It didn’t last long. Soon after the publication of that article, the bad actors changed the links to use compromised third-party sites and a couple of day later they began using Google’s goo.gl URL shortening service.
This is a snippet from their decoded script:
The Redirect Chain
If you check Google’s own information about that shortened URL, it shows that the URL redirects to another Google owned URL maps.app.goo.gl which looks quite benign.
Source: Scuri check