CtrlS is a large Indian hosting provider that seldom features in this blog, which is always a positive sign. However, the last two Zeus spam email runs exclusively use CtrlS servers to host encrypted malware.
Three of the four domains are easy to spot:
wahidexpress.com is on 184.108.40.206
bsitacademy.com is on 220.127.116.11
oilwellme.com is on 18.104.22.168
The last of the four domains is hosted on a Cloudflare IP, but Cloudflare is only a reverse proxy, and a bit of digging at IP records shows that newz24x.com appears to be hosted on another CtrlS IP of 22.214.171.124.
So, four out of four IPs belong to CtrlS. It could be a coincidence, but I wonder if anybody else is seeing traffic (especially for downloads of .enc files) in CtrlS IP ranges?
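One way to check your own proxy logs for this traffic, as an added example that is not part of the original post: it flags `.enc` downloads by hostname as well as by destination IP, because a client fetching from newz24x.com connects to the reverse proxy and never to the origin address. The log format, sample lines, URL paths and the 198.51.100.7 stand-in for a reverse-proxy edge address are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the post above.
DOMAINS = {"wahidexpress.com", "bsitacademy.com", "oilwellme.com", "newz24x.com"}
# The post lists single IPs, not CtrlS netblocks; substitute wider ranges if known.
NETWORKS = [ipaddress.ip_network(ip) for ip in (
    "184.108.40.206", "220.127.116.11", "18.104.22.168", "22.214.171.124")]

# Constructed sample lines in an assumed proxy-log format:
# timestamp client_ip dest_ip method url status
SAMPLE_LOG = """\
2014-01-01T09:00:01Z 10.0.0.5 184.108.40.206 GET http://wahidexpress.com/a/one.enc 200
2014-01-01T09:00:02Z 10.0.0.6 198.51.100.7 GET http://newz24x.com/b/two.enc 200
2014-01-01T09:00:03Z 10.0.0.7 220.127.116.11 GET http://220.127.116.11/c/three.enc 200
2014-01-01T09:00:04Z 10.0.0.8 18.104.22.168 GET http://OILWELLME.COM/d/four.ENC?x=1 200
2014-01-01T09:00:05Z 10.0.0.9 192.0.2.10 GET http://example.org/e/five.enc 200
2014-01-01T09:00:06Z 10.0.0.5 220.127.116.11 GET http://bsitacademy.com/index.html 200
truncated line
"""

def hunt(log_text):
    """Return (line_no, host, dest_ip, reasons) for .enc fetches tied to the indicators."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed or truncated line
        dest, url = parts[2], parts[4]
        u = urlsplit(url)
        if not u.path.lower().endswith(".enc"):
            continue  # only the encrypted payload downloads are of interest
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            continue
        host = (u.hostname or "").lower()
        reasons = []
        if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
            reasons.append("domain")  # catches hosts fronted by a reverse proxy
        if any(addr in net for net in NETWORKS):
            reasons.append("ip")      # catches requests made by raw IP
        if reasons:
            hits.append((n, host, dest, reasons))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```
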