Proofpoint’s Andrew Northern describes the injections used by TA569 to distribute various payloads, as well as what an end-user will see when visiting a compromised website. TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish.
https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond