188.8.131.52 [VirusTotal report]
184.108.40.206 [VirusTotal report]
220.127.116.11 [VirusTotal report]
18.104.22.168 [VirusTotal report]
The following domains are being exploited (although there will probably be more soon).
Subdomains in use start with one of qwe. or asd. or zxc. (see examples here [pastebin]).
Crissic Solutions LLC operates 22.214.171.124/19 which does have some legitimate sites in it, but since I have previously recommended blocking 126.96.36.199/24 and 188.8.131.52/24 and now with multiple servers on 184.108.40.206/24 also compromised then I suspect that temporarily blocking the entire /19 is the way to go.