Sometimes researchers have to go the extra mile to get to malicious IP detection

Where it was being detected in the first place:
https://viz.greynoise.io/ip/42.239.248.198

Where detection was partly being confirmed: https://maltiverse.com/search;query=42.239.248.198;page=1;sort=query_score

And at VirusTotal, which had none of this flagged: https://www.virustotal.com/gui/ip-address/42.239.248.198/details
Here it was also missed: https://www.malwareurl.com/ip_listing.php?ASN=AS4837

polonus