Author here - if anyone has any contacts at Cloudflare to get the proxied domains (at least roadpay[.]cc) taken down, that would be great. I wasn't able to get an abuse report to stick. Ditto for the related LinkedIn profile and Twitter accounts.

The C2 IP (89.124.107.161) and malware-serving git repo (144.124.244.92) are both hosted on VDSINA in Russia, so not sure if there's anything to do there.

If you're hosting malware today, of course you want to host in Russia. Those are the only hosts that won't kick you off the internet or get kicked off the internet themselves for hosting malware. Check what happened to Tony Stark Solutions (or what was it called). Since they didn't police their customers harshly enough, the owners are in prison for aiding and abetting varied cyber-crimes.

Business establishments don't like to ban troublemakers. Bad for business. (Unless it gets enough bad press, then it becomes good for business).