8.131.52/21 ASN-GIGENET - GigeNET
184.108.40.206 - AS46652 220.127.116.11/19 SERVERSTACK-ASN - ServerStack, Inc
18.104.22.168 - awstrack01.tguhost.com - 16509 22.214.171.124/17 AMAZON-02 - Amazon.com, Inc.
126.96.36.199 - AS46652 188.8.131.52/19 SERVERSTACK-ASN - ServerStack, Inc.
184.108.40.206 - AS16509 220.127.116.11/18 AMAZON-02 - Amazon.com, Inc.
Sites identified thus far;
The MD5 for the file I got served is;
However, I am aware that the MD5s appear to be different for each access, so you're going to want to detect the files on their sig instead.
2 more IPs and 2 more hostnames added.
Few more hostnames added.
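Since the MD5 changes on every download while the files are all digitally signed, one way to hunt for them is to match on the Authenticode signer certificate instead of the file hash. The script below is an added example, not from the original post; it assumes "sig" means the signer certificate, and the scan path and the thumbprint are placeholders because the post does not give the signer's details.

```powershell
# Added example: triage downloaded installers by Authenticode signer, not by hash.
# Assumption: the thumbprint below is a placeholder; the post does not list the
# signer's certificate, so take it from a sample you have already confirmed.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed scan location
)

$BlockedThumbprints = @(
    'PLACEHOLDER_SIGNER_CERT_THUMBPRINT'
)

$results = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: nothing to match a signer on

        [pscustomobject]@{
            File       = $_.FullName
            MD5        = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            Status     = $sig.Status      # Valid, HashMismatch, NotTrusted, ...
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Blocked    = $BlockedThumbprints -contains $cert.Thumbprint
        }
    }

# Files signed by a blocked certificate, whatever their hash happens to be.
$results | Where-Object Blocked | Format-Table File, MD5, Status -AutoSize -Wrap

# One signer with many distinct MD5s is the per-download repacking pattern:
# a hash blocklist misses these, the signer thumbprint does not.
$results | Group-Object Thumbprint | ForEach-Object {
    [pscustomobject]@{
        Thumbprint  = $_.Name
        Subject     = $_.Group[0].Subject
        Files       = $_.Count
        DistinctMD5 = ($_.Group.MD5 | Sort-Object -Unique).Count
    }
} | Sort-Object DistinctMD5 -Descending | Format-Table -AutoSize -Wrap
```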