Cisco has been tracking a threat actor (group) that compromises legitimate websites and redirects victims to exploit pack (EP) landing pages. The challenge for threat actors is to redirect victims by force to the exploit landing page with sustained frequency. Over the past three months, we observed the same actor using malvertising leveraging increased victim redirection as part of larger exploit pack campaigns. On April 1st, 2014, we began blocking specific malicious web requests from 186 users in 186 users. The requests were destined for the following thirteen domains (which we label stage two domains), all of which resolved to 77.245.75.237 (Redstation Limited Dedicated Server Hosting, Great Britain).
Source: https://blogs.cisco.com/security/year-long-exploit-pack-traffic-campaign-surges-after-leveraging-cdn