This is what was shown to visitors of websites that used this PageFair service:
To give you a feel of how popular PageFair is, at least in terms of our user base, we pulled out hit statistics and found that it is ranked at 293 for the past 14 days. That’s higher than flickr.com (295), spotify.com (399), steampowered.com (406) and paypal.com (413). So this domain is quite a celebrity, which explained the spike that we saw during the breach.
During that time, we saw the malicious adobe_flashplayer_7.exe (6ad0393f506bc6e0a84f1325b3d75cca019c21bc) downloaded from these locations:
The malware served from these links is a RAT called NanoCore. NanoCore provides plugins such as those related to Network, Security products and Surveillance.
The C&C of the particular malware sample related to the PageFair compromise was alotpro2.dynu.com (184.108.40.206).
Users that had our product enabled were protected against this threat at the time of the compromise through the detection Trojan:W32/Golroted.6ad0393f50!Online.
For more information about the PageFair breach and the status, you may read more about it from this link.