Seems we've got another Israel-based crapware company; this one uses fake Chrome and Java sites to push their files (all digitally signed, FYI).
18.104.22.168 - AS32181 22.214.171.124/21 ASN-GIGENET - GigeNET
126.96.36.199 - AS46652 188.8.131.52/19 SERVERSTACK-ASN - ServerStack, Inc
184.108.40.206 - awstrack01.tguhost.com - 16509 220.127.116.11/17 AMAZON-02 - Amazon.com, Inc.
18.104.22.168 - AS46652 22.214.171.124/19 SERVERSTACK-ASN - ServerStack, Inc.
126.96.36.199 - AS16509 188.8.131.52/18 AMAZON-02 - Amazon.com, Inc.
Sites identified thus far:
The MD5 for the file I got served is:
However, I am aware that the MD5s appear to be different for each access, so you're going to want to detect the files on their sig instead.
2 more IPs and 2 more hostnames added.
Few more hostnames added.