CtrlS is a large Indian hosting provider who seldom feature in this blog which is always a positive sign. However, the last two Zeus spam smail runs exclusively use CtrlS servers to host encrypted malware.
Three of the four domains are easy to spot:
wahidexpress.com is on 18.104.22.168
bsitacademy.com is on 22.214.171.124
oilwellme.com is on 126.96.36.199
The last one of the four domains is hosted on a Cloudflare IP.. but Cloudflare is only a reverse proxy and a bit of digging at IP records show that newz24x.com appears to be hosted on another CtrlS IP of 188.8.131.52.
So, four out of four IPs belong to CtrlS. It could be a coincidence, but I wonder if anybody else is seeing traffic (especially for downloads of .enc files) in CtrlS IP ranges?