Caught it! It's a sneaky bastard, but it shows up if you visit from an IP that hasn't visited the site recently. I ended up tethering to my phone to catch it in the act (and toggling airplane mode to get a fresh IP). You'll see a script block at the bottom of the body that's responsible for the malware popunder. I didn't have any success with this on my Mac, so it might be doing user-agent checking as well.
Here's the source to the page I was served, in case it helps:
https://pastebin.com/dgDtPiCD