Proofpoint security analysts have seen changes in the TTPs used by TA569 The changes entail a rise in injection types and a switch to different payloads. The threat group has been observed repeatedly reinfecting websites that have already undergone mitigation for malicious injections. This technique is known as strobing. Researchers have published domain rules for TA569-controlled domains that can be monitored and blocked to prevent the download of malware payloads.