Maybe I'm missing something, but whether the first stage points to Ars/Vimeo or directly to the bad guys, the URL has to be hardcoded somewhere. I think the comment you replied to is probably on the right track; hiding behind a legit intermediary seems a lot less suspicious if someone inspects the payload on the drive.
The first stage points to arstechnica.com because that’s unlikely to be blocked or attract much attention (your IT guys would probably unblock it). The URL is set on that profile page, but the person who controls it can change that any time they want without attracting attention, so it’s not hardcoded in the way it would be if it was embedded in the malware executable.