Seems we've got another Israel-based crapware company; this one uses fake Chrome and Java sites to push its files (all digitally signed, FYI).
220.127.116.11 - AS32181 18.104.22.168/21 ASN-GIGENET - GigeNET
22.214.171.124 - AS46652 126.96.36.199/19 SERVERSTACK-ASN - ServerStack, Inc.
188.8.131.52 - awstrack01.tguhost.com - AS16509 184.108.40.206/17 AMAZON-02 - Amazon.com, Inc.
220.127.116.11 - AS46652 18.104.22.168/19 SERVERSTACK-ASN - ServerStack, Inc.
22.214.171.124 - AS16509 126.96.36.199/18 AMAZON-02 - Amazon.com, Inc.
Sites identified thus far:
The MD5 for the file I got served is:
However, I am aware that the MD5s appear to be different for each access, so you're going to want to detect the files on their signature instead.
2 more IPs and 2 more hostnames added.
Few more hostnames added.