here (184.108.40.206 and 220.127.116.11, also Edis) that seem to be used in injection attacks. I can identify the following domains linked to 18.104.22.168:
Injecting some of the same sites as the domains on the above IPs is jstoredirect.net which is currently offline but was hosted on 22.214.171.124 which is also Edis (can you see the pattern yet?) so I would assume that they are linked. In the few days that jstoredirect.net was online it managed to infect over 1500 sites.