The first occurrence of the change has been spotted on 2013-06-12. Thanks to @Set_Abominae and @node5 for the tips.
NOTE: Information is based on a sample seen on 2013-06-17
The following pattern has been seen:
- new landing page expression - 'akulatori'
- introduction of JNLP file
- file extension for Java exploit changed from ZIP to JAR
- no POST request for the Initial Payload
- Initial Payload is stored XORed in the JAR file
- GET request to 'adyduxuzy.pl/qXKFD4Z7dHp5LnNtYWR5ZHVVdXp5LnA=' for what seems to be encoded configuration/data file