The infection chain I have spotted here starts with a typical compromised website, in this case:
A quick look at the URLquery report shows a general alert, but no smoking gun.
Right at the end you can see a redirect to google.no.
However, I can look at the log files of the incident and I see that the next step is a jump to another compromised site:
This then jumps to the presumed payload site at:
What is the payload? Errr... I don't know. The incident logs come up with only a generic detection and my query-fu isn't working today. You'll just have to trust me that it's going to be malicious.
The following malicious subdomains are also active on 18.104.22.168:
The simplest thing to do to protect yourself against this particular threat is to use the following blocklist: