TA569 leverages many types of injections, traffic distribution systems (TDS), and payloads including, but not limited to, SocGholish.
In addition to serving as an initial access broker, these additional injects imply TA569 may be running a pay-per-install (PPI) service
TA569 may remove injections from compromised websites only to later re-add them to the same websites.
There are multiple opportunities for defense against TA569: educating users about the activity, using Proofpoint’s Emerging Threats ruleset to block the payload domains, and blocking .js files from executing in anything but a text editor.
