Hackers have begun using cross-site scripting to inject malicious iFrames onto some Web sites. The attack is a combination of two long-known techniques that have been quite effective in recent years. The attackers were directing victims to a site where they downloaded a rogue AV program, a familiar end-game for this kind of attack. Security vendor Zscaler saw the attacks as they happened and has details of the malicious URLs that the attack is using. The encoded HTML in each case is hexadecimal encoded HTML.
Source: https://threatpost.com/hackers-using-xss-insert-iframes-new-attack-121509/73260/